Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

verify_user_signature returning false when true is expected #65

Open
alexisprunier opened this issue Sep 17, 2024 · 8 comments
Open

verify_user_signature returning false when true is expected #65

alexisprunier opened this issue Sep 17, 2024 · 8 comments
Assignees
Labels
bug Something isn't working

Comments

@alexisprunier
Copy link

Hi,

At first, thanks for the SDK you put at disposal! Very useful!

I have an issue with the recent v2 of the library. I have adapted my backend python code to keep having the signature verification of Dapper wallets.

My code with v1: https://github.com/alexisprunier/mfl-assistant/blob/main/api/utils/flow.py
My code with v2: https://github.com/alexisprunier/mfl-assistant/blob/home/api/utils/flow.py

Since the usage of the v2, I only get the false value from the flow_py_sdk.utils.verify_user_signature function.

The parameters seems to be very similar. The PY objects also seems to do the same work. I see that the major modification for this feature is the script, probably due to the flow network upgrade.

I can ensure that I reach the following piece of code.

return script_result.as_type(cadence.Bool).value

Is there any hint you could give to me about this?

Regards,
Alexis

@janezpodhostnik janezpodhostnik self-assigned this Sep 25, 2024
@janezpodhostnik janezpodhostnik added the bug Something isn't working label Sep 25, 2024
@janezpodhostnik
Copy link
Owner

Thank you for reporting!

I'll take a look soon (likely tomorrow). There is probably a bug (or a change) in the result parsing.

@janezpodhostnik
Copy link
Owner

It looks like your previous iteration of the code was using the FCLCrypto smart contract to verify the user signatures. The python sdk does not use FCLCrypto, but instead runs similar logic in the script body. The major difference I can see and that probably applies here, is this part from the FCLCrypto contract:

        // Non-custodial users can only generate a weight of 999
        return totalWeight >= 999.0

(shouldn't the comment say "Custodial users ..."?)

So since you are doing verification on dapper wallets this might apply. Can you give me an address you tested this on so I can confirm this theory?

If it is correct I think I might add a optional parameter for the case of custodial users.

@alexisprunier
Copy link
Author

Hi,

Here is the address I use: 0xdf26376de6cba19e

I know that several users have the same issue with other addresses. My case is not isolated.

Thanks for all this.

Regards,
Alexis

@janezpodhostnik
Copy link
Owner

Thanks!

It looks like the 999 weight is not a problem for that particular scenario. I'll try to replicate the scenario.

@janezpodhostnik
Copy link
Owner

@alexisprunier In your code can you try

 signature_is_valid = await utils.verify_user_signature(
-           message=bytes(fields.hex(), "utf-8"),
+           message=fields,
            client=client,
            composite_signatures=[signer],
        )

FCLCrypto expects a hex encoded message, but the python-sdk currently expects utf-8 bytes.

See these lines in the example:

message = b"Hello World!"

@alexisprunier
Copy link
Author

alexisprunier commented Sep 30, 2024

Hi,

I have this error with the suggested change:

2024-09-30 18:35:19 Traceback (most recent call last):
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/uvicorn/protocols/http/httptools_impl.py", line 375, in run_asgi
2024-09-30 18:35:19     result = await app(self.scope, self.receive, self.send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/uvicorn/middleware/proxy_headers.py", line 75, in __call__
2024-09-30 18:35:19     return await self.app(scope, receive, send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/fastapi/applications.py", line 1054, in __call__
2024-09-30 18:35:19     await super().__call__(scope, receive, send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/applications.py", line 116, in __call__
2024-09-30 18:35:19     await self.middleware_stack(scope, receive, send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/middleware/errors.py", line 186, in __call__
2024-09-30 18:35:19     raise exc
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/middleware/errors.py", line 164, in __call__
2024-09-30 18:35:19     await self.app(scope, receive, _send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/middleware/cors.py", line 91, in __call__
2024-09-30 18:35:19     await self.simple_response(scope, receive, send, request_headers=headers)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/middleware/cors.py", line 146, in simple_response
2024-09-30 18:35:19     await self.app(scope, receive, send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
2024-09-30 18:35:19     await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 55, in wrapped_app
2024-09-30 18:35:19     raise exc
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 44, in wrapped_app
2024-09-30 18:35:19     await app(scope, receive, sender)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/routing.py", line 746, in __call__
2024-09-30 18:35:19     await route.handle(scope, receive, send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/routing.py", line 288, in handle
2024-09-30 18:35:19     await self.app(scope, receive, send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/routing.py", line 75, in app
2024-09-30 18:35:19     await wrap_app_handling_exceptions(app, request)(scope, receive, send)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 55, in wrapped_app
2024-09-30 18:35:19     raise exc
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 44, in wrapped_app
2024-09-30 18:35:19     await app(scope, receive, sender)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/starlette/routing.py", line 70, in app
2024-09-30 18:35:19     response = await func(request)
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/fastapi/routing.py", line 299, in app
2024-09-30 18:35:19     raise e
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/fastapi/routing.py", line 294, in app
2024-09-30 18:35:19     raw_response = await run_endpoint_function(
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/fastapi/routing.py", line 191, in run_endpoint_function
2024-09-30 18:35:19     return await dependant.call(**values)
2024-09-30 18:35:19   File "/app/./main.py", line 98, in login
2024-09-30 18:35:19     if await verify_signature(service):
2024-09-30 18:35:19   File "/app/./utils/flow.py", line 37, in verify_signature
2024-09-30 18:35:19     signature_is_valid = await utils.verify_user_signature(
2024-09-30 18:35:19   File "/usr/local/lib/python3.9/site-packages/flow_py_sdk/utils/verify_user_signature.py", line 33, in verify_user_signature
2024-09-30 18:35:19     cadence_message = cadence.String(str(message, "utf-8"))
2024-09-30 18:35:19 UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf8 in position 0: invalid start byt

@alexisprunier
Copy link
Author

To bring more context:

I am using this javacript library to handle the login:

"@onflow/fcl": "^1.11.0",

All the users of the app gets identified via the Dapper wallet.

It looks like, when you get logged, you get a signature based on a message composed of the wallet address, the app name (in this case, "mfl-assistant" and the nonce, generated by the backend of the app.

In our case, the message seems to be wrong. The content of it, in this flow.py file, hasn't changed. It has been working properly. The element that has change is the version of Flow and the version of the flow-py-sdk that has been upgraded.

Is that possible that:

  • The dapper login process is different so the message should be composed differently?
  • The new version of your library, with the new script, alters the provided message.

Would you have any suggestions?

Thanks in advance for your reply.

Regards,
Alexis

@alexisprunier
Copy link
Author

Hey, just a little up on that topic.

Btw, you can reproduce quite easily with docker by executing "docker compose up" from the ".docker" directory of the project on this branch:

https://github.com/alexisprunier/mfl-assistant/tree/home

Then you can go on the webapp and click the "login" button on the bottom left to trigger the piece of code.

Regards

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants