Authentication API (after Metamask 10.26.1 update)

Hello,

I have been using the Moralis Authentication API and it was working beautifully until the recent Metamask API.

Here is our message configuration for Moralis from the docs:

const config = {
  domain: 'amazing.finance',
  statement: 'Please sign this message to confirm your identity.',
  uri: process.env.REACT_URL,
  timeout: 60,
};

So now Metamask considers this a bad domain and the sign message never shows up in Metamask. When we manually fix the message to have a domain of https://amazing.finance, the sign message shows up and works.

(For example, on the frontend I can replace ‘amazing.finance’ with ‘https://amazing.finance’ and Metamask accepts it and works, but of course on the backend the message-signature comparison fails.)

The thing is, when I send the config with
domain: 'https://amazing.finance',
the Moralis API does not accept this domain format and gives this error:

MoralisError [Moralis SDK Core Error]: [C0006] Request failed, Bad Request(400): domain must be a valid domain name

The previous code still works for Metamask 10.25.

Any suggestions on this?

Thanks

Hello, you have to replace that amazing.finance with the domain from which the signature is requested. Metamask now checks the domain that asks for a signature, and if the domain from the message doesn’t match the domain from the browser, Metamask closes automatically.

Thanks for the reply, but I am using the correct domain. As I mentioned, when I add https:// in front of the domain it works and Metamask accepts it.

But the Moralis API doesn’t accept the domain with https://

You don’t have to use that http

We also use it on moralismoney.com and it works there without issues with the correct domain

That does work, however, this still breaks anything with a port (like localhost:3000). Can you guys update the API to be more lax? This is a weird and sudden change from Metamask causing a lot of issues downstream

We should support a port number in the domain name?

Unfortunately, Metamask is doing this check:

const { host } = new URL(origin);
isSIWEDomainValid = parsedMessage.domain === host;

If you disagree with the spec and how they implemented it, I think the weight of your role at Moralis may be useful on this ticket:

Should that be fixed if we add the port near the domain in the original generated message?

I believe so, however, then you’ll be using the URI as the Domain: ${} which may not be to spec.

You can test your app using ngrok for now until our team decides if the port should be accepted in the domain

domain: "xxxxxxxxx.eu.ngrok.io",
uri: "https://xxxxxxx.eu.ngrok.io",
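The host comparison quoted earlier in the thread, as an added example that is not part of any post and is not Moralis or MetaMask code. It shows why a hard-coded domain passes on the production origin but fails on `localhost:3000`, and why an unrelated origin cannot reuse the domain. The helper names (`siweDomainFor`, `isSiweDomainValid`, `buildAuthConfig`) and the sample origins are assumptions.

```javascript
// Hypothetical helpers for illustration; run with Node or in a browser console.

// URL.host drops the scheme and a default port (80/443) but keeps any other port.
function siweDomainFor(origin) {
  return new URL(origin).host;
}

// Same comparison as the check quoted in the thread.
function isSiweDomainValid(origin, messageDomain) {
  const { host } = new URL(origin);
  return messageDomain === host;
}

// Derive the challenge config from the page origin instead of hard-coding it.
// In a browser, pass window.location.origin.
function buildAuthConfig(origin, statement) {
  return {
    domain: siweDomainFor(origin),
    statement,
    uri: new URL(origin).origin,
    timeout: 60,
  };
}

// Constructed samples: [page origin, domain written into the message]
const samples = [
  ['https://amazing.finance', 'amazing.finance'],         // match
  ['https://amazing.finance:443', 'amazing.finance'],     // default port is dropped
  ['http://localhost:3000', 'localhost'],                 // port missing in message
  ['http://localhost:3000', 'localhost:3000'],            // match, port included
  ['https://amazing-finance.example', 'amazing.finance'], // different site
];

for (const [origin, domain] of samples) {
  const verdict = isSiweDomainValid(origin, domain) ? 'accepted' : 'rejected';
  console.log(`${origin} + domain "${domain}": ${verdict}`);
}
```

Whether the backend accepts a domain that includes a port is the open question in the thread, so the config built for `localhost:3000` may still be rejected server-side.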