Page MenuHomePhabricator

[native] Don't allow using cached SIWE signature if nonce is expired
ClosedPublic

Authored by ashoat on May 12 2024, 7:32 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 7, 10:18 PM
Unknown Object (File)
Sun, Nov 3, 5:38 AM
Unknown Object (File)
Oct 12 2024, 2:56 PM
Unknown Object (File)
Oct 12 2024, 2:56 PM
Unknown Object (File)
Oct 12 2024, 2:55 PM
Unknown Object (File)
Oct 12 2024, 2:55 PM
Unknown Object (File)
Sep 5 2024, 10:18 PM
Unknown Object (File)
Aug 29 2024, 6:36 PM
Subscribers

Details

Summary

If the nonce used for SIWE will be rejected by the relevant backend (authoritative keyserver or identity service, depending on usingCommServicesAccessToken) due to expiration, then we should force the user to generate a new SIWE signature.

Would normally put @varun on the review here, but going to ask @inka instead because he is out.

Depends on D12007

Test Plan

I tested (or will test) this diff stack as follows:

  1. Be in a multi-keyserver environment, testing SIWE with iOS simulator
  2. Do a SIWE and then wait 2 minutes to let the nonce expire in the following screens:
    • FullscreenSIWEPanel for an account that doesn't exist yet when the new registration flow is disabled
    • FullscreenSIWEPanel for an account that doesn't exist yet when the new registration flow is enabled
    • FullscreenSIWEPanel for an account that does exist
    • New registration flow for an account that doesn't exist yet (RegistrationTerms)
    • New registration flow for an account that does exist (ExistingEthereumAccount)
  3. Make sure there are no duplicate Alerts, that in all cases an Alert is shown, and that the "back" action activates when the user confirms the Alert

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

native/account/registration/connect-ethereum.react.js
224–231 ↗(On Diff #40101)

Are we sure this effect will be triggered when the nonce becomes expired?

native/account/registration/connect-ethereum.react.js
224–231 ↗(On Diff #40101)

It's not very important, to be honest. I added the effect for "correctness", but the important thing is that every place we use cachedSelections.ethereumAccount (just here and in D12007), we check if the nonce is expired before we use it.

I added the effect because I figured it's better to clear the expired SIWE state than to have invalid state lying around. But since we check it at all places we use it, there is no risk in the expired SIWE state being there.

This revision is now accepted and ready to land.May 13 2024, 7:12 AM