feat: warn users when personal_sign message contains the string "wants you to sign in with your Ethereum account"
#24128
Labels
Comments
digiwand
added
needs-design
This was referenced Apr 19, 2024
digiwand
added a commit
that referenced
this issue
Apr 24, 2024
#24138) ## **Description** Resolves @spruceid/siwe-parser 1.1.3 → 2.1.0 The updated @spruceid/siwe-parser allows `http` and `https` schemas in a transaction message's URL. Additional changes are included in the @spruceid/siwe-parser upgrade from v1.1.3 → v2.1.0. One important update is the requirement of [EIP-55](https://npmfs.com/package/@spruceid/siwe-parser/1.1.3/lib/abnf.ts) complaint addresses. This means that if a dapp attempts to sign a `personal_sign` message with a from address that is not EIP-55 compliant, SIWE will not be detected. This is what we want as [EIP-4361](https://eips.ethereum.org/EIPS/eip-4361) enforces EIP-55 addresses. There's a separate ticket that'll warn users if a `personal_sign` message looks like a SIWE but doesn't parse to a SIWE message: #24128 Issue to update test-dapp SIWE addresses to be EIP-55 complaint: MetaMask/test-dapp#326 Related Links (Thanks @NicholasEllul for these): - https://app.warp.dev/block/4eE6QC12lVuwARbpFj62VJ - https://npmfs.com/package/@spruceid/siwe-parser/1.1.3/lib/abnf.ts ## **Related issues** Fixes: MetaMask/MetaMask-planning#2256 Relates To: MetaMask/MetaMask-planning#2278 Related to: #24107 Related to: MetaMask/core#4153 Related to: MetaMask/core#4141 ## **Manual testing steps** 1. Go to the metamask test-dapp or run the test-dapp locally 2. When testing locally, optionally update the from addresses used by the buttons 3. Test Sign-in With Ethereum buttons 4. Observe MM ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I’ve followed [MetaMask Coding Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. --------- Co-authored-by: MetaMask Bot <metamaskbot@users.noreply.github.com> Co-authored-by: legobeat <109787230+legobeat@users.noreply.github.com> Co-authored-by: Nicholas Ellul <nicholas.ellul1@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What is this about?
Complete the following requirement of https://github.com/MetaMask/MetaMask-planning/issues/2278:
[ ] Ensure we warn the user when a personal_sign message contains the string "wants you to sign in with your Ethereum account". (see first recommendation here: https://eips.ethereum.org/EIPS/eip-4361#wallet-implementer-steps)
Scenario
No response
Design
We can use a warning banner alert for this. Copy and details should be discussed with design
Technical Details
No response
Threat Modeling Framework
No response
Acceptance Criteria
No response
Stakeholder review needed before the work gets merged
References
No response
The text was updated successfully, but these errors were encountered: