Verify Signature

Hi, how do I verify a signature? At the front end I'm sending this:

authenticate({ signingMessage: message })

I can't even get it to work here:
https://etherscan.io/verifySig

My whole idea is to verify the signature on my server side.

What signature do you want to verify?

You can search on this forum and you may find the answer in another similar thread.

I've searched everywhere, no lead so far.

Every time we connect to the wallet, we should receive the signature, right? I'm able to get the signature value from User data. Currently I'm sending this signature to my backend (PHP) together with the wallet address and signingMessage. At my backend I want to verify whether the signature was signed by the same wallet address.

1 Like

OK, so you have the signature, the wallet address and the signed message.

What did you try to do with those parameters? Like, what is the code that you tried?

Moralis does this for you. The signature that you sign gets verified by their backend. That's the whole point of the one-line auth message. It saves what would typically be a couple of 100 lines of code to do the same from scratch. So you don't have to worry.

However, if you're trying to implement your own version of this or do "a" verification yourself, then you can use the below:

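const { recoverPersonalSignature } = require("eth-sig-util");
const { bufferToHex } = require("ethereumjs-util");

// nonce and signature are assumed to be defined earlier
// (the login nonce and the object holding the client's signature)
const msg = `onboadring message ${nonce}`; // must be exactly the string the user signed

// the signed data is passed as a 0x-prefixed hex string
const msgBufferHex = bufferToHex(Buffer.from(msg, 'utf8'));
// returns the address of the account that produced the signature
const address = recoverPersonalSignature({data: msgBufferHex, sig: signature.signature});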

Usually the message will have a random nonce uniquely generated for each user each time they log in, which makes the signature much more difficult to hack. So together with the message you make the user sign and the actual return value of web3.eth.personal_sign() (which is the signature in this case), we can use this Ethereum function recoverPersonalSignature(), which takes the exact message the user signed and also the signature. From this it does some cryptographic magic (lol) to verify the person who signed it really was the wallet owner. So what this will do is the result of recoverPersonalSignature() will output the address of the signer; then in your backend, if you compare this address with the actual wallet of the person who signed the message and they're the same, then boom, you have verified their ownership.

1 Like

This is a snippet from a similar one I did in Node.js; not sure how you would do so if you're using PHP.
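An added example, not code from any poster in this thread or from Moralis: the server-side nonce challenge and address comparison described above, wrapped around the recovery call. The names `createVerifier`, `issueChallenge` and `verifyLogin`, the five-minute lifetime and the message wording are assumptions; `recover` is injected so the block runs offline, and on a real server it would be `recoverPersonalSignature` from eth-sig-util.

```javascript
const { randomBytes } = require("crypto");

const NONCE_TTL_MS = 5 * 60 * 1000;     // assumed lifetime of a login challenge
const SIG_RE = /^0x[0-9a-fA-F]{130}$/;  // 65-byte signature, hex encoded
const ADDR_RE = /^0x[0-9a-fA-F]{40}$/;  // 20-byte address, hex encoded

// recover({ data, sig }) must return the signer's address (injected dependency).
function createVerifier(recover, now = Date.now) {
  const pending = new Map(); // lowercased address -> { message, expires }

  // Step 1: the server, not the client, chooses the message to be signed.
  function issueChallenge(address) {
    if (!ADDR_RE.test(address)) throw new Error("bad address");
    // Constructed message wording; the nonce is fresh for every login attempt.
    const message = `Login nonce: ${randomBytes(16).toString("hex")}`;
    pending.set(address.toLowerCase(), { message, expires: now() + NONCE_TTL_MS });
    return message;
  }

  // Step 2: recover the signer from the stored message and compare addresses.
  function verifyLogin(address, signature) {
    if (!ADDR_RE.test(address) || !SIG_RE.test(signature)) return false;
    const key = address.toLowerCase();
    const challenge = pending.get(key);
    pending.delete(key); // single use, even on failure, so a signature cannot be replayed
    if (!challenge || now() > challenge.expires) return false;
    // Same encoding as bufferToHex(Buffer.from(msg, 'utf8')) in the snippet above.
    const data = "0x" + Buffer.from(challenge.message, "utf8").toString("hex");
    let signer;
    try {
      signer = recover({ data, sig: signature });
    } catch {
      return false; // recovery threw on a malformed signature: reject
    }
    // Recovered addresses may be lowercase or checksummed: compare case-insensitively.
    return typeof signer === "string" && signer.toLowerCase() === key;
  }

  return { issueChallenge, verifyLogin };
}
```

Because the server verifies against the message it stored rather than one supplied with the request, a signature captured from an earlier login does not match the next challenge.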

Yes exactly - you don't have to verify anything.

When the user signs the message it's sent to Moralis for verification and Moralis sets up a User row in your database if the signature is correct.

1 Like

Is it possible for me to use recoverPersonalSignature() with the signature created by Moralis instead of my own?

Putting aside the PHP, I supposed this website, https://etherscan.io/verifySig, should at least be able to recover it. But I'm still unable to do so. Am I missing something? I'm using the authData (id, message, signature) from the Moralis DB.

1 Like

It should work. There are two types of signatures: signing a message is not the same thing as signing a transaction. The verification is also different in those two cases.

2 Likes