viem 2.11.1 → 2.12.1

package/utils/siwe/parseSiweMessage.ts

@@ -0,0 +1,55 @@
+import type { Address } from 'abitype'
+
+import type { ExactPartial, Prettify } from '../../types/utils.js'
+import type { SiweMessage } from './types.js'
+
+/**
+ * @description Parses EIP-4361 formatted message into message fields object.
+ *
+ * @see https://eips.ethereum.org/EIPS/eip-4361
+ *
+ * @returns EIP-4361 fields object
+ */
+export function parseSiweMessage(
+  message: string,
+): Prettify<ExactPartial<SiweMessage>> {
+  const { scheme, statement, ...prefix } = (message.match(prefixRegex)
+    ?.groups ?? {}) as {
+    address: Address
+    domain: string
+    scheme?: string
+    statement?: string
+  }
+  const { chainId, expirationTime, issuedAt, notBefore, requestId, ...suffix } =
+    (message.match(suffixRegex)?.groups ?? {}) as {
+      chainId: string
+      expirationTime?: string
+      issuedAt?: string
+      nonce: string
+      notBefore?: string
+      requestId?: string
+      uri: string
+      version: '1'
+    }
+  const resources = message.split('Resources:')[1]?.split('\n- ').slice(1)
+  return {
+    ...prefix,
+    ...suffix,
+    ...(chainId ? { chainId: Number(chainId) } : {}),
+    ...(expirationTime ? { expirationTime: new Date(expirationTime) } : {}),
+    ...(issuedAt ? { issuedAt: new Date(issuedAt) } : {}),
+    ...(notBefore ? { notBefore: new Date(notBefore) } : {}),
+    ...(requestId ? { requestId } : {}),
+    ...(resources ? { resources } : {}),
+    ...(scheme ? { scheme } : {}),
+    ...(statement ? { statement } : {}),
+  }
+}
+
+// https://regexr.com/80gdj
+const prefixRegex =
+  /^(?:(?<scheme>[a-zA-Z][a-zA-Z0-9+-.]*):\/\/)?(?<domain>[a-zA-Z0-9+-.]*) (?:wants you to sign in with your Ethereum account:\n)(?<address>0x[a-fA-F0-9]{40})\n\n(?:(?<statement>.*)\n\n)?/
+
+// https://regexr.com/80gf9
+const suffixRegex =
+  /(?:URI: (?<uri>.+))\n(?:Version: (?<version>.+))\n(?:Chain ID: (?<chainId>\d+))\n(?:Nonce: (?<nonce>[a-zA-Z0-9]+))\n(?:Issued At: (?<issuedAt>.+))(?:\nExpiration Time: (?<expirationTime>.+))?(?:\nNot Before: (?<notBefore>.+))?(?:\nRequest ID: (?<requestId>.+))?/

package/utils/siwe/types.ts

@@ -0,0 +1,61 @@
+import type { Address } from 'abitype'
+
+/**
+ * @description EIP-4361 message fields
+ *
+ * @see https://eips.ethereum.org/EIPS/eip-4361
+ */
+export type SiweMessage = {
+  /**
+   * The Ethereum address performing the signing.
+   */
+  address: Address
+  /**
+   * The [EIP-155](https://eips.ethereum.org/EIPS/eip-155) Chain ID to which the session is bound,
+   */
+  chainId: number
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986) authority that is requesting the signing.
+   */
+  domain: string
+  /**
+   * Time when the signed authentication message is no longer valid.
+   */
+  expirationTime?: Date | undefined
+  /**
+   * Time when the message was generated, typically the current time.
+   */
+  issuedAt?: Date | undefined
+  /**
+   * A random string typically chosen by the relying party and used to prevent replay attacks.
+   */
+  nonce: string
+  /**
+   * Time when the signed authentication message will become valid.
+   */
+  notBefore?: Date | undefined
+  /**
+   * A system-specific identifier that may be used to uniquely refer to the sign-in request.
+   */
+  requestId?: string | undefined
+  /**
+   * A list of information or references to information the user wishes to have resolved as part of authentication by the relying party.
+   */
+  resources?: string[] | undefined
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-3.1) URI scheme of the origin of the request.
+   */
+  scheme?: string | undefined
+  /**
+   * A human-readable ASCII assertion that the user will sign.
+   */
+  statement?: string | undefined
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986) URI referring to the resource that is the subject of the signing (as in the subject of a claim).
+   */
+  uri: string
+  /**
+   * The current version of the SIWE Message.
+   */
+  version: '1'
+}

package/utils/siwe/utils.ts

@@ -0,0 +1,51 @@
+export function isUri(value: string) {
+  // based on https://github.com/ogt/valid-url
+
+  // check for illegal characters
+  if (/[^a-z0-9\:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=\.\-\_\~\%]/i.test(value))
+    return false
+
+  // check for hex escapes that aren't complete
+  if (/%[^0-9a-f]/i.test(value)) return false
+  if (/%[0-9a-f](:?[^0-9a-f]|$)/i.test(value)) return false
+
+  // from RFC 3986
+  const splitted = splitUri(value)
+  const scheme = splitted[1]
+  const authority = splitted[2]
+  const path = splitted[3]
+  const query = splitted[4]
+  const fragment = splitted[5]
+
+  // scheme and path are required, though the path can be empty
+  if (!(scheme?.length && path.length >= 0)) return false
+
+  // if authority is present, the path must be empty or begin with a /
+  if (authority?.length) {
+    if (!(path.length === 0 || /^\//.test(path))) return false
+  } else {
+    // if authority is not present, the path must not start with //
+    if (/^\/\//.test(path)) return false
+  }
+
+  // scheme must begin with a letter, then consist of letters, digits, +, ., or -
+  if (!/^[a-z][a-z0-9\+\-\.]*$/.test(scheme.toLowerCase())) return false
+
+  let out = ''
+  // re-assemble the URL per section 5.3 in RFC 3986
+  out += `${scheme}:`
+  if (authority?.length) out += `//${authority}`
+
+  out += path
+
+  if (query?.length) out += `?${query}`
+  if (fragment?.length) out += `#${fragment}`
+
+  return out
+}
+
+function splitUri(value: string) {
+  return value.match(
+    /(?:([^:\/?#]+):)?(?:\/\/([^\/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?/,
+  )!
+}

package/utils/siwe/validateSiweMessage.ts

@@ -0,0 +1,70 @@
+import type { Address } from 'abitype'
+
+import type { ExactPartial } from '../../types/utils.js'
+import { isAddressEqual } from '../address/isAddressEqual.js'
+import type { SiweMessage } from './types.js'
+
+export type ValidateSiweMessageParameters = {
+  /**
+   * Ethereum address to check against.
+   */
+  address?: Address | undefined
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986) authority to check against.
+   */
+  domain?: string | undefined
+  /**
+   * EIP-4361 message fields.
+   */
+  message: ExactPartial<SiweMessage>
+  /**
+   * Random string to check against.
+   */
+  nonce?: string | undefined
+  /**
+   * [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-3.1) URI scheme to check against.
+   */
+  scheme?: string | undefined
+  /**
+   * Current time to check optional `expirationTime` and `notBefore` fields.
+   *
+   * @default new Date()
+   */
+  time?: Date | undefined
+}
+
+export type ValidateSiweMessageReturnType = boolean
+
+/**
+ * @description Validates EIP-4361 message.
+ *
+ * @see https://eips.ethereum.org/EIPS/eip-4361
+ */
+export function validateSiweMessage(
+  parameters: ValidateSiweMessageParameters,
+): ValidateSiweMessageReturnType {
+  const {
+    address,
+    domain,
+    message,
+    nonce,
+    scheme,
+    time = new Date(),
+  } = parameters
+
+  if (domain && message.domain !== domain) return false
+  if (nonce && message.nonce !== nonce) return false
+  if (scheme && message.scheme !== scheme) return false
+
+  if (message.expirationTime && time >= message.expirationTime) return false
+  if (message.notBefore && time < message.notBefore) return false
+
+  try {
+    if (!message.address) return false
+    if (address && !isAddressEqual(message.address, address)) return false
+  } catch {
+    return false
+  }
+
+  return true
+}