From e95db1de5dd4eca3110e3f0b2e4bce8ab4fae875 Mon Sep 17 00:00:00 2001
From: maho0638 <104829390+maho0638@users.noreply.github.com>
Date: Fri, 29 May 2026 14:15:32 +0300
Subject: [PATCH] fix(signInWithEthereum): secure SIWE verification with domain/nonce validation in all examples

Replaced insecure `client.verifyMessage` with `verifySiweMessage` in 3 backend code examples to prevent cross-domain replay attacks. Added explicit `domain` and `nonce` validation as required by EIP-4361. This ensures that signatures are not only cryptographically valid but also intended for the correct application and not reused. Updates documentation to reflect the use of `verifySiweMessage` instead of `verifyMessage`. Part of #1502.
---
 .../core/capabilities/signInWithEthereum.mdx | 42 ++++++++++++-------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/docs/base-account/reference/core/capabilities/signInWithEthereum.mdx b/docs/base-account/reference/core/capabilities/signInWithEthereum.mdx
index ed5cf53fc..966b886b6 100644
--- a/docs/base-account/reference/core/capabilities/signInWithEthereum.mdx
+++ b/docs/base-account/reference/core/capabilities/signInWithEthereum.mdx
@@ -78,6 +78,7 @@ try {
 ```typescript Backend Verification
 import { createPublicClient, http } from 'viem';
 import { base } from 'viem/chains';
+import { verifySiweMessage } from 'viem/siwe';
 
 const client = createPublicClient({
 chain: base,
@@ -89,11 +90,15 @@ export async function verifyAuthentication(req, res) {
 
 try {
 // Verify the signature
- const isValid = await client.verifyMessage({
- address,
- message,
- signature
- });
+// Nonce'u mesajın içinden çıkarıyoruz
+const nonce = message.match(/Nonce: (\w+)/)?.[1];
+const { isValid } = await verifySiweMessage(client, {
+ address,
+ message,
+ signature,
+ domain: req.headers.host ?? 'yourapp.com',
+ nonce: nonce,
+});
 
 if (!isValid) {
 return res.status(401).json({
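Review bot: `const { isValid } = await verifySiweMessage(client, { … })` destructures a boolean — viem's `verifySiweMessage` resolves to `true`/`false`, not to an object — so `isValid` is always `undefined` and the `if (!isValid)` that follows rejects every login; the same line appears in the two later hunks (`verifyAuth` and the `app.post('/auth/verify', …)` handler) and the fix is the same in all three: `const isValid = await verifySiweMessage(client, {`. Two of the new parameters also do not bind anything: `domain: req.headers.host ?? 'yourapp.com'` takes the expected domain from the very request being verified, so it cannot constrain the requester and must instead be a server-side constant, e.g. `domain: SIWE_DOMAIN,` with `const SIWE_DOMAIN = 'yourapp.com';` defined once next to the client setup. Likewise `nonce` is parsed out of the signed message itself (`message.match(/Nonce: (\w+)/)?.[1]`) and then handed back as the expected nonce, so the comparison is the message against itself, and when the regex does not match, `nonce: undefined` appears to make the validator skip that comparison altogether. The expected nonce has to be the one the server issued for this session beforehand (`generateSiweNonce` from `viem/siwe` produces one) and should be consumed on success, which is what the `usedNonces` bookkeeping in the second example is reaching for. `verifyAuthentication` continues outside the hunk.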
@@ -172,11 +177,14 @@ export async function verifyAuth(req, res) {
 }
 
 // Verify signature
- const isValid = await client.verifyMessage({
- address,
- message,
- signature
- });
+// Nonce daha önce 'extractNonceFromMessage' ile çıkarılmıştı
+const { isValid } = await verifySiweMessage(client, {
+ address,
+ message,
+ signature,
+ domain: req.headers.host ?? 'yourapp.com',
+ nonce: nonce,
+});
 
 if (isValid) {
 usedNonces.add(nonce);
@@ -221,11 +229,15 @@ app.post('/auth/verify', async (req, res) => {
 }
 
 // Verify signature
- const valid = await client.verifyMessage({
- address,
- message,
- signature
- });
+// Nonce daha önce 'message.match' ile çıkarılmıştı
+const { isValid } = await verifySiweMessage(client, {
+ address,
+ message,
+ signature,
+ domain: req.headers.host ?? 'yourapp.com',
+ nonce: nonce,
+});
+const valid = isValid; // Eski kodla uyumlu olması için
 
 if (!valid) {
 return res.status(401).json({
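Review bot: The comments added in this hunk and in the two before it are in Turkish (`// Nonce daha önce 'message.match' ile çıkarılmıştı`, `// Eski kodla uyumlu olması için`) while the rest of the page is English reference documentation, so they should say in English what they mean, e.g. `// nonce was extracted from the message earlier via message.match`. The compatibility alias `const valid = isValid; // …` is unnecessary in an example that is being rewritten anyway: assign the result directly with `const valid = await verifySiweMessage(client, {` and drop the extra line and its comment. The removed lines appear to have been indented inside the `app.post` handler (marker followed by whitespace) whereas the added lines start at column 0, so the rendered snippet will read as if verification ran outside the handler — re-indent the added block to the level of the removed `const valid = await client.verifyMessage({`. The handler body continues past the end of the hunk.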