Comments (2)
herzog0
commented on August 21, 2024
I've downloaded your code and searched a bit, and I've come to the conclusion that tampering can't be detected solely looking at the combo signature+message, the expect public key has to be there too for a true verification, right?
The problem in my case is that I don't have the user's public key prior to their signing up in my platform. I wonder however if a little trick could be done so that it is almost impossible for someone to be tampering the message, which is to generate two tokens instead of one in the browser, each token having a different signature+message pair.
This way, in the backend, I can check that the public addresses recovered from the tokens are the same, therefore those tokens MUST have been generated by the same private key and, therefore, the likelihood of the bodies having been tampered is almost zero.
Do you think this is a good approach?
from web3-token.
dvartic
commented on August 21, 2024
I think in the current implementation you should check address against expected address to avoid any potential unwanted behaviour.
from web3-token.
Related Issues (20)
- Import UMD in browser
- Is there any way to make this smaller? HOT 3
- Future Solana Support?
- About JAVA Backend support
- Renew expired token without metamask - aka JWT refresh token HOT 2
- Invalid `domain` although it should be valid HOT 3
- Use `new URL()` instead of regex in isUrl()
- Incorrect type for verify() output HOT 1
- Time always 1days HOT 1
- Property 'domain' of type 'string | undefined' is not assignable to 'string' index type 'string | string[] HOT 2
- Unable to execute verify function HOT 5
- rebase origin code
- rebase origin code
- Unable to retrieve nonce in the token verification HOT 4
- Feature request: Export decrypt function HOT 3
- MetaMask announced - it is compatible with EIP-4361 HOT 1
- Number can only safely store up to 53 bits HOT 1
- Add nonce check in verify function HOT 2
- SIWE message HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from web3-token.