From 862a9d89dfca8c7cd3f1b19d059cdfc5803a8043 Mon Sep 17 00:00:00 2001
From: maho0638 <104829390+maho0638@users.noreply.github.com>
Date: Fri, 29 May 2026 15:07:28 +0300
Subject: [PATCH] fix(sign-in-with-base-button): secure NextAuth SIWE verification

Replaced verifyMessage with verifySiweMessage in NextAuth example to prevent cross-domain replay attacks.
---
 .../reference/ui-elements/sign-in-with-base-button.mdx | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/docs/base-account/reference/ui-elements/sign-in-with-base-button.mdx b/docs/base-account/reference/ui-elements/sign-in-with-base-button.mdx
index 03809c855..9e15cb56b 100644
--- a/docs/base-account/reference/ui-elements/sign-in-with-base-button.mdx
+++ b/docs/base-account/reference/ui-elements/sign-in-with-base-button.mdx
@@ -445,7 +445,7 @@ Below is an example of how to configure NextAuth to use Base Account as a creden
 import NextAuth from 'next-auth'
 import CredentialsProvider from 'next-auth/providers/credentials'
-import { verifyMessage } from 'viem'
+import { verifySiweMessage } from 'viem/siwe'
 
 export default NextAuth({
 providers: [
@@ -458,10 +458,14 @@ export default NextAuth({
 },
 async authorize(credentials) {
 try {
-const isValid = await verifyMessage({
+// Extract nonce from SIWE message for validation
+const nonce = credentials.message.match(/Nonce: (\w+)/)?.[1] || 'server-nonce';
+const { isValid } = await verifySiweMessage(client, {
 address: credentials.address,
 message: credentials.message,
 signature: credentials.signature,
+domain: 'yourapp.com', // In production: req.headers.host
+nonce: nonce,
 });
 if (isValid) {
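Review bot: The new import of `verifySiweMessage` from 'viem/siwe' is not enough on its own, because that action takes a viem public client as its first argument and this import hunk adds no client construction, so the `client` the following hunk passes to it is never defined in the example. Add `import { createPublicClient, http } from 'viem'` and `import { base } from 'viem/chains'` next to this line, and build the client once before `NextAuth({ ... })` with `const client = createPublicClient({ chain: base, transport: http() });`. In viem this action resolves to a plain boolean rather than an object, so the `const { isValid } = await verifySiweMessage(...)` destructuring in the next hunk would leave `isValid` undefined and reject every sign-in; worth confirming against the viem version the docs target. The nonce check in that hunk also extracts the nonce from the client-supplied message and falls back to a constant, which only verifies the message against itself; the `nonce` passed here should be the value the server issued and stored for this session so a captured message cannot be replayed. The `authorize` body in the second hunk continues past the end of the patch shown.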