Randomly get `OpenLogin - RPC Error: Bad signature` — unable to replicate

We’ve encountered this error several times, and it hasn’t been clear exactly why. When one engineer experiences this issue, it is not the case that everyone else experiences it as well. We use dynamic subdomains in our apps, so we are required to whitelist the domains dynamically. I have a hunch that’s where things are going wrong somehow, but it has not been replicable across our team.

Initializing web3auth

        // This is required to dynamically whitelist app domains.
        const signature = await getWeb3AuthSignature();

        const web3auth = new Web3AuthNoModal({
          clientId: web3AuthClientId,
          web3AuthNetwork: web3authNetwork,
          chainConfig: {
            chainNamespace: CHAIN_NAMESPACES.OTHER,
            rpcTarget: 'wss://testnet-rpc.polymesh.live',
            displayName: 'Polymesh Testnet',
            ticker: 'POLYX',
            tickerName: 'Polymesh',
            blockExplorer: 'https://polymesh-testnet.subscan.io/',
          },
        });

        const openloginAdapter = new OpenloginAdapter({
          loginSettings: {
            curve: SUPPORTED_KEY_CURVES.ED25519,
          },
          adapterSettings: {
            clientId: web3AuthClientId,
            network: web3authNetwork,
            uxMode: UX_MODE.POPUP,
            originData: {
              [window.location.origin]: signature,
            },
          },
        });

        web3auth.configureAdapter(openloginAdapter);

        await web3auth.init();

Logging in

          const isEmailLogin =
            loginProvider === LOGIN_PROVIDER.EMAIL_PASSWORDLESS && email;
          const extraLoginOptions = isEmailLogin ? { login_hint: email } : null;

          const provider = await web3auth.connectTo(WALLET_ADAPTERS.OPENLOGIN, {
            loginProvider,
            extraLoginOptions,
          });

Providing signature to the client app (when client app calls getWeb3AuthSignature)

    const origin = req.get('origin');

    if (!origin)
      throw new Error('LP_AUTH: Origin header is required to whitelist domain');

    const paddedSecret = LP_WEB3_AUTH_CLIENT_SECRET.padStart(64, '0');
    const web3authSecretBuffer = Buffer.from(paddedSecret, 'hex');
    const appPublicKey = base64url.encode(getPublic(web3authSecretBuffer));

    if (appPublicKey !== LP_WEB3_AUTH_CLIENT_ID)
      throw new Error('LP_AUTH: Web3Auth app key mismatch');

    const originHash = keccak('keccak256').update(origin).digest('hex');
    const hashedOriginBuffer = Buffer.from(originHash, 'hex');

    const signatureBuffer = await sign(
      web3authSecretBuffer,
      hashedOriginBuffer,
    );

    const signature = base64url.encode(signatureBuffer);

    res.send({ signature });

Hey @wahid

How are you whitelisting these domains?

@wahid We didn’t hear back from you. If you still need help, you may respond.

You can join our upcoming community call Web3Auth Community Call #4 · Zoom · Luma