bytesbay / web3-token

Web3 Token is a new way to authenticate users in a hybrid dApps using signed messages. Implementation of EIP-4361.

Add nonce check in verify function #54

Open HelloRickey opened 1 year ago

HelloRickey commented 1 year ago

Hey @bytesbay, I like web3-token very much and I am using it. Would you consider adding a nonce check in verify? If the nonce is incorrect, verify will fail.

bytesbay commented 1 year ago

Hey, sounds reasonable. Let's clarify the check: if the nonce in the token is less than the one passed in verify.opts, the verify will fail, am I right? @HelloRickey

HelloRickey commented 1 year ago

@bytesbay Sorry, I just saw this message. I might be confusing the nonce of Web3Token.sign with the nonce of metamask.

The nonce I passed in Web3Token.sign is 1686623665501, but MetaMask shows 61545035.

[Screenshot 2023-06-13 10 35 24]

Metamask seems to recalculate the nonce of Web3Token.sign?

Is it necessary to add nonce verification in verify?

```js
const Web3Token = require('web3-token');

const { address, body } = await Web3Token.verify(token, {
  domain: 'worldofdefish.com',
  // nonce verification
  nonce: '1686623665501'
});
```
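The nonce check discussed in this issue, as an added example that is not web3-token's own code: it parses an EIP-4361 style message body, compares its Nonce field to the nonce the server issued for the login attempt, and also rejects replays and expired messages. The message layout and field names follow EIP-4361; the sample body, address and timestamps are constructed, and `checkNonce`/`parseFields` are names chosen here.

```javascript
// Added example, not part of web3-token. Validates the Nonce of an
// EIP-4361 style sign-in message against the server-issued nonce.

// Constructed sample body, laid out like an EIP-4361 message.
const SAMPLE_BODY = [
  'worldofdefish.com wants you to sign in with your Ethereum account:',
  '0x1111111111111111111111111111111111111111',
  '',
  'URI: https://worldofdefish.com',
  'Version: 1',
  'Chain ID: 1',
  'Nonce: 1686623665501',
  'Issued At: 2023-06-13T02:35:24.000Z',
  'Expiration Time: 2023-06-14T02:35:24.000Z',
].join('\n');

// Collect the "Key: value" lines that follow the blank line into an object.
function parseFields(body) {
  const fields = {};
  const start = body.indexOf('\n\n');
  const tail = start === -1 ? '' : body.slice(start + 2);
  for (const line of tail.split('\n')) {
    const i = line.indexOf(': ');
    if (i > 0) fields[line.slice(0, i)] = line.slice(i + 2);
  }
  return fields;
}

// expectedNonce: the value the server generated and stored for this session
// before the user signed. usedNonces: a caller-owned Set so each nonce is
// accepted once (replay guard). now: injected so the expiry check is
// deterministic. Returns { ok: true } or { ok: false, reason }.
function checkNonce(body, expectedNonce, now = new Date(), usedNonces = new Set()) {
  const f = parseFields(body);
  const nonce = f['Nonce'];
  if (!nonce) return { ok: false, reason: 'missing nonce' };
  if (nonce !== String(expectedNonce)) return { ok: false, reason: 'nonce mismatch' };
  if (usedNonces.has(nonce)) return { ok: false, reason: 'nonce already used' };
  if (f['Expiration Time'] && new Date(f['Expiration Time']) <= now) {
    return { ok: false, reason: 'token expired' };
  }
  usedNonces.add(nonce);
  return { ok: true };
}
```

Pass the same `usedNonces` Set (or a persistent store) across requests; with the default a fresh Set is created per call and the replay guard does nothing.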