Sign-in With Ethereum (SIWE)(EIP-4361) Updates

[digiwand]

Description

Following the launch of Sign-in With Ethereum, we will update the domain binding logic, refactor code, UI/UX improvements, and fix bug(s).

EIP Spec: https://eips.ethereum.org/EIPS/eip-4361

Concerns to address from the EIP-4361 spec:

• feat: warn users when personal_sign message contains the string "wants you to sign in with your Ethereum account" #24128

   Wallet implementers SHOULD warn users if the substring `"wants you to sign in with your Ethereum account"`
   appears anywhere in an [ERC-191](https://eips.ethereum.org/EIPS/eip-191) message signing request 
   unless the message fully conforms to the format defined in this specification.
  

• https://github.com/MetaMask/MetaMask-planning/issues/2430

   address REQUIRED. The Ethereum address performing the signing. Its value SHOULD be conformant to mixed-case checksum address encoding specified in [ERC-55](https://eips.ethereum.org/EIPS/eip-55) where applicable.
  

Implementation

1. Domain Binding

• a) Discuss updated implementation involving security input
  • Discussions happening here [Bug]: Weird behavior for SIWE requests on localhost #18188 and directly
    cc: @bschorchit @danjm @digiwand @holantonela @legobeat @naugtur @skgbafa @wyc
• b) Communicate updates to Spruce and potential EIP-4361 spec updates
  • Slack: link
  • EIP-4361 Forum: https://ethereum-magicians.org/t/eip-4361-sign-in-with-ethereum/7263/3
• c) Update domain binding logic
  • Handle URL parts: URI scheme, subdomains (including www), and port
  • Enforce the matching of URL parts when specified in the message while removing matching of URL parts when included in the origin domain, but not in the message.
  • Consider Domain Binding of other EIP protocols like EIP-6384 as @holantonela suggested
  • Issues:
    • URI scheme: [Bug]: Weird behavior for SIWE requests on localhost #18188
    • Subdomains (including www): [Bug]: Deceptive site request. Domain mismatch when signing messages with matching domain #18332
    • Port: [Bug]: SIWE domain binding should handle port appropriately  #18481
  • PRs:
    • feat: controller-utils: Add Sign-in-with-Ethereum origin validation core#1163
    • Use SIWE origin validation logic from @metamask/controller-utils #18518
• d) Consider adding setting to turn off domain binding which may be useful for development
  • Issue: Support domain mismatch on SIWE on development mode #18191
• f) Communicate changes to the community
  • Issue: Communicate the plan and time we will block mismatched domains on Sign-in With Ethereum (SIWE) #18529

2. Code refactoring and other non-UI/UX changes

• a) Move SIWE logic to core library:
  • core library: feat: Add SIWE detection support for PersonalMessageManager core#1139
  • extension: feat: use siwe detection from @metamask/controller-utils #18409
• b) Move SIWE domain binding logic to core library:
  • feat: controller-utils: Add Sign-in-with-Ethereum origin validation core#1163
• c) Add e2e tests:
  • Add e2e test sign in with ethereum #17823
• d) clean createRPCMethodTrackingMiddleware logic and add tests:
  • Issue: Sign-in With Ethereum (SIWE) Cleanup #18474
  • PR: Fix Sign-in With Ethereum (SIWE) metametric, add tests, and clean RPC method middleware event logic #18008
• e) minor cleanup and add more tests:
  • Issue: Sign-in With Ethereum (SIWE) Cleanup #18474
  • PR: Sign-in With Ethereum SIWE cleanup #18230

3. UI/UX Changes

• a) Replace ActionableMessage with Banner Alerts:
  • Issue: Replace ActionableMessage components with BannerAlerts in SIWE Sign-in with Ethereum page #18207
• b) Replace PermissionsConnectHeader with the newer Signature header:
  • Issue: New header is not shown on SIWE screen #17812
• c) Replace the footer to align with other signature footers. Ensure we continue to require scroll before the user can sign:
  • Issue: Replace Sign-in With Ethereum (SIWE) Footer #18473
• d) Add bullet points for "Resources" list:
  • Issue: Add bullet points for SIWE Resources #18477
  • From EIP-4361:
    They are expressed as RFC 3986 URIs separated by `"\n- "` where `\n` is the byte `0x0a`.
• e) Add multiple signature support
  [Enhancement] Add the ability to navigate multiple SIWE notifications #17807
• f) Update SIWE confirmation page with domain binding UI
  Update SIWE confirmation page with domain binding UI #18622
• g) Support SIWE in mobile
  https://github.com/MetaMask/MetaMask-planning/issues/1128
• h) From EIP-4361: Wallet implementers SHOULD warn users if the substring "wants you to sign in with your Ethereum account"
  feat: warn users when personal_sign message contains the string "wants you to sign in with your Ethereum account" #24128

4. Bug Fixes

• [Bug]: MetaMask signature request immediately appears and then disappears depending on the content of the signature request's message #18241 (maybe fixed by domain binding subdomain update)
• [UI Bug]: Broken UI on Sign In With Ethereum W/ Resources #17913
• [Bug]: SIWE does not show Ledger dialog #18552
• https://github.com/MetaMask/MetaMask-planning/issues/2256
• https://github.com/MetaMask/MetaMask-planning/issues/2430

[legobeat]

New PR for 1c: #18518