It is very funny that the parse message function cannot parse internally built messages I also tried the run test case swie_test.go, but it cannot pass. This repo is open to the public. werid.

	message, err := siwe.InitMessage("example.com", "0x71C7656EC7ab88b098defB751B7401B5f6d8976F", "https://example.com", "2", map[string]interface{}{})
	assert.Nil(t, err)
	assert.Equal(t, "2", message.GetNonce())
	//fmt.Print(message.String())
	// verify nonce
	resMessage, err := siwe.ParseMessage(message.String())
	assert.Nil(t, err)
	assert.Nil(t, message, resMessage)

The above code get an error, really interesting.

When you have a parsing issue on PrepareMessage() you get a Expired Message message.

Hi,

Arthur from tally here. we use 'siwe-go' in the backend to authenticate SIWE requests. We noticed that it did not seem to work for users signing with Ledger+Metamask. I've put together some unit tests that duplicate the error.

You'll see that the javascript tests validate the signature, but the go tests for the same signature do not. We're not super familiar with how the cryptography works here. Do you know what the problem might be? We're looking for some help to fix the issue.

Happy to provide more context if that's helpful!

Tldr: I'm trying to sign (siwe) with my ledger at the tally website and got some errors. I was able to narrow down that it works on the JS code, (worked on https://login.xyz ) but it's not working with .GO

I put all replicable steps here:
https://github.com/afa7789/siwe-go

The "latest" tagged release, 0.2.0, does not include the fix for messages signed using a Ledger (#19).

We should cut a new release so folks don't accidentally pull in the tagged release without the fix.

General Description

I have a question regarding siwe-go's error implementation. I am having difficulty debugging when there's some parsing/serialization error when using siwe.ParseMessage this is mainly because the Error() implementation hides the specific error message.

Specific Example

Specifically if I initialize using something like:

msg, err := siwe.InitMessage(
		challengeReq.Domain,
		challengeReq.Identifier,
		challengeReq.URI,
		"some-random-version", // incorrect siwe message version
		msgOptions,
	)

Then try to parse it using siwe.ParseMessage, it will return an error Invalid Message without explicitly specifying which part of the message is invalid. In this case, I think I should have a way to get Message could not be parsed message from the error since the regex validation failed.

Proposed Solution

I want to try to open a discussion here on how to handle this. But there's generally 2 things that I think we need to address:

1. Have some way for devs to get a more specific error message outside of the default Error() implementation.
2. A more granular regular expression validation, resulting in a better error handling in addition to (1).

For (1), I think since siwe already have Error types such as ExpiredMessage, InvalidMessage, InvalidSignature, we can just make the error string public so that developers can type cast the error into one of these types and see the string message for themselves.
For (2), A way that I think should work is to break apart the regexp.Regexp validation into smaller regexp.Regexp so that we can find out exactly where the expression fail.

I get below error while importing library using go get -u github.com/spruceid/siwe-go

github.com/spruceid/siwe-go imports
	github.com/ethereum/go-ethereum/crypto imports
	github.com/btcsuite/btcd/btcec/v2/ecdsa tested by
	github.com/btcsuite/btcd/btcec/v2/ecdsa.test imports
	github.com/btcsuite/btcd/chaincfg/chainhash: ambiguous import: found package github.com/btcsuite/btcd/chaincfg/chainhash in multiple modules:
	github.com/btcsuite/btcd v0.20.1-beta (/Users/aniket/go/pkg/mod/github.com/btcsuite/[email protected]/chaincfg/chainhash)
	github.com/btcsuite/btcd/chaincfg/chainhash v1.0.1 (/Users/aniket/go/pkg/mod/github.com/btcsuite/btcd/chaincfg/[email protected])

Can someone suggest fix for this?

• fix EIP-55
• fix timestamp validation

We should make sure the terms validation and verification are used consistently. We should validate a SIWE message when it is parsed or created. Validation includes schema validation and making sure the message complies with EIP-4361 spec. Verification means the EIP-191 signature is correct and is verified against a given optional domain, timestamp, nonce etc.

For this I propose, we do the following for validation:

• SIWE message complies with the SIWE ABNF in general
• SIWE message contains valid types such as for address (EIP-55), authority (see RFC/EIP), Resources (should be URIs) etc.
• SIWE has all mandatory parameters (e.g., domain, address, issued at)
• SIWE only uses accepted white spaces (LF)
• Parameters in SIWE message are correctly ordered (this is required by the ABNF)

As a result of the validation above, it should not be possible to get a SIWE message that is invalid. Then verification includes the following:

• verifying the EIP-191 signature
• verifying that expiration time is < date.now() + some minimal clock skew
• verifying that expected nonce and domain are in the message (for this, a server would need to have a configuration for domain and has to remember issued nonces which should also expire individually -> note, if a server issues a nonce it is still up to the frontend WHEN to create the SIWE message which can use a different issued at and a longer expiration time).
• verifying not before date < date.now()