viem 0.0.0-main.20240521T214213 → 0.0.0-main.20240521T215546

package/utils/siwe/types.ts

@@ -0,0 +1,61 @@
+import type { Address } from 'abitype'
+
+/**
+ * @description EIP-4361 message fields
+ *
+ * @see https://eips.ethereum.org/EIPS/eip-4361
+ */
+export type SiweMessage = {
+  /**
+   * The Ethereum address performing the signing.
+   */
+  address: Address
+  /**
+   * The [EIP-155](https://eips.ethereum.org/EIPS/eip-155) Chain ID to which the session is bound,
+   */
+  chainId: number
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986) authority that is requesting the signing.
+   */
+  domain: string
+  /**
+   * Time when the signed authentication message is no longer valid.
+   */
+  expirationTime?: Date | undefined
+  /**
+   * Time when the message was generated, typically the current time.
+   */
+  issuedAt?: Date | undefined
+  /**
+   * A random string typically chosen by the relying party and used to prevent replay attacks.
+   */
+  nonce: string
+  /**
+   * Time when the signed authentication message will become valid.
+   */
+  notBefore?: Date | undefined
+  /**
+   * A system-specific identifier that may be used to uniquely refer to the sign-in request.
+   */
+  requestId?: string | undefined
+  /**
+   * A list of information or references to information the user wishes to have resolved as part of authentication by the relying party.
+   */
+  resources?: string[] | undefined
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-3.1) URI scheme of the origin of the request.
+   */
+  scheme?: string | undefined
+  /**
+   * A human-readable ASCII assertion that the user will sign.
+   */
+  statement?: string | undefined
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986) URI referring to the resource that is the subject of the signing (as in the subject of a claim).
+   */
+  uri: string
+  /**
+   * The current version of the SIWE Message.
+   */
+  version: '1'
+}

package/utils/siwe/utils.ts

@@ -0,0 +1,51 @@
+export function isUri(value: string) {
+  // based on https://github.com/ogt/valid-url
+
+  // check for illegal characters
+  if (/[^a-z0-9\:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=\.\-\_\~\%]/i.test(value))
+    return false
+
+  // check for hex escapes that aren't complete
+  if (/%[^0-9a-f]/i.test(value)) return false
+  if (/%[0-9a-f](:?[^0-9a-f]|$)/i.test(value)) return false
+
+  // from RFC 3986
+  const splitted = splitUri(value)
+  const scheme = splitted[1]
+  const authority = splitted[2]
+  const path = splitted[3]
+  const query = splitted[4]
+  const fragment = splitted[5]
+
+  // scheme and path are required, though the path can be empty
+  if (!(scheme?.length && path.length >= 0)) return false
+
+  // if authority is present, the path must be empty or begin with a /
+  if (authority?.length) {
+    if (!(path.length === 0 || /^\//.test(path))) return false
+  } else {
+    // if authority is not present, the path must not start with //
+    if (/^\/\//.test(path)) return false
+  }
+
+  // scheme must begin with a letter, then consist of letters, digits, +, ., or -
+  if (!/^[a-z][a-z0-9\+\-\.]*$/.test(scheme.toLowerCase())) return false
+
+  let out = ''
+  // re-assemble the URL per section 5.3 in RFC 3986
+  out += `${scheme}:`
+  if (authority?.length) out += `//${authority}`
+
+  out += path
+
+  if (query?.length) out += `?${query}`
+  if (fragment?.length) out += `#${fragment}`
+
+  return out
+}
+
+function splitUri(value: string) {
+  return value.match(
+    /(?:([^:\/?#]+):)?(?:\/\/([^\/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?/,
+  )!
+}

package/utils/siwe/validateSiweMessage.ts

@@ -0,0 +1,70 @@
+import type { Address } from 'abitype'
+
+import type { ExactPartial } from '../../types/utils.js'
+import { isAddressEqual } from '../address/isAddressEqual.js'
+import type { SiweMessage } from './types.js'
+
+export type ValidateSiweMessageParameters = {
+  /**
+   * Ethereum address to check against.
+   */
+  address?: Address | undefined
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986) authority to check against.
+   */
+  domain?: string | undefined
+  /**
+   * EIP-4361 message fields.
+   */
+  message: ExactPartial<SiweMessage>
+  /**
+   * Random string to check against.
+   */
+  nonce?: string | undefined
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-3.1) URI scheme to check against.
+   */
+  scheme?: string | undefined
+  /**
+   * Current time to check optional `expirationTime` and `notBefore` fields.
+   *
+   * @default new Date()
+   */
+  time?: Date | undefined
+}
+
+export type ValidateSiweMessageReturnType = boolean
+
+/**
+ * @description Validates EIP-4361 message.
+ *
+ * @see https://eips.ethereum.org/EIPS/eip-4361
+ */
+export function validateSiweMessage(
+  parameters: ValidateSiweMessageParameters,
+): ValidateSiweMessageReturnType {
+  const {
+    address,
+    domain,
+    message,
+    nonce,
+    scheme,
+    time = new Date(),
+  } = parameters
+
+  if (domain && message.domain !== domain) return false
+  if (nonce && message.nonce !== nonce) return false
+  if (scheme && message.scheme !== scheme) return false
+
+  if (message.expirationTime && time >= message.expirationTime) return false
+  if (message.notBefore && time < message.notBefore) return false
+
+  try {
+    if (!message.address) return false
+    if (address && !isAddressEqual(message.address, address)) return false
+  } catch {
+    return false
+  }
+
+  return true
+}