multiversx / mx-sdk-js-extension-provider

Signing provider for dApps: DeFi Wallet (browser extension).

Native auth client library and extension #18

Closed juliancwirko closed 1 year ago

juliancwirko commented 1 year ago

When I used the mx-sdk-js-native-auth-client library, I observed that the Access token couldn't be verified using the mx-sdk-js-native-auth-server library and also the https://utils.multiversx.com/auth service when signing using the extension provider.

Interestingly, the same code with the web wallet and xPortal generates a valid Access token that can be verified using the mx-sdk-js-native-auth-server library and also the utils service.

Are there any known problems related to that?

The case can be tested here: https://elvenjs.netlify.app/. The Access token is saved in localStorage under elvenjs_state.

I use it like:

const nativeAuthClient = new NativeAuthClient({
  apiUrl: this.initOptions?.apiUrl,
});
const loginToken = await nativeAuthClient.initialize();

and then:

const accessToken = nativeAuthClient.getToken(
  address,
  loginToken,
  signature
);

tanghel commented 1 year ago

hello!

the issue is most likely related to the server-side verifications performed.

the backend that uses the native auth server must specify in the acceptedOrigins array the https://elvenjs.netlify.app origin. furthermore, the requests must always be performed from the elvenjs.netlify.app domain, so that the origin header in the request matches the origin in the native auth token
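
The origin checks described in the comment above can be reproduced offline when debugging a rejected token. The following is an added example, not part of the original thread and not code from either library: it decodes a token and compares the embedded origin with an accepted-origins list and the request's Origin header. The token layout in the first comment is an assumption, `decodeAccessToken`, `checkOrigin` and `buildSampleToken` are hypothetical helper names, and the sample token is constructed.

```javascript
// Added example. ASSUMED layout (not stated in this thread):
//   accessToken = b64url(address) . b64url(loginToken) . signature
//   loginToken  = b64url(origin) . blockHash . ttlSeconds . b64url(extraInfoJson)
const dec = (s) => Buffer.from(s, 'base64url').toString('utf8');
const enc = (s) => Buffer.from(s, 'utf8').toString('base64url');

function decodeAccessToken(accessToken) {
  const parts = accessToken.split('.');
  if (parts.length !== 3) throw new Error('access token: expected 3 parts');
  const [encAddress, encLoginToken, signature] = parts;
  const fields = dec(encLoginToken).split('.');
  if (fields.length !== 4) throw new Error('login token: expected 4 fields');
  const [encOrigin, blockHash, ttl, encExtra] = fields;
  return {
    address: dec(encAddress),
    origin: dec(encOrigin),
    blockHash,
    ttlSeconds: Number(ttl),
    extraInfo: JSON.parse(dec(encExtra) || '{}'),
    signature,
  };
}

// Reports why the origin checks described above would reject a token.
// Exact string comparison only; the signature is NOT verified here.
function checkOrigin(accessToken, acceptedOrigins, requestOrigin) {
  const { origin } = decodeAccessToken(accessToken);
  const problems = [];
  if (!acceptedOrigins.includes(origin)) {
    problems.push(`token origin "${origin}" is not in acceptedOrigins`);
  }
  if (requestOrigin !== origin) {
    problems.push(`request Origin "${requestOrigin}" differs from token origin "${origin}"`);
  }
  return { origin, ok: problems.length === 0, problems };
}

// Constructed sample token: address, block hash and signature are placeholders.
function buildSampleToken(origin) {
  const loginToken = [enc(origin), 'ab'.repeat(32), '7200', enc('{}')].join('.');
  return [enc('erd1-constructed-sample-address'), enc(loginToken), '00'.repeat(64)].join('.');
}

const sample = buildSampleToken('https://elvenjs.netlify.app');
console.log(checkOrigin(sample, ['https://elvenjs.netlify.app'], 'https://elvenjs.netlify.app'));
console.log(checkOrigin(sample, ['https://example.test'], 'http://localhost:3000'));
```

Running the same decode on a token produced with each signing provider shows whether the embedded origin or login token differs between them.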

juliancwirko commented 1 year ago

Hi, I think the origin is proper. I probably need help understanding something: how does https://utils.multiversx.com/auth?network=devnet verify Access tokens from other services? Does it check origins? Because some of my Access tokens generated with the same process are validated correctly there.

The first image, when using the extension and validation on utils service (but the same is with the Node-based simple app, where I paste the access token): [image: Screenshot from 2023-05-26 11-22-32]

The second, done after the first one on the same app, but signing with Web wallet (the same is with a simple Node verification app, where I'm pasting the access token): [image: Screenshot from 2023-05-26 11-23-54]

juliancwirko commented 1 year ago

I've done more tests on an unrelated project with the same implementation, and all work there, so it must be a bug somewhere on my side. I'll close the issue and try to debug it more. Thanks.