Edge case that works on siwe-js and does not work on siwe-go #18

Closed
afa7789 opened this issue Jun 30, 2022 · 1 comment · Fixed by #19

afa7789 commented Jun 30, 2022

Hi,

Arthur from Tally here. We use 'siwe-go' in the backend to authenticate SIWE requests. We noticed that it did not seem to work for users signing with Ledger+MetaMask. I've put together some unit tests that duplicate the error.

You'll see that the JavaScript tests validate the signature, but the Go tests for the same signature do not. We're not super familiar with how the cryptography works here. Do you know what the problem might be? We're looking for some help to fix the issue.

Happy to provide more context if that's helpful!

TL;DR: I'm trying to sign (SIWE) with my Ledger at the Tally website and got some errors. I was able to narrow down that it works in the JS code (it worked on https://login.xyz), but it's not working with Go.

I put all replicable steps here:
https://github.com/afa7789/siwe-go

afa7789 commented Jul 1, 2022

OK, I have tested it on the most recent commit of the main branch too, just to be sure that it wasn't failing at that commit too:

 PASS  lib/client.test.ts (30.007 s)
  Message Generation
    ✓ Generates message successfully: couple of optional fields (21 ms)
    ✓ Generates message successfully: no optional field (1 ms)
    ✓ Generates message successfully: timestamp without microseconds (1 ms)
    ✓ Generates message successfully: domain is RFC 3986 authority with IP (1 ms)
    ✓ Generates message successfully: domain is RFC 3986 authority with userinfo (1 ms)
    ✓ Generates message successfully: domain is RFC 3986 authority with port (1 ms)
    ✓ Generates message successfully: domain is localhost authority with port (1 ms)
    ✓ Generates message successfully: domain is RFC 3986 authority with userinfo and port (1 ms)
    ✓ Generates message successfully: no statement (1 ms)
    ✓ Generates message successfully: domain ipv6 (1 ms)
    ✓ Generates message successfully: uri ipv6 (1 ms)
    ✓ Generates message successfully: uri ipv4 (1 ms)
    ✓ Generates message successfully: uri with port (1 ms)
    ✓ Generates message successfully: uri ipv4 query params and fragment (1 ms)
    ✓ Generates message successfully: chainId not 1 (1 ms)
    ✓ Fails to generate message: missing domain (134 ms)
    ✓ Fails to generate message: missing address (113 ms)
    ✓ Fails to generate message: missing uri (82 ms)
    ✓ Fails to generate message: missing version (78 ms)
    ✓ Fails to generate message: missing chainId (70 ms)
    ✓ Fails to generate message: missing nonce (60 ms)
    ✓ Fails to generate message: missing issuedAt (61 ms)
    ✓ Fails to generate message: out of order uri (101 ms)
    ✓ Fails to generate message: out of order version (98 ms)
    ✓ Fails to generate message: out of order chainId (58 ms)
    ✓ Fails to generate message: out of order nonce (58 ms)
    ✓ Fails to generate message: out of order issuedAt (60 ms)
    ✓ Fails to generate message: out of order expirationTime (60 ms)
    ✓ Fails to generate message: out of order notBefore (61 ms)
    ✓ Fails to generate message: out of order requestId (61 ms)
    ✓ Fails to generate message: out of order resources (59 ms)
    ✓ Fails to generate message: domain not RFC4501 authority (57 ms)
    ✓ Fails to generate message: address not EIP-55 (59 ms)
    ✓ Fails to generate message: statement has line break (56 ms)
    ✓ Fails to generate message: uri is non-RFC 3986 (59 ms)
    ✓ Fails to generate message: version not 1 (57 ms)
    ✓ Fails to generate message: not a valid chainId (62 ms)
    ✓ Fails to generate message: nonce with less then 8 chars (57 ms)
    ✓ Fails to generate message: non-ISO 8601 issuedAt (57 ms)
    ✓ Fails to generate message: non-ISO 8601 expirationTime (57 ms)
    ✓ Fails to generate message: non-ISO 8601 notBefore (61 ms)
    ✓ Fails to generate message: resources not separated by line break (59 ms)
    ✓ Fails to generate message: first resource not-RFC 3986 (60 ms)
    ✓ Fails to generate message: second resource is not-RFC3986 (58 ms)
    ✓ Fails to generate message: missing domain (1 ms)
    ✓ Fails to generate message: missing address (1 ms)
    ✓ Fails to generate message: missing uri (1 ms)
    ✓ Fails to generate message: missing version (1 ms)
    ✓ Fails to generate message: missing chainId
    ✓ Fails to generate message: missing nonce (1 ms)
    ✓ Fails to generate message: missing issuedAt
    ✓ Fails to generate message: domain not RFC4501 authority
    ✓ Fails to generate message: address not EIP-55 (1 ms)
    ✓ Fails to generate message: uri is non-RFC 3986
    ✓ Fails to generate message: version not 1
    ✓ Fails to generate message: not a valid chainId
    ✓ Fails to generate message: nonce with less then 8 chars (1 ms)
    ✓ Fails to generate message: non-ISO 8601 issuedAt (1 ms)
    ✓ Fails to generate message: non-ISO 8601 expirationTime (1 ms)
    ✓ Fails to generate message: non-ISO 8601 notBefore (1 ms)
    ✓ Fails to generate message: first resource not-RFC 3986
    ✓ Fails to generate message: second resource is not-RFC3986 (1 ms)
  Message verification without suppressExceptions
    ✓ Verificates message successfully: example message (261 ms)
    ✓ Verificates message successfully: not yet valid (236 ms)
    ✓ Verificates message successfully: expired message (249 ms)
    ✓ Verificates message successfully: tally_example (232 ms)
    ✓ Fails to verify message: expired message and rejects the promise (249 ms)
    ✓ Fails to verify message: domain binding and rejects the promise (239 ms)
    ✓ Fails to verify message: custom time and rejects the promise (236 ms)
    ✓ Fails to verify message: custom nonce and rejects the promise (233 ms)
    ✓ Fails to verify message: malformed signature and rejects the promise (2 ms)
    ✓ Fails to verify message: wrong signature and rejects the promise (237 ms)
    ✓ Fails to verify message: invalid expiration time and rejects the promise
    ✓ Fails to verify message: not yet valid and rejects the promise (232 ms)
  Message verification with suppressExceptions
    ✓ Fails to verify message: expired message but still resolves the promise (261 ms)
    ✓ Fails to verify message: domain binding but still resolves the promise (238 ms)
    ✓ Fails to verify message: custom time but still resolves the promise (235 ms)
    ✓ Fails to verify message: custom nonce but still resolves the promise (235 ms)
    ✓ Fails to verify message: malformed signature but still resolves the promise (1 ms)
    ✓ Fails to verify message: wrong signature but still resolves the promise (235 ms)
    ✓ Fails to verify message: invalid expiration time but still resolves the promise
    ✓ Fails to verify message: not yet valid but still resolves the promise (230 ms)
  Round Trip
    ✓ Generates a Successfully Verifying message: couple of optional fields (314 ms)
    ✓ Generates a Successfully Verifying message: no optional field (315 ms)
    ✓ Generates a Successfully Verifying message: timestamp without microseconds (302 ms)
    ✓ Generates a Successfully Verifying message: domain is RFC 3986 authority with IP (313 ms)
    ✓ Generates a Successfully Verifying message: domain is RFC 3986 authority with userinfo (411 ms)
    ✓ Generates a Successfully Verifying message: domain is RFC 3986 authority with port (317 ms)
    ✓ Generates a Successfully Verifying message: domain is localhost authority with port (401 ms)
    ✓ Generates a Successfully Verifying message: domain is RFC 3986 authority with userinfo and port (321 ms)
    ✓ Generates a Successfully Verifying message: no statement (308 ms)
    ✓ Generates a Successfully Verifying message: domain ipv6 (302 ms)
    ✓ Generates a Successfully Verifying message: uri ipv6 (337 ms)
    ✓ Generates a Successfully Verifying message: uri ipv4 (316 ms)
    ✓ Generates a Successfully Verifying message: uri with port (323 ms)
    ✓ Generates a Successfully Verifying message: uri ipv4 query params and fragment (317 ms)
    ✓ Generates a Successfully Verifying message: chainId not 1 (318 ms)
    ✓ Generates a Successfully Verifying message: couple of optional fields (397 ms)
    ✓ Generates a Successfully Verifying message: no optional field (421 ms)
    ✓ Generates a Successfully Verifying message: timestamp without microseconds (405 ms)
    ✓ Generates a Successfully Verifying message: domain is RFC 3986 authority with IP (353 ms)
    ✓ Generates a Successfully Verifying message: domain is RFC 3986 authority with userinfo (327 ms)
    ✓ Generates a Successfully Verifying message: domain is RFC 3986 authority with port (315 ms)
    ✓ Generates a Successfully Verifying message: domain is localhost authority with port (424 ms)
    ✓ Generates a Successfully Verifying message: domain is RFC 3986 authority with userinfo and port (319 ms)
    ✓ Generates a Successfully Verifying message: no statement (313 ms)
    ✓ Generates a Successfully Verifying message: domain ipv6 (377 ms)
    ✓ Generates a Successfully Verifying message: uri ipv6 (314 ms)
    ✓ Generates a Successfully Verifying message: uri ipv4 (325 ms)
    ✓ Generates a Successfully Verifying message: uri with port (309 ms)
    ✓ Generates a Successfully Verifying message: uri ipv4 query params and fragment (319 ms)
    ✓ Generates a Successfully Verifying message: chainId not 1 (318 ms)
  EIP1271
    ✓ Verificates message successfully: argent (1249 ms)
    ✓ Verificates message successfully: loopring (704 ms)
  Unit
    ✓ Should throw if validateMessage is called with arguments (1 ms)
    ✓ Should not throw if params are valid. (2283 ms)
    ✓ Should throw if params are invalid. (1673 ms)
    ✓ Should throw if opts are invalid. (2249 ms)

Test Suites: 1 passed, 1 total
Tests:       118 passed, 118 total
Snapshots:   0 total
Time:        30.126 s, estimated 37 s
Ran all test suites.

awoie added the siwe-go (SIWE Core Go package) label on Jul 6, 2022
sbihel closed this as completed in #19 on Aug 4, 2022