User authentication using custom sign message dangers

Hello to who may be reading this, thanks for your help in advance!
I have an app based around crypto wallets & their NFTs, with which Moralis has helped a lot!

I have a concern regarding security. Currently I ask all users to sign the same message, and I store the signature hash in their cookies with the sameSite strict and secure attributes set.

Whenever I want to auth the users for certain actions, I check their cookies; if they have a signature hash, I decode it, and if their public key matches the one MetaMask claims they are, I authorize the action.

I’ve seen Moralis has an auth feature with nonces & everything, which to be honest seems a bit overkill, especially at this point.

My questions are, what exactly would I be vulnerable to with this approach?
The only issue I see is if someone steals the user’s private key (in which case it’s all over anyways),
OR someone steals the cookie contents (signature hash, stored unencrypted inside cookies) and then poses as that someone with those cookies, but isn’t this very difficult to do with the attributes sameSite & secure?

How would a nonce or Moralis auth improve this?
I am not saying my method is better or fail-proof, I just fail to see how it would be ‘very’ vulnerable.

Thank you very much!!

Hey @ThomasDEV,

thanks for reaching out to us :grinning_face_with_smiling_eyes:

So as far as what we provide, our Auth API service only gives the user an easy way/workflow to request a challenge and verify that signed challenge. The nonce and timestamp included in every challenge message, combined with the limited timeout window (max. 2 mins), minimize the likelihood of a malicious actor authenticating as another user, as the different nonces and timestamps are going to result in vastly different signatures for verification.

Of course, if someone steals a wallet, it is unfortunately the same case as when a malicious actor has your email: we cannot help the user out, and due to the wallet’s decentralized nature, we have no power to stop the wallet from being misused by the malicious actor, unless you would like to blacklist the wallet address altogether.

In the other case, where cookie contents are stolen and unencrypted, it should not affect anything on the Moralis side, as we only provide verification and those signature hashes. However, it might affect the user’s session, which could be potentially dangerous, as a malicious actor can pose as a legitimate user to use the application. In this case, it is the developer’s responsibility to use best practices to implement the JWT correctly and securely to ensure such a thing does not happen.

For authentication with Moralis, it is recommended that you use the Auth API along with JWT and store the user sessions in httpOnly cookies. The Moralis Auth API itself is not responsible for much of the security other than verification of the user’s wallet signature. Much of the security should still be handled by the developer by implementing best practices with JWT.

Hope this helps out~
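The difference between the two schemes discussed in this thread, as an added example that is not part of either post and is not Moralis code. It assumes Node.js and uses ECDSA on P-256 from `node:crypto` as a stand-in for a wallet's `personal_sign`; the message texts, the function names and the wallet placeholder are hypothetical.

```javascript
// Added example: fixed-message login vs. nonce challenge (stand-in crypto, hypothetical names).
const nodeCrypto = require('node:crypto');

// One constructed "wallet". A real wallet check recovers the address from the signature.
const wallet = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const sign = (msg) => nodeCrypto.sign('sha256', Buffer.from(msg), wallet.privateKey);
const verify = (msg, sig) => nodeCrypto.verify('sha256', Buffer.from(msg), wallet.publicKey, sig);

// Scheme from the question: everyone signs the same text and the signature is the credential.
const STATIC_MESSAGE = 'Sign in to ExampleApp'; // constructed sample text
function staticLogin(sig) {
  return verify(STATIC_MESSAGE, sig); // no freshness check: a copied signature never expires
}

// Scheme from the reply: nonce + timestamp in the message, short window, single use.
const CHALLENGE_TTL_MS = 2 * 60 * 1000; // the "max. 2 mins" window from the reply
const pending = new Map(); // nonce -> { message, issuedAt }

function issueChallenge(address, now) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  const issued = new Date(now).toISOString();
  const message = `ExampleApp login\naddress: ${address}\nnonce: ${nonce}\nissued: ${issued}`;
  pending.set(nonce, { message, issuedAt: now });
  return { nonce, message };
}

function verifyChallenge(nonce, sig, now) {
  const entry = pending.get(nonce);
  if (!entry) return 'unknown-or-used-nonce';
  pending.delete(nonce); // a challenge can be answered once
  if (now - entry.issuedAt > CHALLENGE_TTL_MS) return 'expired';
  return verify(entry.message, sig) ? 'ok' : 'bad-signature';
}

function demo() {
  const addr = '0xWALLET_PLACEHOLDER';
  const t0 = Date.UTC(2024, 0, 1);
  const staticSig = sign(STATIC_MESSAGE);
  const first = issueChallenge(addr, t0);
  const firstSig = sign(first.message);
  const second = issueChallenge(addr, t0 + 1000);
  const stale = issueChallenge(addr, t0);
  return {
    staticReplay: staticLogin(staticSig) && staticLogin(staticSig),
    firstUse: verifyChallenge(first.nonce, firstSig, t0 + 5000),
    replaySameNonce: verifyChallenge(first.nonce, firstSig, t0 + 6000),
    replayOnNewChallenge: verifyChallenge(second.nonce, firstSig, t0 + 7000),
    lateAnswer: verifyChallenge(stale.nonce, sign(stale.message), t0 + CHALLENGE_TTL_MS + 1),
  };
}
```

After a challenge verifies, the server issues its own session token (the JWT in an httpOnly cookie that the reply recommends), so the wallet signature itself is never stored client-side.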
