Parsing/Validation and Verification

[awoie]

We should make sure the terms validation and verification are used consistently. We should validate a SIWE message when it is parsed or created. Validation includes schema validation and making sure the message complies with EIP-4361 spec. Verification means the EIP-191 signature is correct and is verified against a given optional domain, timestamp, nonce etc.

For this I propose, we do the following for validation:

• SIWE message complies with the SIWE ABNF in general
• SIWE message contains valid types such as for address (EIP-55), authority (see RFC/EIP), Resources (should be URIs) etc.
• SIWE has all mandatory parameters (e.g., domain, address, issued at)
• SIWE only uses accepted white spaces (LF)
• Parameters in SIWE message are correctly ordered (this is required by the ABNF)

As a result of the validation above, it should not be possible to get a SIWE message that is invalid. Then verification includes the following:

• verifying the EIP-191 signature
• verifying that expiration time is < date.now() + some minimal clock skew
• verifying that expected nonce and domain are in the message (for this, a server would need to have a configuration for domain and has to remember issued nonces which should also expire individually -> note, if a server issues a nonce it is still up to the frontend WHEN to create the SIWE message which can use a different issued at and a longer expiration time).
• verifying not before date < date.now()

[awoie]

PR ready by today. paython and sam/simon might be good candidates to review once ready.

[sbihel]

Closed by #27