From dc2b85b8177f566e857cd30c210cd65215a37f58 Mon Sep 17 00:00:00 2001
From: maho0638 <104829390+maho0638@users.noreply.github.com>
Date: Fri, 29 May 2026 14:47:36 +0300
Subject: [PATCH] fix(privy): secure SIWE verification in authentication.mdx

Replaced client.verifyMessage with verifySiweMessage to prevent cross-domain replay attacks. Added domain and nonce validation.
---
 .../privy/authentication.mdx | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/docs/base-account/framework-integrations/privy/authentication.mdx b/docs/base-account/framework-integrations/privy/authentication.mdx
index 4fac05f7c..49c92fcd2 100644
--- a/docs/base-account/framework-integrations/privy/authentication.mdx
+++ b/docs/base-account/framework-integrations/privy/authentication.mdx
@@ -212,6 +212,7 @@ export async function GET() {
 import { NextRequest, NextResponse } from 'next/server';
 import { createPublicClient, http } from 'viem';
 import { base } from 'viem/chains';
+import { verifySiweMessage } from 'viem/siwe';
 import { nonceStore } from '@/lib/nonce-store';
 
 const client = createPublicClient({
@@ -233,12 +234,15 @@ export async function POST(request: NextRequest) {
 );
 }
 
- // Verify signature using viem
- const valid = await client.verifyMessage({
- address: address as `0x${string}`,
- message,
- signature: signature as `0x${string}`
+ // Verify signature using viem with SIWE validation
+ const { isValid } = await verifySiweMessage(client, {
+ address: address as `0x${string}`,
+ message,
+ signature: signature as `0x${string}`,
+ domain: request.headers.get('host') ?? 'yourapp.com',
+ nonce: nonce,
 });
+ const valid = isValid;
 
 if (!valid) {
 return NextResponse.json(
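Review bot: `const { isValid } = await verifySiweMessage(client, { ... })` in the second hunk destructures a boolean — viem's `verifySiweMessage` resolves to `true`/`false` rather than an object (worth confirming against the pinned viem version) — so `isValid` is `undefined`, `valid` is always falsy and every sign-in is rejected; it should read `const valid = await verifySiweMessage(client, { ... });` with the trailing `const valid = isValid;` dropped. `domain: request.headers.get('host') ?? 'yourapp.com'` also undercuts the domain binding the commit sets out to add: the request supplies the value it is then checked against, and when the header is absent a message bound to the placeholder `'yourapp.com'` is accepted; the expected domain belongs in server configuration, e.g. `domain: EXPECTED_SIWE_DOMAIN, // configured app origin, never read from the request`, where `EXPECTED_SIWE_DOMAIN` stands for whatever setting the app already holds its origin in. Where `nonce` comes from and whether the handler removes it from `nonceStore` after a successful check is not visible here — the POST handler starts and ends outside the hunk — but a nonce that is not consumed on use still leaves the signed message replayable against the same domain.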