[bug] SiWe as safe app does not call the authenticate function #1119
Comments
@malteish Good find. I'm able to reproduce the behavior you're seeing. I believe the issue is related to calling Wagmi's I've also started an initial look at adopting EIP-1271, but am receiving errors that 1271 is unsupported in the Safe browser upon attempts to enable with a
Thanks for looking into this, @DanielSinclair. We are very interested in gasless signatures, too, and happy to help exploring how it can be done.
After some digging I have to challenge our assumption that the bug starts with @DanielSinclair what do you make of this?
@malteish Yes, you're right. Was able to isolate the issue to
So we found out that CSRF and the nonce in the SiWe message were equal when using Metamask or WalletConnect, but different when using safe app. This is because next-auth enforces sameSite by default (which is a good choice!). After updating cookie policy for testing, signing messages and authenticating them in the backend works. Added this to
**WARNING: THESE SETTINGS ARE A VERY BAD CHOICE FOR PRODUCTION** in my opinion. Maybe someone with deeper knowledge in this area of expertise can chime in to either prove me wrong or suggest a better configuration. Background: So this is not really a problem caused by Rainbowkit. Do you want to close the issue? I would like to keep it open a bit longer in hopes of someone finding a better solution.
@malteish Will keep this issue open to see if a better solution is presented. I'll also relay to the Safe team to see if there is guidance on how to handle sessions/cookies in the Safe browser environment.
We're also interested in this. We wanted to add support not only for Safe, but also for AA in general. Do you know of other session managers (e.g. iron-session) that are able to properly handle sessions within an iframe? @DanielSinclair, did the Safe team give a proper answer? It may be something recurrent for them for the way they work with apps as iframes. Regarding the signature, I've been unable to make it work with Safe accounts using WalletConnect. Instead of using the offchain signature with safe_setSettings, I was trying to use the online EIP-1271 signature validation with no luck. But I've been able to make it work with other EIP-1271 compatible smart contract accounts. Why is that?
The two last steps are the possible ways to fix it. @DanielSinclair, if you are talking to the Safe team, ask them about this as well. You can create a Safe on testnet and test it yourself. If you need, using our dApp you can see a real-world example where it fails to sign. But other smart contract wallets can sign with no issues.
@DanielSinclair curious if there was any feedback from the Safe team on how to handle this correctly or a better workaround?
Any news with regard to this issue?
@nfts2me Our team is looking at this issue. We'll report back once we have a solution 🙏
@nfts2me Yes. We're working on this right now, please bear with us 👍
Is there an existing issue for this?
RainbowKit Version
0.12.4
wagmi Version
0.12.4
Current Behavior
What works: Connecting (formerly gnosis) safe with WalletConnect
On connect modal select WalletConnect -> Official Modal -> copy link -> paste into app.safe.global WalletConnect app -> connection established -> sign login message -> approve in app.safe.global -> custom logic in pages/api/auth/[...nextauth].ts verifies the multisig has approved this message hash on-chain
What doesn't work: The same workflow as safe app
RainbowKit supports usage as a (custom) Safe app since version 0.12.4, so this is still brand new. We are excited about it, because we had been working on this very functionality for our dapp!
But when I try the workflow above as a Safe app, I get stuck with an open modal claiming to be "Verifying signature ...", without ever calling the backend.
So the non-working flow is:
Open app.safe.global -> open custom app -> paste dapp url -> accept disclaimers etc -> connect wallet (very smooth and nice!) -> sign message -> approve in safe -> get stuck at "Verifying signature ...", backend is never called.
Expected Behavior
Sign in workflow with safe app calls backend with 0x as signature, just as sign in workflow with WalletConnect does.
Steps To Reproduce
Not tested: enable an app to become a Safe app by adding a manifest.json and configuring CORS to allow loading of the same. Try signing the login message with WalletConnect and as a Safe app. Both should fail (unless the backend was modified to verify EIP-1271), but only WalletConnect does fail, whereas the Safe app gets stuck without ever proceeding to check the signature in the first place.
Link to Minimal Reproducible Example (CodeSandbox, StackBlitz, etc.)
No response
Anything else?
No response