Add custom params to message creation or verification

[rgouzal]

I am trying to create a custom authentication backend adapter with custom message creation and verification by passing additional params, cause this is how I am implementing authentication on backend:

1. A nonce is retrieved for the current wallet address user.
2. Timestamp is generated to be added to message for e.g. "I agree to login to MyDapp at ${timestamp}"
3. Message is generated with the above content and sent back to user for signing
4. User reads and accept to login by signing message
5. A signature along with nocne and timestamp returned back to backend for verification
6. Signature verified return JWT token for later API access

Now I did read the docs mentioned here: https://www.rainbowkit.com/docs/custom-authentication

Current approach:

verify: async ({ message, signature }) => {
    const verifyRes = await fetch('/auth/sign', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ message, signature }),
    });

    return Boolean(verifyRes.ok);
  }

My expected approach:

verify: async ({ message, signerAddress, signature, nonce, timestamp }) => {
    const verifyRes = await fetch('/auth/sign', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ signature, signerAddress, nonce, timestamp }),
    });

    return Boolean(verifyRes.ok);
  }

[adrianotadao]

hey @rgouzal have you found any solution for your problem?

checking the adapter interface we can see that we can't get the nonce as you want but I think your code makes sense to me.

rainbowkit/packages/rainbowkit/src/components/RainbowKitProvider/AuthenticationContext.tsx

Lines 16 to 26 in fe378b9

	export interface AuthenticationAdapter<Message> {
	getNonce: () => Promise<string>;
	createMessage: (args: {
	nonce: string;
	address: string;
	chainId: number;
	}) => Message;
	getMessageBody: (args: { message: Message }) => string;
	verify: (args: { message: Message; signature: string }) => Promise<boolean>;
	signOut: () => Promise<void>;
	}

[aalmada]

@rgouzal as you can see from the code posted by @adrianotadao, the verify: takes a function that takes only two parameters: message and signature. The message parameter will contain the value returned by the function passed to createMessage:. The signature will return the result of converting the message to a SIWE string and signed by the wallet.

A basic backend should look something like this:
https://github.com/spruceid/siwe-quickstart/blob/714e77e84910ed7dfc14d120df7ac5c6dd5acad9/02_backend/src/index.js#L1-L25

Note that both the frontend and the backend use the siwe library to generate the message and to validate it against the signed message. The backend receives the parameters you need from siweMessage.address and siweMessage.issuedAt respectively. No need to change anything on the frontend example.

The SIWE message format is specified by the EIP-4361: Sign-In with Ethereum. You can see there that there are some more optional parameters. If you need those, just add them when calling new SiweMessage() in the function passed to createMessage:.

Does this answer you question?

[aalmada]

@adrianotadao Authentication guarantees that, whoever is calling the backend is the actual owner of that wallet address. Not having it, would make it possible to someone spoof the address.

Instead of using email and password, SIWE uses a message signed by the private key stored inside the wallet. A new nonce is used on every authentication attempt to prevent replay attacks.

After the call to await siweMessage.validate() in the backend, it's guaranteed that siweMessage.address is the caller and a session can be started. Please note that the server example is missing the session logic. A session token should be used just like with any other web2 backend.

[aalmada]

@adrianotadao No you're no crazy. Most apps just need a frontend, which means the authentication portion of RainbowKit would not be needed. A backend is only required if you have any off-chain data/processing and using the wallet as identifier.

[Salmandabbakuti]

@aalmada following the discussion above, I think it would be great to include address as param to verify. I dont want to use siwe for preparing message and verifying. Instead, I wanted to use viem for verifying message in my backend so I need to pass address too there. would it be possible?

expected to have function signature like this:

verify: (args: { address: string; message: Message; signature: string }) => Promise<boolean>; 

[rafaelfaria]

@aalmada do you have an example of authentication off-chain? I am trying to integrate Rainbowkit with AWS Cognito but havent had much success, since the authentication actually occur completely through the Custom Challenge of cognito iself.

I need to use the wallet as the identifier for the database transactions, hence why i need that.

[magiziz]

@rafaelfaria There is a way to do this. You can use SIWE and our custom authentication api.

Let the frontend sign the message and pass the returned signature + message to the backend api for verification. Once that's done register your user on AWS and return a custom jwt token later.