fix: signTypedData verification for smart accounts (#2906)

Author: joaquim-verges

.changeset/afraid-pianos-cross.md

@@ -0,0 +1,5 @@
+---
+"thirdweb": patch
+---
+
+Fix signTypedData external verification for smart accounts

legacy_packages/auth/test/smart-wallet.test.ts

@@ -9,9 +9,6 @@ require("dotenv-mono").load();
 
 describe.runIf(process.env.TW_SECRET_KEY)(
   "Wallet Authentication - EVM - Smart Wallet",
-  {
-    timeout: 240000,
-  },
   async () => {
     let adminWallet: any, signerWallet: any, attackerWallet: any;
     let auth: ThirdwebAuth;
@@ -42,7 +39,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       auth.updateWallet(signerWallet);
     });
 
-    it("Should verify logged in wallet", async () => {
+    it("Should verify logged in wallet", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -51,7 +50,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       expect(address).to.equal(await signerWallet.getAddress());
     });
 
-    it("Should verify logged in wallet with chain ID and expiration", async () => {
+    it("Should verify logged in wallet with chain ID and expiration", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login({
         expirationTime: new Date(Date.now() + 1000 * 60 * 5),
         chainId: "84532",
@@ -65,7 +66,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       expect(address).to.equal(await signerWallet.getAddress());
     });
 
-    it("Should verify payload with resources", async () => {
+    it("Should verify payload with resources", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login({
         resources: ["https://example.com", "https://test.com"],
       });
@@ -78,7 +81,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       expect(address).to.equal(await signerWallet.getAddress());
     });
 
-    it("Should reject payload without necessary resources", async () => {
+    it("Should reject payload without necessary resources", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login({
         resources: ["https://example.com"],
       });
@@ -96,7 +101,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should verify payload with customized statement", async () => {
+    it("Should verify payload with customized statement", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login({
         statement: "Please sign!",
       });
@@ -109,7 +116,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       expect(address).to.equal(await signerWallet.getAddress());
     });
 
-    it("Should reject payload with incorrect statement", async () => {
+    it("Should reject payload with incorrect statement", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login({
         statement: "Please sign!",
       });
@@ -127,7 +136,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should reject invalid nonce", async () => {
+    it("Should reject invalid nonce", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -145,7 +156,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should accept valid nonce", async () => {
+    it("Should accept valid nonce", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -160,7 +173,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       expect(address).to.equal(await signerWallet.getAddress());
     });
 
-    it("Should reject payload with incorrect domain", async () => {
+    it("Should reject payload with incorrect domain", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -174,7 +189,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should reject expired login payload", async () => {
+    it("Should reject expired login payload", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login({
         expirationTime: new Date(Date.now() - 1000 * 60 * 5),
       });
@@ -188,7 +205,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should reject payload with incorrect chain ID", async () => {
+    it("Should reject payload with incorrect chain ID", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login({
         chainId: "1",
       });
@@ -206,7 +225,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should reject payload with incorrect signer", async () => {
+    it("Should reject payload with incorrect signer", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
       payload.payload.address = await attackerWallet.getAddress();
 
@@ -219,7 +240,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should generate valid authentication token", async () => {
+    it("Should generate valid authentication token", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -229,7 +252,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       expect(user.address).to.equal(await signerWallet.getAddress());
     });
 
-    it("Should reject token with incorrect domain", async () => {
+    it("Should reject token with incorrect domain", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -245,7 +270,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should reject token before invalid before", async () => {
+    it("Should reject token before invalid before", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -261,7 +288,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should reject expired authentication token", async () => {
+    it("Should reject expired authentication token", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -277,7 +306,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should reject if admin address is not connected wallet address", async () => {
+    it("Should reject if admin address is not connected wallet address", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -294,7 +325,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should accept token with valid token ID", async () => {
+    it("Should accept token with valid token ID", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -313,7 +346,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       expect(user.address).to.equal(await signerWallet.getAddress());
     });
 
-    it("Should reject token with invalid token ID", async () => {
+    it("Should reject token with invalid token ID", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -335,7 +370,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       }
     });
 
-    it("Should propagate session on token", async () => {
+    it("Should propagate session on token", {
+      timeout: 240000,
+    },  async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -349,7 +386,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       expect(user.session).to.deep.equal({ role: "admin" });
     });
 
-    it("Should call session callback function", async () => {
+    it("Should call session callback function", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);
@@ -368,7 +407,9 @@ describe.runIf(process.env.TW_SECRET_KEY)(
       });
     });
 
-    it("Should authenticate with issuer address", async () => {
+    it("Should authenticate with issuer address", {
+      timeout: 240000,
+    }, async () => {
       const payload = await auth.login();
 
       auth.updateWallet(adminWallet);

legacy_packages/wallets/src/evm/connectors/smart-wallet/lib/check-contract-wallet-signature.ts

@@ -74,7 +74,7 @@ export async function checkContractWalletSignature(
 
   const provider = new providers.StaticJsonRpcProvider(
     {
-      url: chainIdToThirdwebRpc(chainId),
+      url: rpcUrl,
       skipFetchSetup: _skipFetchSetup,
       headers,
     },

legacy_packages/wallets/src/evm/connectors/smart-wallet/lib/erc4337-signer.ts

@@ -227,7 +227,7 @@ Code: ${errorCode}`;
     try {
       const provider = new providers.StaticJsonRpcProvider(
         {
-          url: chainIdToThirdwebRpc(chainId, this.config.clientId),
+          url: rpcUrl,
           headers,
         },
         chainId,

legacy_packages/wallets/src/evm/wallets/abstract.ts

@@ -17,7 +17,7 @@ import { createErc20 } from "../utils/currency";
 // TODO improve this
 export function chainIdToThirdwebRpc(chainId: number, clientId?: string) {
   return `https://${chainId}.rpc.thirdweb.com${clientId ? `/${clientId}` : ""}${
-    typeof globalThis !== "undefined" && "APP_BUNDLE_ID" in globalThis
+    typeof globalThis !== "undefined" && "APP_BUNDLE_ID" in globalThis && !!(globalThis as any).APP_BUNDLE_ID
       ? `?bundleId=${(globalThis as any).APP_BUNDLE_ID as string}`
       : ""
   }`;

legacy_packages/wallets/test/smart-wallet-integration.test.ts

@@ -117,7 +117,7 @@ describeIf(!!SECRET_KEY)(
     });
 
     it("can sign and verify 1271 old factory", {
-      timeout: 120_000,
+      timeout: 240_000,
     }, async () => {
       const message = "0x1234";
       const sig = await smartWallet.signMessage(message);

packages/thirdweb/src/extensions/erc1271/checkContractWalletSignedTypedData.ts

@@ -0,0 +1,53 @@
+import { type TypedData, type TypedDataDefinition, hashTypedData } from "viem";
+import type { ThirdwebContract } from "../../contract/contract.js";
+import { isHex } from "../../utils/encoding/hex.js";
+import { isValidSignature } from "./__generated__/isValidSignature/read/isValidSignature.js";
+
+export type CheckContractWalletSignTypedDataOptions<
+  typedData extends TypedData | Record<string, unknown>,
+  primaryType extends keyof typedData | "EIP712Domain" = keyof typedData,
+> = {
+  contract: ThirdwebContract;
+  data: TypedDataDefinition<typedData, primaryType>;
+  signature: string;
+};
+const MAGIC_VALUE = "0x1626ba7e";
+
+/**
+ * Checks if a contract wallet signature is valid.
+ * @param options - The options for the checkContractWalletSignature function.
+ * @param options.contract - The contract to check the signature against.
+ * @param options.message - The message to check the signature against.
+ * @param options.signature - The signature to check.
+ * @extension ERC1271
+ * @example
+ * ```ts
+ * import { checkContractWalletSignedTypedData } from "thirdweb/extensions/erc1271";
+ * const isValid = await checkContractWalletSignedTypedData({
+ *  contract: myContract,
+ *  data: {
+ *   primaryType: "EIP712Domain",
+ *   domain: {
+ *     name: "Example",
+ *     version: "1",
+ *     chainId: 1,
+ *     verifyingContract: myContract.address,
+ *   },
+ * });
+ * ```
+ * @returns A promise that resolves with a boolean indicating if the signature is valid.
+ */
+export async function checkContractWalletSignedTypedData<
+  typedData extends TypedData | Record<string, unknown>,
+  primaryType extends keyof typedData | "EIP712Domain" = keyof typedData,
+>(options: CheckContractWalletSignTypedDataOptions<typedData, primaryType>) {
+  if (!isHex(options.signature)) {
+    throw new Error("The signature must be a valid hex string.");
+  }
+  const result = await isValidSignature({
+    contract: options.contract,
+    hash: hashTypedData(options.data),
+    signature: options.signature,
+  });
+  return result === MAGIC_VALUE;
+}