spruceid / siwe-py

A Python implementation of Sign-In with Ethereum
https://login.xyz
Apache License 2.0

Verify success with invalid signature #33

Closed kilesh11 closed 1 year ago

kilesh11 commented 1 year ago

Hi, I want to use siwe for my project. I have signed the message in the frontend and am passing it to the Python backend. When I try to verify the message with a test invalid signature, it passes without raising an error.

Python 3.8.10

from siwe import SiweMessage
from siwe.siwe import VerificationError, InvalidSignature, MalformedSession, DomainMismatch, ExpiredMessage, NonceMismatch, NotYetValidMessage

message = {
    "domain":"localhost:3000",
    "address":"0x8D873cA5De39ae2aCF371515823ab2EDb5c7c928",
    "statement":"Sign in with Ethereum to the app.",
    "uri":"http://localhost:3000",
    "version":"1",
    "chain_id": "1",
    "nonce":"5854bdb2953c9e9974c4bfce22143f7403d911d99277577cd40a85926320dc54",
    "issued_at":"2022-11-01T17:04:08.402Z"
}
message: SiweMessage = SiweMessage(message=message)
print(message.prepare_message())
try:
    # try passing an invalid signature
    message.verify(signature="test_invalid_signature")
    # You can also specify other checks (e.g. the nonce or domain expected).
    print("Authentication attempt accepted.")
except ValueError:
    # Invalid message
    print("Authentication attempt rejected. Invalid message.")
except NotYetValidMessage:
    # The message is not yet valid
    print("Authentication attempt rejected. The message is not yet valid.")
except ExpiredMessage:
    # The message has expired
    print("Authentication attempt rejected. The message has expired.")
except DomainMismatch:
    print("Authentication attempt rejected. Domain mismatch.")
except NonceMismatch:
    print("Authentication attempt rejected. The nonce is not the expected one.")
except MalformedSession as e:
    # e.missing_fields contains the missing information needed for validation
    print("Authentication attempt rejected. Missing fields")
except InvalidSignature:
    print("Authentication attempt rejected. Invalid signature.")
except VerificationError:
    # VerificationError
    print("Authentication attempt rejected. Verification Error.")

# Message has been verified. Authentication complete. Continue with authorization/other.

Both valid and invalid signatures pass the verification. Is there anything I missed or did wrong? Thanks

sbihel commented 1 year ago

Nothing wrong on your part, it was our fault and is rather awkward. Thank you for the report ❤️
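An added example, not part of this issue or of siwe-py: a structural pre-check for the 65-byte EIP-191 signature that SIWE verification consumes, plus a small regression harness that feeds constructed bad signatures (including the literal "test_invalid_signature" from the report) to whatever verify callable a backend wraps, and reports any that were accepted. The names `parse_eip191_signature`, `unrejected_signatures`, `BAD_SIGNATURES` and `SignatureRejected` are chosen here; the harness assumes the verifier signals failure by raising, as siwe's verify() does, rather than by a return value.

```python
from typing import Callable, Iterable, List, Tuple

# Group order of secp256k1; r and s of a valid signature lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

class SignatureRejected(Exception):
    """Any signature that must not authenticate a user."""

def parse_eip191_signature(signature: str) -> Tuple[int, int, int]:
    """Structural check of a 65-byte EIP-191 signature; returns (r, s, v).
    Passing proves nothing about who signed; it only keeps garbage such as
    "test_invalid_signature" from ever reaching key recovery."""
    hexpart = signature[2:] if signature[:2].lower() == "0x" else signature
    if len(hexpart) != 130:
        raise SignatureRejected("signature must encode exactly 65 bytes")
    try:
        raw = bytes.fromhex(hexpart)
    except ValueError:
        raise SignatureRejected("signature is not hex") from None
    r, s, v = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:64], "big"), raw[64]
    if not (1 <= r < SECP256K1_N and 1 <= s < SECP256K1_N):
        raise SignatureRejected("r or s out of range")
    if v not in (0, 1, 27, 28):
        raise SignatureRejected("bad recovery id")
    return r, s, v

# Constructed probes: none may ever verify. The first is the literal string from
# the report; the last is well-formed but signed by no key, so only real
# cryptographic verification (not the structural check) rejects it.
BAD_SIGNATURES = (
    "test_invalid_signature",
    "",
    "0x" + "00" * 65,           # r = s = 0
    "0x" + "ff" * 65,           # r, s >= N and v = 255
    "0x" + "11" * 64 + "1b",    # r, s in range, v = 27, but signs nothing
)

def unrejected_signatures(verify: Callable[[str], object],
                          probes: Iterable[str] = BAD_SIGNATURES) -> List[str]:
    """Return every probe that `verify` accepted, i.e. did not raise. Assumes
    the verifier raises on failure, as siwe's verify() does (it returns None
    on success); a correct verifier yields []. Use as a regression test."""
    accepted = []
    for probe in probes:
        try:
            verify(probe)
        except Exception:   # any error, not just InvalidSignature, is a rejection
            continue
        accepted.append(probe)
    return accepted
```

Wiring `lambda sig: message.verify(signature=sig)` into `unrejected_signatures` turns the manual check from the report into a test that fails whenever a verifier starts accepting something on this list.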