Deceptive Site Warning After Switching to Self Hosted Server

Hello,

I have a problem after switching to self hosted server. My domain is, let's say, example.com.
Self hosted is running on http://localhost:1337. In the self hosted server's .env config the server is http://localhost:1337.
I have added an A record to my DNS like moralis.example.com that uses Apache config to proxy to port 1337, and enabled HTTPS via Cloudflare, so everything works like that after changing the env config's server directive to https://moralis.example.com/server
But as the request-making site is example.com, MetaMask shows a deceptive site warning, although the domain is the same but the subdomain is different: moralis.example.com. How can I solve this issue? My users don't want to connect with this warning.

Thanks

I think that you should set the complete domain in the message that is generated to be signed; this is a new feature on the MetaMask side to validate the message that is signed.

How to set it? Currently using this:

 const { message } = await Moralis.Cloud.run("requestMessage", {
     address: account,
     chain: parseInt(chainId, 16),
     network: "evm",
   });

   await Moralis.authenticate({
     signingMessage: message,
     throwOnError: true,
   }).then((user) => {
     console.log(user);
     console.log("success")
   });

Check that cloud function named requestMessage; it should have some options, or you can try to send domain as a parameter to it.

Even if I do it, I still get this…

   const { message } = await Moralis.Cloud.run("requestMessage", {
     address: account,
     chain: parseInt(chainId, 16),
     network: "evm",
     domain: 'moralis.example.com',   //(also tried with example.com)
     statement: 'Please sign this message to confirm your identity.',
     uri: 'https://moralis.example.com',
   });

Check the exact message that you get from requestMessage, the beginning of the message. It is not the uri that matters, only the domain that is at the beginning of the message.

Result: {"message":"moralis.kriptomevsimi.com wants you to sign in with your Ethereum account:\n0xC744c3

Self hosted server is running on moralis.kriptomevsimi.com
The domain that auth is made from is: kriptomevsimi.com

If I change the request to

   const { message } = await Moralis.Cloud.run("requestMessage", {
     address: account,
     chain: parseInt(chainId, 16),
     network: "evm",
     domain: 'kriptomevsimi.com',
     statement: 'Please sign this message to confirm your identity.',
     uri: 'https://kriptomevsimi.com',
   });

still the request message is like this:

Result: {"message":"moralis.kriptomevsimi.com wants you to sign in with your Ethereum account:\n0xC

Self hosted is running on moralis.kriptomevsimi.com. I think that is the problem. But there are no other ways, because I can't change it to kriptomevsimi.com, obviously.

That domain should be set somewhere; it should be configurable so you can set it to any value you want.


The domain of self hosted or the message's origin?

I can set any domain I want here in the swagger for request message:
https://authapi.moralis.io/api-docs/#/Challenge/requestChallengeEvm

I can also set it there with swagger, but in my code,

even if I set it with

   const { message } = await Moralis.Cloud.run("requestMessage", {
     address: account,
     chain: parseInt(chainId, 16),
     network: "evm",
     domain: "kriptomevsimi.com",
     statement: 'Please sign this message to confirm your identity.',
     uri: 'https://kriptomevsimi.com',
   });

the requesting domain becomes: moralis.kriptomevsimi.com (which is where the hosted server is running)


Check the code for that cloud function to see what it does

You can also create a separate cloud function if you want that generates that message

For anyone else who has come across this error:

The issue is that when you deploy to production your server hostname is different than your frontend's hostname.

This appears to be an issue within the authService.ts file for self hosted parse server.

const result = await Moralis.Auth.requestMessage({
    address,
    chain,
    networkType,
    domain: "frontend.URL.hostname", //eg. 'example.com' 
    uri: url.toString(),
    statement: STATEMENT,
    notBefore: now.toISOString(),
    expirationTime: expirationTime.toISOString(),
    timeout: TIMEOUT,
  });

Hardcoding the value for domain will get rid of that error.


You could also do a more permanent fix by adding this to your .env
FRONTEND_URL="yourUrl"

Then, adding this to your config.ts

  FRONTEND_URL: str({
    desc: 'Reference to your frontend URL. Replace this when your frontend is deployed',
    devDefault: 'http://localhost:3000',
  }),

and adjust your authService.ts accordingly

import Moralis from 'moralis';
import config from '../config';

export interface RequestMessage {
  address: string;
  chain: string;
  networkType: string;
}

const STATEMENT = 'Please sign this message to confirm your identity.';
const EXPIRATION_TIME = 900000;
const TIMEOUT = 15;

export async function requestMessage({
  address,
  chain,
  networkType,
}: {
  address: string;
  chain: string;
  networkType: 'evm';
}) {
  const serverURL = new URL(config.SERVER_URL);
  const frontendURL = new URL(config.FRONTEND_URL);
  const now = new Date();
  const expirationTime = new Date(now.getTime() + EXPIRATION_TIME);

  const result = await Moralis.Auth.requestMessage({
    address,
    chain,
    networkType,
    domain: frontendURL.hostname,
    uri: serverURL.toString(),
    statement: STATEMENT,
    notBefore: now.toISOString(),
    expirationTime: expirationTime.toISOString(),
    timeout: TIMEOUT,
  });

  const { message } = result.toJSON();

  return message;
}
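What the wallet warning is reacting to, as an added example (not code from the thread, Moralis or MetaMask): the challenge text opens with `<domain> wants you to sign in with your Ethereum account:`, and that domain has to equal the host of the page that asks for the signature. The function names, the placeholder address and the sample messages are constructed, and the comparison is assumed to be an exact, case-insensitive host match.

```typescript
// Added example: check the domain bound into a sign-in challenge against the
// frontend that will present it. All names and sample data are constructed.

const HEADER = /^(\S+) wants you to sign in with your Ethereum account:\r?\n/;

interface DomainCheck {
  ok: boolean;
  messageDomain: string | null;
  expected: string;
  reason: string;
}

// Pull the domain out of the first line of the challenge text.
function challengeDomain(message: string): string | null {
  const m = HEADER.exec(message);
  const domain = m ? m[1] : undefined;
  return domain ? domain.toLowerCase() : null;
}

// frontendUrl is the page that calls the wallet (FRONTEND_URL in the post above).
function checkChallengeDomain(message: string, frontendUrl: string): DomainCheck {
  // host keeps a non-default port, e.g. localhost:3000 during development
  const expected: string = new URL(frontendUrl).host.toLowerCase();
  const messageDomain = challengeDomain(message);
  if (messageDomain === null) {
    return { ok: false, messageDomain, expected, reason: 'no sign-in header found' };
  }
  if (messageDomain !== expected) {
    return { ok: false, messageDomain, expected,
      reason: `message is bound to ${messageDomain}, page is served from ${expected}` };
  }
  return { ok: true, messageDomain, expected, reason: 'domain matches frontend host' };
}

// Constructed sample input: placeholder address, statement taken from the thread.
const ZERO_ADDR = '0x0000000000000000000000000000000000000000';
function sampleChallenge(domain: string): string {
  return `${domain} wants you to sign in with your Ethereum account:\n${ZERO_ADDR}\n\n` +
    'Please sign this message to confirm your identity.';
}

// Before the fix the API host ends up in the message; after it, the frontend host does.
const before = checkChallengeDomain(sampleChallenge('moralis.example.com'), 'https://example.com');
const after = checkChallengeDomain(sampleChallenge('example.com'), 'https://example.com');
console.log(before.ok, before.reason);
console.log(after.ok, after.reason);
```

Running the same check on the server side before returning the message catches a wrong FRONTEND_URL at deploy time instead of in front of users.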