From 48e6d50cae738e55869758cb25c52b2244069f09 Mon Sep 17 00:00:00 2001
From: agsola
Date: Tue, 4 Jun 2024 18:30:05 +0200
Subject: [PATCH] fix: properly manage `RFC 3986 authority domain` check (#2351)

* fix: properly manage `RFC 3986 authority domain` check

## PR overview

Using the current regex expression only second level domains are accepted. However, that is not the way it is specified on RFC 3986. With the current implementation for instance all country code second-level domains (ccSLD) like domain.co.uk are not accepted. The fix allows multi-level domains.

### Detailed summary

Changed `domainRegex` regex to allow multiple level domains.

* Create rfc3986-authority-domain.md
* Fix: Replace instead of adding
* Update .changeset/rfc3986-authority-domain.md

Co-authored-by: awkweb

* test(siwe): sub/multi-level domains

---------

Co-authored-by: awkweb
---
 .changeset/rfc3986-authority-domain.md | 5 +++
 src/utils/siwe/createSiweMessage.test.ts | 41 ++++++++++++++++++++++++
 src/utils/siwe/createSiweMessage.ts | 2 +-
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/rfc3986-authority-domain.md

diff --git a/.changeset/rfc3986-authority-domain.md b/.changeset/rfc3986-authority-domain.md
new file mode 100644
index 0000000000..a2387965c1
--- /dev/null
+++ b/.changeset/rfc3986-authority-domain.md
@@ -0,0 +1,5 @@
+---
+"viem": patch
+---
+
+Fixed `createSiweMessage` domain check to be RFC 3986 compliant.
diff --git a/src/utils/siwe/createSiweMessage.test.ts b/src/utils/siwe/createSiweMessage.test.ts
index 0da4dde547..eb5f7517c8 100644
--- a/src/utils/siwe/createSiweMessage.test.ts
+++ b/src/utils/siwe/createSiweMessage.test.ts
@@ -32,6 +32,47 @@ test('default', () => {
 vi.useRealTimers()
 })
 
+test('parameters: domain', () => {
+ vi.useFakeTimers()
+ vi.setSystemTime(new Date(Date.UTC(2023, 1, 1)))
+
+ expect(
+ createSiweMessage({
+ ...message,
+ domain: 'foo.example.com',
+ }),
+ ).toMatchInlineSnapshot(`
+ "foo.example.com wants you to sign in with your Ethereum account:
+ 0xA0Cf798816D4b9b9866b5330EEa46a18382f251e
+
+
+ URI: https://example.com/path
+ Version: 1
+ Chain ID: 1
+ Nonce: foobarbaz
+ Issued At: 2023-02-01T00:00:00.000Z"
+ `)
+
+ expect(
+ createSiweMessage({
+ ...message,
+ domain: 'example.co.uk',
+ }),
+ ).toMatchInlineSnapshot(`
+ "example.co.uk wants you to sign in with your Ethereum account:
+ 0xA0Cf798816D4b9b9866b5330EEa46a18382f251e
+
+
+ URI: https://example.com/path
+ Version: 1
+ Chain ID: 1
+ Nonce: foobarbaz
+ Issued At: 2023-02-01T00:00:00.000Z"
+ `)
+
+ vi.useRealTimers()
+})
+
 test('parameters: scheme', () => {
 vi.useFakeTimers()
 vi.setSystemTime(new Date(Date.UTC(2023, 1, 1)))
diff --git a/src/utils/siwe/createSiweMessage.ts b/src/utils/siwe/createSiweMessage.ts
index f1b6a20319..cda7c2b30e 100644
--- a/src/utils/siwe/createSiweMessage.ts
+++ b/src/utils/siwe/createSiweMessage.ts
@@ -170,7 +170,7 @@ export function createSiweMessage(
 }
 const domainRegex =
- /^([a-zA-Z0-9][-a-zA-Z0-9]{0,61}[a-zA-Z0-9])\.[a-zA-Z]{2,}(:[0-9]{1,5})?$/
+ /^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}(:[0-9]{1,5})?$/
 const ipRegex =
 /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(:[0-9]{1,5})?$/
 const localhostRegex = /^localhost(:[0-9]{1,5})?$/
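Review bot: The new `parameters: domain` test only pins that `foo.example.com` and `example.co.uk` are accepted; nothing in it pins what the widened `domainRegex` in createSiweMessage.ts (same commit) still rejects, so a later loosening of the pattern would pass this suite unnoticed even though the domain is the field a SIWE verifier binds the signature to. Add rejection cases next to the two snapshots, e.g. `expect(() => createSiweMessage({ ...message, domain: 'foo..example.com' })).toThrow()`, and the same for a label starting or ending with a hyphen (`-foo.example.com`, `foo-.example.com`), a trailing dot (`example.com.`) and a 64-character label, each of which the new `[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?` label group is meant to refuse; this assumes the check that consumes the regex throws on mismatch, which is outside the hunk. A positive case for a port on a multi-level domain (`example.co.uk:8080`) and for the plain two-label `example.com` would also be worth keeping here, since those are the shapes the old pattern already covered and the regression to guard. The `parameters: scheme` test that follows starts in the hunk and continues past it.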