Skip to content

fix(auth): align SIWE statement and surface verify errors#268

Merged
GsCommand merged 1 commit into
mainfrom
codex/fix-siwe-verification-failure-on-claim
May 22, 2026
Merged

fix(auth): align SIWE statement and surface verify errors#268
GsCommand merged 1 commit into
mainfrom
codex/fix-siwe-verification-failure-on-claim

Conversation

@GsCommand
Copy link
Copy Markdown
Contributor

@GsCommand GsCommand commented May 22, 2026

Motivation

  • Users could sign the SIWE message in MetaMask but the server rejected it due to a statement mismatch and the UI only showed a generic "SIWE verification failed." message.
  • The verify endpoint returned unstructured, opaque errors which made debugging and UX difficult.
  • Domain/URI allowances need explicit handling so production and development hosts are accepted consistently.

Description

  • Frontend: introduced a single SIWE_STATEMENT = 'Authenticate with CommandLayer Claim activation.' in public/claim.html and used it when constructing the SIWE message so the signed statement is exact.
  • Frontend: improved error surfacing in signInWithEthereum to throw and display SIWE verification failed: <error> — <reason> when /api/auth/verify returns structured failure details.
  • Backend: updated api/auth/verify.js to enforce the exact REQUIRED_STATEMENT, accept configurable allowlists via COMMANDLAYER_SIWE_DOMAINS and COMMANDLAYER_SITE_URLS (with sensible defaults for www.commandlayer.org, optional commandlayer.org, and localhost in development), and validate normalized URIs and chain IDs.
  • Backend: replaced opaque messages with structured AUTH_FAILED JSON payloads and stable error codes and reasons (including missing_message, missing_signature, dependency_unavailable, malformed_message, domain_mismatch, uri_mismatch, chain_not_allowed, statement_mismatch, and signature_invalid).
  • Tests: updated tests/api-auth.test.js to assert the new error codes and added a statement-mismatch test path.

Testing

  • Ran npm test in the repository and all tests passed (31 passing tests).
  • Attempted npm run build but a build script is not defined in this repo (noted in validation).
  • Ran example checks with cd examples/webhook-auto-verify && npm install && npm run check and the example checks succeeded.

Codex Task

@vercel
Copy link
Copy Markdown

vercel Bot commented May 22, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
commandlayer-commandlayer-org Ready Ready Preview, Comment May 22, 2026 3:19am
commandlayer-org Ready Ready Preview, Comment May 22, 2026 3:19am
commandlayer-org111 Ready Ready Preview, Comment May 22, 2026 3:19am

Request Review

@GsCommand GsCommand merged commit ef2fae5 into main May 22, 2026
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand