AuthJS Backend fails to Verify signed challenge

[sagilefl]

I am trying to implement login with wallet for a web app.
I followed the steps mentioned here: https://web3auth.io/docs/server-side-verification/external-wallets#getting-siwweb3message-from-the-authjs-backend but when I call the Verify signed challenge API I receive response:

{
    "error": {},
    "success": false
}

Steps to Reproduce
Steps to reproduce the behavior:

1. Postman: do a POST call to https://auth-js-backend.tor.us/siww/get with the following JSON body:

{
  "network": "ethereum",
  "header": {
    "t": "eip155"
  },
  "payload": {
    "domain": "localhost:3000",
    "uri": "http://localhost:3000/",
    "address": "<Metamask wallet address>",
    "chainId": 1,
    "version": "1",
    "nonce": "does-not-matter-here",
    "issuedAt": "2022-08-04T17:09:38.578Z"
  }
}

response:

{
    "challenge": "localhost:3000 wants you to sign in with your Ethereum account:\n<Metamask wallet address>\n\n\nURI: http://localhost:3000/\nVersion: 1\nChain ID: 1\nNonce: NHkzpL6sYn0Z14VJs\nIssued At: 2022-08-04T17:09:38.578Z",
    "success": true
}

2. Take the challenge string from the response and sign it with the meta mask wallet -> save the signed string, it looks something like 0x9c85a95c434715f26eeef....
3. Postman: call POST https://auth-js-backend.tor.us/siww/verify with the following JSON body:

{
  "message": "localhost:3000 wants you to sign in with your Ethereum account:\n<Metamask wallet address>\n\n\nURI: http://localhost:3000/\nVersion: 1\nChain ID: 1\nNonce: NHkzpL6sYn0Z14VJs\nIssued At: 2022-08-04T17:09:38.578Z",
  "signature": {
    "s": "<signed string from step 2>",
    "t": "eip191"
  },
  "network": "ethereum"
}

response:

{
    "error": {},
    "success": false
}

The expected response is a JWT token to be used by the signed-in user.

[YZhenY]

@1swaraj

[1swaraj]

We have just released a fix for this.
This might have happened because the auth-js backend had a small timeout.
However the error messages were missing we just added those.

[sagilefl]

I could finally get a token back from the API :)
However whenever you have time it would be great to get clarifications regarding my questions above...

[YZhenY]

@1swaraj

[1swaraj]

@sagitoptal
The payload is supposed to as per the CACAO - Chain Agnostic Standard
The point here is that wallets will also implement the same standard.
Currently issuedAt should conform to ISO-8601 and if you don't submit it we just fill it ourselves.
The significance of uri and domain is that the wallets can actually verify it (some point in the future)
version "1" is correct. This field is there for extensibility purposes.
-> Is there a time limit between getting the challenge from the /siww/get API until calling the /siww/verify API?
Yes there is a time limit which was 60s earlier, we have now increased it to 120s.

[sagilefl]

@1swaraj thanks for the information, it is really helpful. I guess that the 60 seconds expiration of the nonce coming from the /siww/get API was the reason I could not make it work when I tested it manually.
I think it would be helpful to others if you mention the time limit, the optional issuedAt filed and the other fields description in the documentation

[1swaraj]

Sure will add it thanks for the feedback