Skip to content

fix(docs): warn that client-side SIWE nonce provides no replay protection#1722

Open
Kewe63 wants to merge 1 commit into
base:masterfrom
Kewe63:fix/1452-siwe-client-nonce-warning
Open

fix(docs): warn that client-side SIWE nonce provides no replay protection#1722
Kewe63 wants to merge 1 commit into
base:masterfrom
Kewe63:fix/1452-siwe-client-nonce-warning

Conversation

@Kewe63

@Kewe63 Kewe63 commented Jul 14, 2026

Copy link
Copy Markdown

Summary

Fixes #1452

Adds a prominent <Warning> block above the SIWE code example in the "Replace auth and identity" step of the Base App migration guide. The example generates the SIWE nonce with generateSiweNonce() in the browser; a client-issued nonce provides no replay protection — any attacker who captures a valid message + signature pair can replay it against the server because the server has no record of which nonces it issued.

The new warning explicitly:

  • Names the security limitation (no replay protection)
  • Explains the attack model (capture + replay)
  • Clarifies when the pattern is acceptable (apps without server-side sessions)
  • Points developers at the Authenticate users guide's server-issued nonce pattern

The existing <Note> disclaimer that sits closer to the code example is kept for context but is easier to miss — the new <Warning> immediately above the example is harder to overlook.


Changes

docs/apps/guides/migrate-to-standard-web-app.mdx (Step "Replace auth and identity", before the SIWE code example)

  • Added a 4-line <Warning> block calling out the replay protection gap.

How to Test

  1. Checkout the branch.
  2. Open docs/apps/guides/migrate-to-standard-web-app.mdx and navigate to the "Replace auth and identity" step.
  3. Confirm the rendered guide shows the <Warning> directly above the SIWE code snippet.
  4. The warning text should match the issue description: explain client-side nonce + replay attack model + link to /base-account/guides/authenticate-users.

Checklist

  • Follows Contributing Guide and Conventional Commits
  • No duplicate PRs — searched existing
  • Changes scoped to this fix only
  • Tested on docs/base chain preview
  • No config keys changed
  • No architecture changes
  • Cross-platform impact: docs only

Risk & Impact

None. Documentation-only addition of a warning block. No code, config, or behavior changes.

Type: 🐛 Bug fix / 📝 Documentation update
Fixes: #1452

…tion

The 'Replace auth and identity' code example in the Base App migration
guide generates the nonce in the browser with generateSiweNonce(). A
client-issued nonce provides no replay protection — any attacker who
captures a valid SIWE message + signature pair can replay it against
the server, because the server has no record of which nonces it issued.

Add a prominent <Warning> block immediately before the code example
explaining the security limitation and pointing developers at the
Authenticate users guide for the server-issued nonce pattern. The
existing <Note> disclaimer closer to the example is kept for
context but the new <Warning> is harder to miss.

Fixes base#1452
@cb-heimdall

Copy link
Copy Markdown
Collaborator

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/2
Denominator calculation
Show calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Show calculation
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2

@baperezagustin40-debug

baperezagustin40-debug commented Jul 14, 2026 via email

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(docs): client-side nonce in SIWE example is insecure — add server-side nonce warning

3 participants