Increase auth nonce entropy (#1383)

Increases the nonce entropy the auth implementation to match that of the official SiWe implementation (18 characters).
safe-global · Apr 10, 2024 · 3358128 · 3358128
1 parent 4d143d0
commit 3358128
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/src/datasources/auth-api/siwe-api.service.ts b/src/datasources/auth-api/siwe-api.service.ts
@@ -7,7 +7,24 @@ import { verifyMessage } from 'viem';
 
 @Injectable()
 export class SiweApi implements IAuthApi {
-  private static readonly NONCE_LENGTH = 8;
+  /**
+   * The official SiWe implementation uses a nonce length of 17:
+   *
+   * > 96 bits has been chosen as a number to sufficiently balance size and security
+   * > considerations relative to the lifespan of it's usage.
+   *
+   * ```
+   * const ALPHANUMERIC = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+   * const length = Math.ceil(96 / (Math.log(ALPHANUMERIC.length) / Math.LN2)) // 17
+   * ```
+   *
+   * @see https://github.com/spruceid/siwe/blob/0e63b05cd3c722abd282dd1128aa8878648a8620/packages/siwe/lib/utils.ts#L36-L53
+   * @see https://github.com/StableLib/stablelib/blob/5243520e343c217b6a751464dec1bc980cb510d8/packages/random/random.ts#L80-L99
+   *
+   * As we rely on typed arrays to generate random values, we must use an even number.
+   * We therefore use a length of 18 to be compatible and remain as similar as possible.
+   */
+  private static readonly NONCE_LENGTH = 18;
 
   constructor(
     @Inject(LoggingService)