[SDK] Handle 7702 accounts in verifyTypedData #8141
🦋 Changeset detected
Latest commit: b411922
The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Walkthrough
Introduces an early hex signature validation and a Secp256k1-based recovery path in verifyTypedData, falling back to existing contract verification on failure. Expands the
Changes
Sequence Diagram(s)
sequenceDiagram
  autonumber
  participant C as Caller
  participant V as verifyTypedData
  participant S as Secp256k1
  participant K as ContractVerifier
  C->>V: verifyTypedData(address, message, signature)
  alt Signature not hex
    V-->>C: false
  else Signature hex
    rect rgba(220,240,255,0.5)
      note over V,S: New: Local recovery path
      V->>S: recoverAddress(hash(message), signature)
      alt Recovery succeeds and matches (case-insensitive)
        V-->>C: true
      else Recovery fails or mismatch
      end
      note over V,K: Fallback to existing verification
      V->>K: verify via contract/signature checks
      K-->>V: result (true/false)
      V-->>C: result
    end
  end
Estimated code review effort
🎯 3 (Moderate) | ⏱️ ~20 minutes
Pre-merge checks and finishing touches
❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
Actionable comments posted: 1
📒 Files selected for processing (2)
- .changeset/cyan-windows-reply.md (1 hunks)
- packages/thirdweb/src/auth/verify-typed-data.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx}
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.{ts,tsx}:
- Write idiomatic TypeScript with explicit function declarations and return types
- Limit each file to one stateless, single-responsibility function for clarity
- Re-use shared types from @/types or local types.ts barrels
- Prefer type aliases over interface except for nominal shapes
- Avoid any and unknown unless unavoidable; narrow generics when possible
- Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
- Comment only ambiguous logic; avoid restating TypeScript in prose
**/*.{ts,tsx}:
- Use explicit function declarations and explicit return types in TypeScript
- Limit each file to one stateless, single‑responsibility function
- Re‑use shared types from @/types where applicable
- Prefer type aliases over interface except for nominal shapes
- Avoid any and unknown unless unavoidable; narrow generics when possible
- Prefer composition over inheritance; use utility types (Partial, Pick, etc.)
- Lazy‑import optional features and avoid top‑level side‑effects to reduce bundle size
Files: packages/thirdweb/src/auth/verify-typed-data.ts
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (CLAUDE.md)
- Load heavy dependencies inside async paths to keep initial bundle lean (lazy loading)
Files: packages/thirdweb/src/auth/verify-typed-data.ts
packages/thirdweb/**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
packages/thirdweb/**/*.{ts,tsx}:
- Every public symbol must have comprehensive TSDoc with at least one compiling @example and a custom tag (@beta, @internal, @experimental, etc.)
- Comment only ambiguous logic; avoid restating TypeScript in prose
- Lazy‑load heavy dependencies inside async paths (e.g., const { jsPDF } = await import("jspdf"))
Files: packages/thirdweb/src/auth/verify-typed-data.ts
.changeset/*.md
📄 CodeRabbit inference engine (AGENTS.md)
.changeset/*.md:
- Each change in packages/* must include a changeset for the appropriate package
- Version bump rules: patch for non‑API changes; minor for new/modified public API
Files: .changeset/cyan-windows-reply.md
🧠 Learnings (1)
📚 Learning: 2025-08-29T15:37:38.513Z
Learnt from: CR
PR: thirdweb-dev/js#0
File: AGENTS.md:0-0
Timestamp: 2025-08-29T15:37:38.513Z
Learning: Applies to .changeset/*.md : Version bump rules: patch for non‑API changes; minor for new/modified public API
Applied to files: .changeset/cyan-windows-reply.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Unit Tests
- GitHub Check: Size
if (!isHex(signature)) { | ||
return false; | ||
} | ||
|
||
try { | ||
const recoveredAddress = ox__Secp256k1.recoverAddress({ | ||
payload: messageHash, | ||
signature: ox__Signature.fromHex(signature), | ||
}); | ||
|
||
if (recoveredAddress.toLowerCase() === address.toLowerCase()) { | ||
return true; | ||
} |
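Review bot: inside the `try`, `ox__Signature.fromHex(signature)` can throw for a hex string that is not an ECDSA-shaped signature, and an address mismatch just falls out of the `if`, yet nothing in the block says that both outcomes are meant to continue to the contract verification path. Add a one-line comment above the `try` stating that a throw or a mismatch is non-fatal and falls through, and add a test that passes a non-ECDSA hex signature so that path is exercised rather than assumed.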
Do not short-circuit non-hex signatures
signature is still documented and typed as string | Uint8Array | ox__Signature.Signature, but the new isHex guard returns false for the latter two cases, so previously valid Uint8Array / structured signatures now always fail verification. We need to either convert non-string signatures to hex before the guard or bypass the early return and fall back to verifyHash just like before.
One option:
- if (!isHex(signature)) {
- return false;
- }
-
- const recoveredAddress = ox__Secp256k1.recoverAddress({
- payload: messageHash,
- signature: ox__Signature.fromHex(signature),
- });
+ const signatureHex =
+ typeof signature === "string"
+ ? signature
+ : ox__Signature.toHex(signature);
+
+ if (!isHex(signatureHex)) {
+ return false;
+ }
+
+ const recoveredAddress = ox__Secp256k1.recoverAddress({
+ payload: messageHash,
+ signature: ox__Signature.fromHex(signatureHex),
+ });
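Review bot: the ternary `typeof signature === "string" ? signature : ox__Signature.toHex(signature)` sends both remaining members of the documented `string | Uint8Array | ox__Signature.Signature` union to `toHex`, but a `Uint8Array` is raw bytes rather than a structured signature. Give `Uint8Array` its own bytes-to-hex branch before the structured case, and note that neither the removed nor the added lines include the surrounding `try {`, so confirm the conversion ends up inside it and a conversion error falls through to the existing verification instead of escaping.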
(Or, if toHex isn’t available, short-circuit to the legacy verifyHash path when typeof signature !== "string".) Without this, we regress valid callers.
Committable suggestion skipped: line range outside the PR's diff.
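The ordering the review comment above asks for (convert every accepted signature shape to hex, then apply the hex guard), as an added example that is not thirdweb's or ox's code. `guardAsInPr`, `routeSignature`, the `StructuredSig` shape and the 65-byte routing rule are assumptions made for illustration.

```typescript
// Added illustration. All names are hypothetical; this is not thirdweb's or ox's code.
type StructuredSig = { r: bigint; s: bigint; yParity: number };
type SignatureInput = string | Uint8Array | StructuredSig;
type Route = { path: "ecdsa-recover" | "contract-fallback" | "reject"; hex?: string };

const HEX_RE = /^0x[0-9a-fA-F]*$/;

// Model of the guard as written in the PR: anything that is not a hex string is refused.
function guardAsInPr(sig: SignatureInput): boolean {
  return typeof sig === "string" && HEX_RE.test(sig);
}

function bytesToHex(bytes: Uint8Array): string {
  return "0x" + Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Serialize {r, s, yParity} as r (32 bytes) || s (32 bytes) || v (27 or 28).
function structuredToHex(sig: StructuredSig): string {
  const word = (n: bigint): string => {
    const h = n.toString(16);
    if (n < BigInt(0) || h.length > 64) throw new RangeError("r/s out of range");
    return h.padStart(64, "0");
  };
  if (sig.yParity !== 0 && sig.yParity !== 1) throw new RangeError("bad yParity");
  return "0x" + word(sig.r) + word(sig.s) + (27 + sig.yParity).toString(16);
}

// Normalize first, then guard, then pick a verification path.
function routeSignature(sig: SignatureInput): Route {
  let hex: string;
  try {
    hex = typeof sig === "string" ? sig
      : sig instanceof Uint8Array ? bytesToHex(sig)
      : structuredToHex(sig);
  } catch {
    return { path: "reject" }; // malformed structured signature
  }
  if (!HEX_RE.test(hex)) return { path: "reject" };
  // Assumption: only a 65-byte value ("0x" + 130 hex chars) is tried with local
  // ECDSA recovery; any other hex goes to the existing contract verification.
  return { path: hex.length === 132 ? "ecdsa-recover" : "contract-fallback", hex };
}
```

With the PR's guard a 65-byte `Uint8Array` is refused outright, while the normalized route sends it to local recovery and sends longer hex blobs to the contract check instead of rejecting them.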
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #8141 +/- ##
=======================================
Coverage 56.28% 56.29%
=======================================
Files 906 906
Lines 59192 59208 +16
Branches 4174 4179 +5
=======================================
+ Hits 33316 33329 +13
- Misses 25771 25774 +3
Partials 105 105
PR-Codex overview
This PR introduces a patch for the thirdweb package, enhancing the verifyTypedData function to handle 7702 accounts by adding a signature verification process.
Detailed summary
- signature to ensure it is a valid hex format.
- messageHash using ox__Secp256k1.recoverAddress.
- address, returning true if they match.
Summary by CodeRabbit