ethereum/go-ethereum

Implement EIP 4361

Open

#24132 · created on 20 December 2021

Labels: good first issue, type:feature

Description

We should look into implementing EIP 4361 in Clef:

Sign-In with Ethereum describes how Ethereum accounts authenticate with off-chain services by signing a standard message format parameterized by scope, session details, and security mechanisms (e.g., a nonce).

The goals of this specification are to provide a self-custodied alternative to centralized identity providers, improve interoperability across off-chain services for Ethereum-based authentication, and provide wallet vendors a consistent machine-readable message format to achieve improved user experiences and consent management.

This should already work out of the box (since it's just signing a text message), however:

  • The full message MUST be checked for conformance to the ABNF above.
  • Wallet implementers SHOULD warn users if the substring "wants you to sign in with your Ethereum account" appears anywhere in an EIP-191 message signing request unless the message fully conforms to the format defined in EIP-4361.
  • Wallet implementers MUST prevent phishing attacks by matching on the domain term when processing a signing request. For example, when processing the message beginning with "service.org wants you to sign in...", the wallet checks that the request actually originated from service.org.
  • The domain SHOULD be read from a trusted data source such as the browser window or over WalletConnect (EIP-1328) sessions for comparison against the signing message contents.
  • Wallet implementers MAY construct a custom Sign-In With Ethereum user interface by parsing the ABNF terms into data elements for use in the interface. The display rules above still apply to custom interfaces.

Reference implementation + testcases here: https://github.com/spruceid/siwe
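A wallet-side check for the three rules quoted above, written as an added example (not Clef's code and not the siwe reference implementation): it parses the EIP-4361 layout, flags the sign-in phrase when it appears in a non-conformant message, and compares the message's domain with the origin the request actually came from. The sample message and the `trustedOrigin` parameter are constructed for the example; resource lists and EIP-55 address checksum validation are left out.

```go
package main

import "fmt"
import "strings"
const siwePhrase = " wants you to sign in with your Ethereum account:"
// Metadata keys defined by EIP-4361; resource lists are left out for brevity.
var known = map[string]bool{"URI": true, "Version": true, "Chain ID": true, "Nonce": true, "Issued At": true, "Expiration Time": true, "Not Before": true, "Request ID": true}
// Constructed sample in the EIP-4361 layout; the values are illustrative.
const sampleMessage = `service.org wants you to sign in with your Ethereum account:
0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2

I accept the ServiceOrg Terms of Service: https://service.org/tos

URI: https://service.org/login
Version: 1
Chain ID: 1
Nonce: 32891756
Issued At: 2021-09-30T16:25:24Z`
// Check applies the wallet rules quoted in the issue: a non-conformant message that carries the
// sign-in phrase fails with a warning, and a conformant one must name trustedOrigin as its domain.
func Check(msg, trustedOrigin string) (map[string]string, error) {
	var warn string // set when the phrase is present, so any parse failure is suspicious
	if strings.Contains(msg, strings.TrimSuffix(siwePhrase, ":")) {
		warn = "WARN: sign-in phrase in non-conformant message; "
	}
	lines := strings.Split(msg, "\n")
	if len(lines) < 2 || !strings.HasSuffix(lines[0], siwePhrase) {
		return nil, fmt.Errorf("siwe: %smissing header line", warn)
	}
	f := map[string]string{"Domain": strings.TrimSuffix(lines[0], siwePhrase), "Address": lines[1]}
	for _, l := range lines[2:] {
		k, v, ok := strings.Cut(l, ": ")
		switch {
		case l == "":
		case ok && known[k]: // metadata line, e.g. "Nonce: 32891756"
			f[k] = v
		case len(f) == 2: // the single optional statement line, before any metadata
			f["Statement"] = l
		default:
			return nil, fmt.Errorf("siwe: %sunexpected line %q", warn, l)
		}
	}
	if f["URI"] == "" || f["Version"] != "1" || f["Chain ID"] == "" || len(f["Nonce"]) < 8 || f["Issued At"] == "" {
		return nil, fmt.Errorf("siwe: %smissing or invalid required field", warn)
	}
	if !strings.EqualFold(f["Domain"], trustedOrigin) {
		return nil, fmt.Errorf("siwe: domain %q does not match request origin %q", f["Domain"], trustedOrigin)
	}
	return f, nil
}
```

In Clef the value passed as `trustedOrigin` would have to come from a trusted channel (browser window or WalletConnect session), never from the message itself.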

