Change message to sign #30
Labels: enhancement (New feature or request)
Comments
We also need to update all the messages to sign, not just the one at |
This is not an MVP feature, but something I think we should consider.
I see the message to be signed something like a CSRF token. If we always send the same message, the same addresses will always produce the same signature, so an eavesdropper will be able to re-authenticate maliciously with the signature they found.
Why we shouldn't worry too much
I don't think this is a big deal because:
Why I think this should be implemented at some point
However, I think changing the message to be signed shouldn't be too hard. The only concern here is storing the message to compare it with the signed message. For that, an in-memory dictionary with
{ [address]: messageToBeSigned }
should work completely fine. At least until we have >10k users signing in at the same time (should be fine). (cc @carletex @sogasg)