From da84ae2a123c069c7b9550f2294754e76903c029 Mon Sep 17 00:00:00 2001
From: maho0638 <104829390+maho0638@users.noreply.github.com>
Date: Fri, 29 May 2026 14:56:39 +0300
Subject: [PATCH] fix(wagmi): secure SIWE verification with domain validation

Replaced client.verifyMessage with verifySiweMessage to prevent cross-domain replay attacks.
---
 .../wagmi/sign-in-with-base.mdx | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/docs/base-account/framework-integrations/wagmi/sign-in-with-base.mdx b/docs/base-account/framework-integrations/wagmi/sign-in-with-base.mdx
index 48fef435a..dd4900f08 100644
--- a/docs/base-account/framework-integrations/wagmi/sign-in-with-base.mdx
+++ b/docs/base-account/framework-integrations/wagmi/sign-in-with-base.mdx
@@ -125,13 +125,21 @@ export function SignInWithBase() {
 ```
 ```ts Backend (Viem)
 import { createPublicClient, http } from 'viem';
+import { verifySiweMessage } from 'viem/siwe';
 import { base } from 'viem/chains';
 const client = createPublicClient({ chain: base, transport: http() });
 export async function verifySig(req, res) {
 const { address, message, signature } = req.body;
- const valid = await client.verifyMessage({ address, message, signature });
+ const { isValid } = await verifySiweMessage(client, {
+ address,
+ message,
+ signature,
+ domain: req.headers.host ?? 'yourapp.com',
+ nonce: req.body.nonce || 'server-nonce',
+});
+const valid = isValid;
 if (!valid) return res.status(401).json({ error: 'Invalid signature' });
 // create session / JWT
 res.json({ ok: true });
@@ -210,4 +218,4 @@ export function SignInButton() {
 If you intend on using the `SignInWithBaseButton`, please follow the [Brand Guidelines](/base-account/reference/ui-elements/brand-guidelines) to ensure consistency across your application.
-
\ No newline at end of file
+
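Review bot: In the first hunk, the expected `domain` and `nonce` passed to `verifySiweMessage` both come from the request being verified (`req.headers.host` and `req.body.nonce`), so the caller chooses the values its own message is checked against and the replay protection named in the commit message is not actually enforced. The domain should come from server configuration and the nonce from what the server issued and stored for this session, invalidated after one use, e.g. `domain: EXPECTED_DOMAIN,` and `nonce: issuedNonce,` (both placeholder names). The literal fallbacks `'yourapp.com'` and `'server-nonce'` should be dropped so that a missing value fails the request instead of matching a constant. Separately, viem documents `verifySiweMessage` as resolving to a boolean, so `const { isValid } = await verifySiweMessage(...)` would leave `isValid` undefined and every sign-in would get the 401; `const valid = await verifySiweMessage(client, { ... });` avoids that, which is worth confirming against the viem version these docs target. `verifySig` closes outside the hunk.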