eth-sign

A wrapper for performing eth based sign and verify (client and server side).

Notes

When providing a message to sign, you should explain "why they need to sign, and what will happen"

For example:

Hi there from {firstName}! Press "Sign this message" to prove you have access to this wallet and we’ll log you in. This won’t cost you anything! To scuttle the plans of would-be wrong doers, here’s a one time message that is hard to guess (no need to save this): d458fa15-dcab-4d85-a477–004d6febca12

What this message does:

• Addresses the user
• Uses human language, no jargon
• Reiterates who the message is from
• Asks them to sign and explains what they’re signing
• Sets expectations and frames the message in terms of their goal: “by doing this you’ll be logged in”
• Explains why
• Makes it clear it’s not financial
• Includes the nonce for security purposes
• Or in other words… when faced with this message, your user understands what they need to do, why they need to do it and what will happen next.

ClientSide (UI) TLDR;

Provide user actions, to connect a wallet and sign a message:

Typescript

import ProviderWrapper from '@mountainpass/eth-sign'

const provider = new ProviderWrapper(new ethers.providers.Web3Provider(ethereum))

// state
const [accounts, setAccounts] = React.useState([] as string[])
const [signature, setSignature] = React.useState('-')

// actions
const doConnect = () => provider.connect(setAccounts)
const doSign = (msg: string) => provider.signMessage(msg).then(setSignature)
React.useEffect(() => provider.onAccountsChanged(setAccounts), [])

ServerSide (Backend) TLDR;

On the backend, determine the wallet that signed the message (based on having the original unsigned message):

Javascript

const ProviderWrapper = require('@mountainpass/eth-sign').default

const signerWallet = await new ProviderWrapper().verifyMessage(originalMessageSlashSalt, theSignedMessage)

License

Apache 2.0 © nickgrealy