check timestamps of BLS session sigs

LIT-Protocol · Jul 2, 2024 · 7281f14 · 7281f14
1 parent 278381b
commit 7281f14
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 3 deletions.
diff --git a/packages/lit-node-client-nodejs/src/lib/helpers/validate-bls-session-sig.ts b/packages/lit-node-client-nodejs/src/lib/helpers/validate-bls-session-sig.ts
@@ -1,6 +1,7 @@
 import { AuthSig } from '@lit-protocol/types';
 import { uint8arrayToString } from '@lit-protocol/uint8arrays';
 import { ethers } from 'ethers';
+import { SiweError, SiweErrorType, SiweMessage } from 'siwe';
 
 const LIT_SESSION_SIGNED_MESSAGE_PREFIX = 'lit_session:';
 
@@ -18,7 +19,8 @@ export const blsSessionSigVerify = (
   // TODO: refactor type with merger of PR 'https://github.com/LIT-Protocol/js-sdk/pull/503`
   verifier: (public_key: any, message: any, signature: any) => void,
   networkPubKey: string,
-  authSig: AuthSig
+  authSig: AuthSig,
+  authSigSiweMessage: SiweMessage
 ): void => {
   let sigJson = JSON.parse(authSig.sig);
   // we do not nessesarly need to use ethers here but was a quick way
@@ -32,6 +34,34 @@ export const blsSessionSigVerify = (
   );
   const signatureBytes = Buffer.from(sigJson.ProofOfPossession, `hex`);
 
+  /** Check time or now */
+  const checkTime = new Date();
+
+  if (!authSigSiweMessage.expirationTime || !authSigSiweMessage.notBefore) {
+    throw new Error(
+      'Invalid SIWE message. Missing expirationTime or notBefore.'
+    );
+  }
+
+  // check timestamp of SIWE
+  const expirationDate = new Date(authSigSiweMessage.expirationTime);
+  if (checkTime.getTime() >= expirationDate.getTime()) {
+    throw new SiweError(
+      SiweErrorType.EXPIRED_MESSAGE,
+      `${checkTime.toISOString()} < ${expirationDate.toISOString()}`,
+      `${checkTime.toISOString()} >= ${expirationDate.toISOString()}`
+    );
+  }
+
+  const notBefore = new Date(authSigSiweMessage.notBefore);
+  if (checkTime.getTime() < notBefore.getTime()) {
+    throw new SiweError(
+      SiweErrorType.NOT_YET_VALID_MESSAGE,
+      `${checkTime.toISOString()} >= ${notBefore.toISOString()}`,
+      `${checkTime.toISOString()} < ${notBefore.toISOString()}`
+    );
+  }
+
   verifier(
     networkPubKey,
     shaHashed,

diff --git a/packages/lit-node-client-nodejs/src/lib/lit-node-client-nodejs.ts b/packages/lit-node-client-nodejs/src/lib/lit-node-client-nodejs.ts
@@ -518,7 +518,7 @@ export class LitNodeClientNodeJs
     // it will fail. If the  algo is not defined we can assume that it was an EOA wallet signing the message so we can use SIWE.
     if (authSig.algo === `ed25519` || authSig.algo === undefined) {
       try {
-        await authSigSiweMessage.validate(authSig.sig);
+        await authSigSiweMessage.verify(authSig.sig);
       } catch (e) {
         log(`Error while verifying ECDSA signature: `, e);
         return true;
@@ -528,7 +528,8 @@ export class LitNodeClientNodeJs
         blsSessionSigVerify(
           blsSdk.verify_signature,
           this.networkPubKey!,
-          authSig
+          authSig,
+          authSigSiweMessage
         );
       } catch (e) {
         log(`Error while verifying bls signature: `, e);