feat: drop SIWE params in constructUrl (#214)

## Change Summary Drop SIWE params from `constructUrl` in relay. ## Merge Checklist _Choose all relevant options below by adding an `x` now or at any time before submitting for review_ - [x] PR title adheres to the [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) standard - [x] PR has a changeset - [x] PR has been tagged with a change label(s) (i.e. documentation, feature, bugfix, or chore) - [ ] PR includes documentation if necessary - [x] All commits have been signed
farcasterxyz · Aug 21, 2024 · 827053c · 827053c
1 parent fbf4471
commit 827053c
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 19 deletions.
diff --git a/.changeset/lovely-mangos-itch.md b/.changeset/lovely-mangos-itch.md
@@ -0,0 +1,5 @@
+---
+"@farcaster/auth-relay": patch
+---
+
+drop SIWE params in constructUrl
diff --git a/apps/relay/src/handlers.ts b/apps/relay/src/handlers.ts
@@ -46,8 +46,8 @@ export type RelaySession = {
   metadata: SessionMetadata;
 };
 
-const constructUrl = (channelToken: string, nonce: string, extraParams: CreateChannelRequest): string => {
-  const params = { channelToken, nonce, ...extraParams };
+const constructUrl = (channelToken: string): string => {
+  const params = { channelToken };
   const query = new URLSearchParams(params);
   return `${URL_BASE}?${query.toString()}`;
 };
@@ -57,7 +57,7 @@ export async function createChannel(request: FastifyRequest<{ Body: CreateChanne
   if (channel.isOk()) {
     const channelToken = channel.value;
     const nonce = request.body.nonce ?? generateNonce();
-    const url = constructUrl(channelToken, nonce, request.body);
+    const url = constructUrl(channelToken);
 
     const update = await request.channels.update(channelToken, {
       state: "pending",

diff --git a/apps/relay/src/server.test.ts b/apps/relay/src/server.test.ts
@@ -86,7 +86,7 @@ describe("relay server", () => {
       const expirationTime = "2023-12-31T00:00:00Z";
       const requestId = "some-request-id";
       const redirectUrl = "http://some-redirect-url";
-      const response = await http.post(getFullUrl("/v1/channel"), {
+      let response = await http.post(getFullUrl("/v1/channel"), {
         ...channelParams,
         nonce: customNonce,
         notBefore,
@@ -99,17 +99,25 @@ describe("relay server", () => {
       const { channelToken, url, connectUri, nonce, ...rest } = response.data;
       // parse query params from URI
       const params = new URLSearchParams(url.split("?")[1]);
-      expect(params.get("siweUri")).toBe(channelParams.siweUri);
-      expect(params.get("domain")).toBe(channelParams.domain);
-      expect(params.get("nonce")).toBe(customNonce);
-      expect(params.get("notBefore")).toBe(notBefore);
-      expect(params.get("expirationTime")).toBe(expirationTime);
-      expect(params.get("requestId")).toBe(requestId);
-      expect(params.get("redirectUrl")).toBe(redirectUrl);
+      expect(params.get("channelToken")).toBe(channelToken);
       expect(channelToken).toMatch(/[2-9A-HJ-NP-Z]{8}/);
       expect(nonce).toBe(customNonce);
       expect(url).toBe(connectUri);
       expect(rest).toStrictEqual({});
+
+      response = await http.get(getFullUrl("/v1/channel/status"), {
+        headers: { Authorization: `Bearer ${channelToken}` },
+      });
+
+      const siweParams = response.data.signatureParams;
+
+      expect(siweParams.siweUri).toBe(channelParams.siweUri);
+      expect(siweParams.domain).toBe(channelParams.domain);
+      expect(siweParams.nonce).toBe(customNonce);
+      expect(siweParams.notBefore).toBe(notBefore);
+      expect(siweParams.expirationTime).toBe(expirationTime);
+      expect(siweParams.requestId).toBe(requestId);
+      expect(siweParams.redirectUrl).toBe(redirectUrl);
     });
 
     test("validates extra SIWE parameters", async () => {

diff --git a/test/client/src/e2e.test.ts b/test/client/src/e2e.test.ts
@@ -61,29 +61,36 @@ describe("clients", () => {
 
       // 3. Auth client generates a sign in message
 
-      // 3a. Parse connect URI to get channel token and SIWE message params
-      const { channelToken: token, params } = walletClient.parseSignInURI({
+      // 3a. Parse connect URI to get channel token
+      const { channelToken: token } = walletClient.parseSignInURI({
         uri: url,
       });
       expect(token).toBe(channelToken);
 
-      expect(params.uri).toBe("https://example.com");
+      // 3b. Get signature params from channel
+      const {
+        data: { signatureParams: params },
+      } = await appClient.status({ channelToken });
+
+      expect(params.siweUri).toBe("https://example.com");
       expect(params.domain).toBe("example.com");
       expect(params.nonce).toBe("abcd1234");
 
-      // 3b. Build sign in message
+      const messageParams = { ...params, uri: params.siweUri };
+
+      // 3c. Build sign in message
       const { message: messageString } = walletClient.buildSignInMessage({
-        ...params,
+        ...messageParams,
         address: account.address,
         fid: 1,
       });
 
-      // 3c. Collect user signature
+      // 3d. Collect user signature
       const sig = await account.signMessage({
         message: messageString,
       });
 
-      // 3d. Look up userData
+      // 3e. Look up userData
       const userData = {
         fid: 1,
         username: "alice",
@@ -92,7 +99,7 @@ describe("clients", () => {
         pfpUrl: "https://example.com/alice.png",
       };
 
-      // 3e. Send back signed message
+      // 3f. Send back signed message
       const { response: authResponse } = await walletClient.authenticate({
         channelToken,
         authKey: "farcaster-connect-auth-key",