fix: properly manage RFC 3986 authority domain check (#2351)

* fix: properly manage `RFC 3986 authority domain` check ## PR overview Using the current regex expression only second level domains are accepted. However, that is not the way it is specified on RFC 3986. With the current implementation for instance all country code second-level domains (ccSLD) like domain.co.uk are not accepted. The fix allows multi-level domains. ### Detailed summary Changed `domainRegex` regex to allow multiple level domains. * Create rfc3986-authority-domain.md * Fix: Replace instead of adding * Update .changeset/rfc3986-authority-domain.md Co-authored-by: awkweb <tom@meagher.co> * test(siwe): sub/multi-level domains --------- Co-authored-by: awkweb <tom@meagher.co>
wevm · Jun 4, 2024 · 48e6d50 · 48e6d50
1 parent 8984eee
commit 48e6d50
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 1 deletion.
diff --git a/.changeset/rfc3986-authority-domain.md b/.changeset/rfc3986-authority-domain.md
@@ -0,0 +1,5 @@
+---
+"viem": patch
+---
+
+Fixed `createSiweMessage` domain check to be RFC 3986 compliant.
diff --git a/src/utils/siwe/createSiweMessage.test.ts b/src/utils/siwe/createSiweMessage.test.ts
@@ -32,6 +32,47 @@ test('default', () => {
   vi.useRealTimers()
 })
 
+test('parameters: domain', () => {
+  vi.useFakeTimers()
+  vi.setSystemTime(new Date(Date.UTC(2023, 1, 1)))
+
+  expect(
+    createSiweMessage({
+      ...message,
+      domain: 'foo.example.com',
+    }),
+  ).toMatchInlineSnapshot(`
+    "foo.example.com wants you to sign in with your Ethereum account:
+    0xA0Cf798816D4b9b9866b5330EEa46a18382f251e
+
+
+    URI: https://example.com/path
+    Version: 1
+    Chain ID: 1
+    Nonce: foobarbaz
+    Issued At: 2023-02-01T00:00:00.000Z"
+  `)
+
+  expect(
+    createSiweMessage({
+      ...message,
+      domain: 'example.co.uk',
+    }),
+  ).toMatchInlineSnapshot(`
+    "example.co.uk wants you to sign in with your Ethereum account:
+    0xA0Cf798816D4b9b9866b5330EEa46a18382f251e
+
+
+    URI: https://example.com/path
+    Version: 1
+    Chain ID: 1
+    Nonce: foobarbaz
+    Issued At: 2023-02-01T00:00:00.000Z"
+  `)
+
+  vi.useRealTimers()
+})
+
 test('parameters: scheme', () => {
   vi.useFakeTimers()
   vi.setSystemTime(new Date(Date.UTC(2023, 1, 1)))

diff --git a/src/utils/siwe/createSiweMessage.ts b/src/utils/siwe/createSiweMessage.ts
@@ -170,7 +170,7 @@ export function createSiweMessage(
 }
 
 const domainRegex =
-  /^([a-zA-Z0-9][-a-zA-Z0-9]{0,61}[a-zA-Z0-9])\.[a-zA-Z]{2,}(:[0-9]{1,5})?$/
+  /^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}(:[0-9]{1,5})?$/
 const ipRegex =
   /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(:[0-9]{1,5})?$/
 const localhostRegex = /^localhost(:[0-9]{1,5})?$/