From 233de9fdb1f8442a6c140662882571ed6d165ee4 Mon Sep 17 00:00:00 2001 From: Kewe63 Date: Tue, 14 Jul 2026 14:46:36 +0300 Subject: [PATCH] fix(docs): warn that client-side SIWE nonce provides no replay protection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 'Replace auth and identity' code example in the Base App migration guide generates the nonce in the browser with generateSiweNonce(). A client-issued nonce provides no replay protection — any attacker who captures a valid SIWE message + signature pair can replay it against the server, because the server has no record of which nonces it issued. Add a prominent block immediately before the code example explaining the security limitation and pointing developers at the Authenticate users guide for the server-issued nonce pattern. The existing disclaimer closer to the example is kept for context but the new is harder to miss. Fixes #1452 --- docs/apps/guides/migrate-to-standard-web-app.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/apps/guides/migrate-to-standard-web-app.mdx b/docs/apps/guides/migrate-to-standard-web-app.mdx index afe2fd066..88c0828ad 100644 --- a/docs/apps/guides/migrate-to-standard-web-app.mdx +++ b/docs/apps/guides/migrate-to-standard-web-app.mdx @@ -99,6 +99,10 @@ Your app uses the Farcaster SDK. The migration replaces Farcaster-specific auth, Farcaster sign-in and FID-based identity are not available in the Base App. Replace them with [SIWE](https://viem.sh/docs/siwe/utilities/createSiweMessage) for authentication and the connected wallet address for user identity. + + The example below generates the SIWE nonce in the browser with `generateSiweNonce()`. A client-issued nonce provides **no replay protection**: any attacker who captures a valid SIWE message + signature pair can replay it against your server, because the server has no record of which nonces it issued. Only use this pattern if your app does not require server-side sessions or replay protection. For verified, server-issued nonces, follow the [Authenticate users](/base-account/guides/authenticate-users) guide and confirm nonces server-side before accepting the SIWE message. + + Build, sign, and verify the SIWE message: ```tsx SignIn.tsx lines expandable wrap highlight={1,9,14-18,33-34}