Just a heads up, I had to fork this packaged because the latest version on the package hasn’t been built / published just yet. This is was needed because the readme does not reflect what in the current available version on npm ;)

Thanks for your great work, love the package!

Hello,
For some reasons, a few users of my app are facing an issue while verifying their tokens.
As an example, this token eyJzaWduYXR1cmUiOiIweDAwMDUwMTAyMTE3YzhhYzQ5OWE1MDc0YjYxNWU0ZGIyNjk0Y2I0OWU4ZDRhNWI1ODAwMDIzOTRlNWVjNThlMWJkY2U0NTFjNmFiYTA2MTNkMmZkMmFmMzg1OGZiYTVhMTgxNGU4MDYxNzVmOGVkYWRiZWVhM2U4ZDgxM2Y1N2Y0NzEyYmRmMGQ3YTE3MGE5MjAzZDdmZmMwMTkyZGFhYTU4ZjVjYmVkNjcyMDEzMzJlMzIyNDFjMDIwMTAyMmYwYzNlMzg5ZTMwMjY4NDM4MjhkYmZiZTRiYmNjYjBkZGQ1OGYxNDAyMDM1OTZhZjkwY2VjZGJmOWE3Njg4ODZlNzcxMTc4ZmQ1NTYxZGQyN2FiMDA1ZDAwMDEwMDAxN2JhYzAyMjA5NDk0ZmQ4ZjAxNTdlZDNhYmZlYmZlMzYzN2MwOGNiNjFhYWJhZThjNGNhNGE4NzlhNDNkZjdkODA3ODgxMzQ2MzlmNmQyOGY5MWJhNjM4NzE0YjJjYWNhZjhjYjUwMDkyMzNjNzg1YmVkZTk4YzE5OGQ0NTIzNGMxYzAyMDEwMWM1MGFkZWFkYjdmZTE1YmVlNDVkY2I4MjA2MTBjZGVkY2QzMTRlYjAwMzAwMDM4MWNlMGIwYzhlYTcyY2ZmMjQyNzc1OWFjNWNmYjViZThjYTZmNWY0ZGRmMzYxNTAzOTA1NDRiM2NmN2RlNjZjNDFjZTY1NjYwZDVkMTk0MDZlMjA0NmE0NThkNmQ2ZGNhOTU0NWMxNWQzOTMyZjYwMDBkYWYwN2YxOWViZTQwNTFiMDIiLCJib2R5IjoiZ29wb3BtZS52ZXJjZWwuYXBwIHdhbnRzIHlvdSB0byBzaWduIGluIHdpdGggeW91ciBFdGhlcmV1bSBhY2NvdW50LlxuXG5BdXRoZW50aWNhdGluZyBteXNlbGYgKDB4MTcxQjY4Zjk5ODllZDc0NGQwYTI1M2Q0Njc4OWQzNDQ0NEYxYTY3MSkgdG8gYWNjZXNzIEdvIFBvcCBNZS5cblxuVVJJOiBodHRwczovL3Rva2VuLmdvcG9wLm1lL1xuV2ViMyBUb2tlbiBWZXJzaW9uOiAyXG5Jc3N1ZWQgQXQ6IDIwMjMtMDUtMjVUMTA6MTA6MDcuNDQ4WlxuRXhwaXJhdGlvbiBUaW1lOiAyMDIzLTA1LTI3VDEwOjEwOjA3LjQ0OFoifQ (which is being generated through my frontend using web3token) returns an Number can only safely store up to 53 bits error message when being verified.

What is causing that?

Thanks

You have some eslint errors:

error: Unnecessary escape character: \- (no-useless-escape) at src/lib/sign/sign.js:5:130:
  3 |
  4 | function isDomain(val) {
> 5 |   const domain_regex = /^(?!(https:\/\/|http:\/\/|www\.|mailto:|smtp:|ftp:\/\/|ftps:\/\/))(((([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,86}[a-zA-Z0-9]))\.(([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,73}[a-zA-Z0-9]))\.(([a-zA-Z0-9]{2,12}\.[a-zA-Z0-9]{2,12})|([a-zA-Z0-9]{2,25})))|((([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,162}[a-zA-Z0-9]))\.(([a-zA-Z0-9]{2,12}\.[a-zA-Z0-9]{2,12})|([a-zA-Z0-9]{2,25}))))$/g;
    |                                                                                                                                  ^
  6 |   return domain_regex.test(val);
  7 | }
  8 |


error: Unnecessary escape character: \- (no-useless-escape) at src/lib/sign/sign.js:5:191:
  3 |
  4 | function isDomain(val) {
> 5 |   const domain_regex = /^(?!(https:\/\/|http:\/\/|www\.|mailto:|smtp:|ftp:\/\/|ftps:\/\/))(((([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,86}[a-zA-Z0-9]))\.(([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,73}[a-zA-Z0-9]))\.(([a-zA-Z0-9]{2,12}\.[a-zA-Z0-9]{2,12})|([a-zA-Z0-9]{2,25})))|((([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,162}[a-zA-Z0-9]))\.(([a-zA-Z0-9]{2,12}\.[a-zA-Z0-9]{2,12})|([a-zA-Z0-9]{2,25}))))$/g;
    |                                                                                                                                                                                               ^
  6 |   return domain_regex.test(val);
  7 | }
  8 |


error: Unnecessary escape character: \- (no-useless-escape) at src/lib/sign/sign.js:5:315:
  3 |
  4 | function isDomain(val) {
> 5 |   const domain_regex = /^(?!(https:\/\/|http:\/\/|www\.|mailto:|smtp:|ftp:\/\/|ftps:\/\/))(((([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,86}[a-zA-Z0-9]))\.(([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,73}[a-zA-Z0-9]))\.(([a-zA-Z0-9]{2,12}\.[a-zA-Z0-9]{2,12})|([a-zA-Z0-9]{2,25})))|((([a-zA-Z0-9])|([a-zA-Z0-9][a-zA-Z0-9\-]{0,162}[a-zA-Z0-9]))\.(([a-zA-Z0-9]{2,12}\.[a-zA-Z0-9]{2,12})|([a-zA-Z0-9]{2,25}))))$/g;
    |                                                                                                                                                                                                                                                                                                                           ^
  6 |   return domain_regex.test(val);
  7 | }
  8 |


error: Unexpected negating the left operand of 'instanceof' operator (no-unsafe-negation) at src/lib/sign/sign.js:72:32:
  70 |   }
  71 |
> 72 |   if(params.expiration_time && !params.expiration_time instanceof Date) {
     |                                ^
  73 |     throw new Error('expiration_time must be an instance of Date');
  74 |   }
  75 |


error: Unexpected negating the left operand of 'instanceof' operator (no-unsafe-negation) at src/lib/sign/sign.js:76:27:
  74 |   }
  75 |
> 76 |   if(params.not_before && !params.expiration_time instanceof Date) {
     |                           ^
  77 |     throw new Error('expiration_time must be an instance of Date');
  78 |   }
  79 | };


error: 'signature' is assigned a value but never used (no-unused-vars) at src/lib/verify/verify.js:69:35:
  67 | export const verify = (token, params = {}) => {
  68 |
> 69 |   const { version, address, body, signature } = decrypt(token);
     |                                   ^
  70 |
  71 |   if(version === 1) {
  72 |     throw new Error('Tokens version 1 are not supported by the current version of module')


error: 'Web3' is not defined (no-undef) at src/main.js:6:20:
  4 |
  5 |   // Connection to MetaMask wallet
> 6 |   const web3 = new Web3(ethereum);
    |                    ^
  7 |   await ethereum.request({ method: 'eth_requestAccounts'});
  8 |
  9 |   // getting address from which we will sign message


error: 'ethereum' is not defined (no-undef) at src/main.js:6:25:
  4 |
  5 |   // Connection to MetaMask wallet
> 6 |   const web3 = new Web3(ethereum);
    |                         ^
  7 |   await ethereum.request({ method: 'eth_requestAccounts'});
  8 |
  9 |   // getting address from which we will sign message


error: 'ethereum' is not defined (no-undef) at src/main.js:7:9:
   5 |   // Connection to MetaMask wallet
   6 |   const web3 = new Web3(ethereum);
>  7 |   await ethereum.request({ method: 'eth_requestAccounts'});
     |         ^
   8 |
   9 |   // getting address from which we will sign message
  10 |   const your_address = (await web3.eth.getAccounts())[0];

Hello @bytesbay,

First of all, Appreciated your idea and work!

The Issue:

I'm thinking if the hacker has access to a token (even expired ones) and he tries to decode the signature by looking at verify.js code you have and gets the signature. now he can set a new expiry date the way you did it in sign.js of course it is not possible to set expiry through the package but he can do it with his own code(since I believe, there's no jwt secret involved to encode). Then he can send this token to backend API which in turn gets validated by API(since it will never expire if he's greedy). won't this be a problem? or am I missing something? I think there should be a way to encode and decode messages with a secret. No?

@bytesbay thoughts?

Your regex doesn't handle longer domain names like AWS can give.

For instance, the domain example.s3-website.us-east-1.amazonaws.com isn't considered valid although this is something which is perfectly possible in the real world.

I suggest you should use a package for this validation instead: https://www.npmjs.com/package/is-valid-domain for instance.

In a NextJS 12.0.4 app using Typescript, I am getting npm run build errors when I import the package like this:

import Web3Token from "web3-token";

The error:

Failed to compile.

./components/providers/Modal.tsx:125:23
Type error: 'Web3Token' only refers to a type, but is being used as a value here.

  123 |       });
  124 |       if (!token) {
> 125 |         token = await Web3Token.sign(
      |                       ^

Please advise.

The EIP4361 spec pretty much standardises what this library is somewhat doing. Any plans to make some super tiny changes to be in exact accordance to the spec?

MetaMask is now compatible with EIP-4361, aka Sign In with Ethereum!
see https://twitter.com/MetaMask/status/1639028559162511360

The verify() function isn't a promise but you are using await with it everywhere. Is it a mistake or to be future-proof? Or to be consistent with await sign()?

Because of that I get a warning:

'await' has no effect on the type of this expression.

Hi!
I was doing some tests to understand what would occur if the body of the message had been tampered and the attacker provided the same signature to the verify function. This snippet illustrates the basics of the attempt:

const token = String(req.header("Authorization"))
const { signature, body } = JSON.parse(Buffer.from(token, "base64").toString())
const tamperedBody = body + "X"

const tamperedToken = Base64.encode(JSON.stringify({
    signature,
    body: tamperedBody,
}))

const { address } = Web3Token.verify(tamperedToken)

console.log("Didn't brake, address is " + address)

And, unfortunately, no exception is thrown. Also, what I find the most confusing part, an actual address is recovered from the payload! Fortunately it is not the same address that signed the message, but still, a valid address.
Am I missing something regarding web3 signatures? Isn't the whole point of signatures to guarantee that a given payload hasn't been tampered?

Is it possible to prepend a custom message similar to OpenSea?

I know you can append a message but it would be nice to add a custom message first informing the user what they are signing..

This line doesn't work. You can access it with window['web3-token'] though.

Here is the CDN link I use: https://cdn.jsdelivr.net/npm/[email protected]/dist/web3-token.umd.min.js

I'm trying to run unit tests for my API on the server-side. But I get:

window is not defined

I believe you tried to check if the window object exists here with the optional chaining operator.

But it doesn't work like that. You should check with typeof window === 'undefined' instead.

If you do that, the lib will entirely work both on Node.js and in the browser.

Would it be possible to export the decrypt function?

I'd like to be able to decrypt the token even when verification fails.

If this sounds ok to you then I can provide a PR.

Thanks!

Hello to @bytesbay
_We are using web3-token all the way since our team trying to do authenticate user on block chain in our project ,witch is a grate job!!,we'v tried nodejs backend excmaple code await Web3Token.verify(token); witch is useful, very convenient to do verify in nodejs backend environment, but in these days we wish to do something like "Web3Token.verify(token)" in JAVA .

it's becuse when we'r using await Web3Token.sign(msg => web3.eth.personal.sign(msg, address), '1d'); token from here could verify with await Web3Token.verify(token); witch is nodejs backend, but doesn't work with WEB3J in JAVA,we tried using token from web3.eth.personal.sign(msg, address) here & send this token to JAVA backend with WEB3J, it's works fine in many wallet excepet "imtoken" wallet, but if i'm using await Web3Token.sign(msg => web3.eth.personal.sign(msg, address), '1d'); to await Web3Token.verify(token); in nodejs backend with "imtoken" wallet, it will going very well, Considering my colleagues are using Java to buildding backend verify serve,is there any similar way to do verify in JAVA like await Web3Token.verify(token); in nodejs environment?

if you got any idea please tell us below ,it's fire bunning_

=====================================
ok it's solved it's a funny issue, ImToken make all charactors in wallet address string are UPPERCASE... so ... you know... this is how it happend

Hi,

I am trying to use this to replace a JWT flow.

i was wondering what options we have to automatically refresh a token using some kind of refresh token ?

so we can safely expire these tokens BUT we can re-create them without user interaction..

This is pretty much a similar flow to JWT with refresh tokens.

Has anybody figured this out yet ?

Or maybe its not needed ?

Thanks in advance

Hi there,

I am trying out your example but get this console error.:

Howto reproduce:

• create a react app with vite or a svelte app
• add package with yarn add web3-token
• implement a button and use your example code

import Web3Token from 'web3-token';
...
  const onClick = useCallback(async () => {
    const web3 = new Web3(ethereum);
    await ethereum.enable();
    
    // getting address from which we will sign message
    const address = (await web3.eth.getAccounts())[0];

    // generating a token with 1 day of expiration time
    const token = await Web3Token.sign(msg => web3.eth.personal.sign(msg, address), '1d');
  }, [])

This adds quite a lot of size to a webpack bundle.

webpack production run results:

Any suggestions?

Hi!
The verify() function returns an uppercase version of the Ethereum address, but this uppercase version is not a valid address anymore.
Is there a way to fix this, I would love to help 👍

You have access to an API which is very well-written and useful, which will throw an error if a string is not a valid URL. I think you should use this instead of a random regex found on the web.

The expiration fields in the sign function is expiration-time, but in the verify function, you are checking the expiration-date field.

Link code:

• The sign function
• The verify function

My code look like this :

const localToken = await web3Token.sign(
  (msg) => signer.signMessage(msg, account),
  {
    statement: rawMessage,
    expire_in: "1m",
  }
);

I try many things for the expire_in params but every time the message saiys that the token expire in 1 day

Are there any plans to support Solana? I would be willing to contribute.

The actual output object looks like this:

{
  address: string;
  body: {
    "expiration-time": string;
    "issued-at": string;
    "nonce": string;
    "uri": string;
    "web3-token-version": string;
  }
}

But the type defined is this:

The problem is VerifyBody doesn't have those fields mentioned above. I think having another type for verifying result is reasonable (probably as VerifyResult).

Hi,
how about using the ethers package to verify instead of ethereumjs-util. There are several benefits IMO ...

• reduce package size and possible increase the performance
• increase security because of reducing the amount of packages - ethers is already use for testing

best regards

This test does not pass, you are missing a toThrowError().

Let's assume that there are two websites using web3-token:

• website1 which is under my control
• website2 which is under my competitors control.

What stops me from performing the following scenario?

1. A user logs into my website1 and sends it into my server.
2. My server makes a request to website2 using the valid user's token created for my website1.
3. Since I now have access to the website2 as the user I can steal confidential data.
4. user have no way of knowing about this attack unless website2 sends some notifications about for example new ip address being used.
5. website2 also has no way of knowing about this attack since the token is freshly signed valid.

Hey @bytesbay, I like web3-token very much, and I am using it, would you consider adding a nonce check in verify, if the nonce is incorrect, verify will fail.

I get the following error during compile time

node_modules/web3-token/dist/web3-token.d.ts:7:31 - error TS2307: Cannot find module './lib/interfaces' or its corresponding type declarations.

7         sign: (signer: import("./lib/interfaces").Signer, opts?: string | import("./lib/interfaces").SignOpts) => Promise<string>;
                                ~~~~~~~~~~~~~~~~~~

node_modules/web3-token/dist/web3-token.d.ts:7:82 - error TS2307: Cannot find module './lib/interfaces' or its corresponding type declarations.

7         sign: (signer: import("./lib/interfaces").Signer, opts?: string | import("./lib/interfaces").SignOpts) => Promise<string>;
                                                                                   ~~~~~~~~~~~~~~~~~~

node_modules/web3-token/dist/web3-token.d.ts:8:47 - error TS2307: Cannot find module './lib/interfaces' or its corresponding type declarations.

8         verify: (token: string, opts?: import("./lib/interfaces").VerifyOpts) => {
                                                ~~~~~~~~~~~~~~~~~~

node_modules/web3-token/dist/web3-token.d.ts:10:26 - error TS2307: Cannot find module './lib/interfaces' or its corresponding type declarations.

10             body: import("./lib/interfaces").DecryptedBody;
                            ~~~~~~~~~~~~~~~~~~


Found 4 errors in the same file, starting at: node_modules/web3-token/dist/web3-token.d.ts:7

source code:

export async function authorize(token) {
    try {

        const { address, body } = await verify(token);

        return {};
    } catch (e) {
        // eslint-disable-next-line no-console
        return null;
    }
}

package.json

  "name": "",
  "version": "1.0.0",
  "description": "",
  "scripts": {
    "build": "tsc",
    "watch": "tsc -w",
    "prestart": "npm run build",
    "start": "func start",
    "test": "echo \"No tests yet...\""
  },
  "dependencies": {
    "@moralisweb3/streams-typings": "^1.0.5",
    "ethers": "^5.7.1",
    "i": "^0.3.7",
    "npm": "^8.19.2",
    "web3-token": "^1.0.2"
  },
  "devDependencies": {
    "@azure/functions": "^3.0.0",
    "typescript": "^4.0.0"
  }
}

Hi, I've put in the nonce and request_id during the Web3Token.sign, but the nonce and the request_id was not returned during Web3Token.verify. Any ideas on how to solve this?

Hi, I get the errors

Property 'domain' of type 'string | undefined' is not assignable to 'string' index type 'string | string[]'
Property 'statement' of type 'string | undefined' is not assignable to 'string' index type 'string | string[]'

in Angular 13 when I use

const token = await sign( (msg) => web3.eth.personal.sign(msg, address,""), '1d');

now it would be advisable to add undefined in the VerifyBody interface of the web3-token.d.ts file in line 15 ?

Result:

interface VerifyBody extends Record<string, string | string[] | undefined> {

I've tried to add SIWE format to the message but it's not working well with the library.
Is there any workaround or willing to add this feature in the future?
https://docs.metamask.io/wallet/how-to/sign-data/siwe/