feat(auth): validate user-provided auth signature

packages/shared/package.json

@@ -47,7 +47,8 @@
     "axios": "^1.6.8",
     "deep-equal": "^2.2.3",
     "ethers": "*",
-    "qs": "^6.12.1"
+    "qs": "^6.12.1",
+    "zod": "*"
   },
   "devDependencies": {
     "@typechain/ethers-v5": "^11.1.2",

packages/shared/src/index.ts

@@ -3,6 +3,7 @@ export * from './porter';
 export type * from './types';
 export * from './utils';
 export * from './web3';
+export * from './schemas';
 
 // Re-exports
 export {

packages/shared/src/schemas.ts

@@ -0,0 +1,4 @@
+import { z } from 'zod';
+
+export const ETH_ADDRESS_REGEXP = new RegExp('^0x[a-fA-F0-9]{40}$');
+export const EthAddressSchema = z.string().regex(ETH_ADDRESS_REGEXP);

packages/taco-auth/package.json

@@ -41,7 +41,8 @@
   "dependencies": {
     "@ethersproject/abstract-signer": "^5.7.0",
     "@nucypher/shared": "workspace:*",
-    "siwe": "^2.3.2"
+    "siwe": "^2.3.2",
+    "zod": "^3.22.4"
   },
   "devDependencies": {
     "@nucypher/test-utils": "workspace:*"

packages/taco-auth/src/auth-sig.ts

@@ -0,0 +1,18 @@
+import { EthAddressSchema } from '@nucypher/shared';
+import { z } from 'zod';
+
+import { EIP4361TypedDataSchema } from './providers/eip4361';
+import { EIP4361_AUTH_METHOD, EIP712_AUTH_METHOD } from './types';
+
+export const authSignatureSchema = z.object({
+  signature: z.string(),
+  address: EthAddressSchema,
+  scheme: z.enum([EIP712_AUTH_METHOD, EIP4361_AUTH_METHOD]),
+  typedData: z.union([
+    EIP4361TypedDataSchema,
+    // TODO(#536): Remove post EIP712 deprecation
+    z.unknown()
+  ])
+});
+
+export type AuthSignature = z.infer<typeof authSignatureSchema>;

packages/taco-auth/src/providers/eip4361.ts

@@ -1,10 +1,13 @@
 import { ethers } from 'ethers';
 import { generateNonce, SiweMessage } from 'siwe';
+import { z } from 'zod';
 
 import { LocalStorage } from '../storage';
 import { AuthSignature, EIP4361_AUTH_METHOD } from '../types';
 
-export type EIP4361TypedData = string;
+export const EIP4361TypedDataSchema = z.string();
+
+export type EIP4361TypedData = z.infer<typeof EIP4361TypedDataSchema>;
 
 export type EIP4361AuthProviderParams = {
   domain: string;

packages/taco/package.json

@@ -44,7 +44,7 @@
     "@nucypher/taco-auth": "workspace:*",
     "ethers": "*",
     "semver": "^7.5.2",
-    "zod": "^3.22.4"
+    "zod": "*"
   },
   "devDependencies": {
     "@nucypher/test-utils": "workspace:*",

packages/taco/src/conditions/const.ts

@@ -8,8 +8,6 @@ import {
 export const USER_ADDRESS_PARAM_EXTERNAL_EIP4361 =
   ':userAddressExternalEIP4361';
 
-export const ETH_ADDRESS_REGEXP = new RegExp('^0x[a-fA-F0-9]{40}$');
-
 // Only allow alphanumeric characters and underscores
 export const CONTEXT_PARAM_REGEXP = new RegExp('^:[a-zA-Z_][a-zA-Z0-9_]*$');
 
@@ -35,5 +33,4 @@ export const RESERVED_CONTEXT_PARAMS = [
   USER_ADDRESS_PARAM_EIP712,
   USER_ADDRESS_PARAM_EIP4361,
   // USER_ADDRESS_PARAM_EXTERNAL_EIP4361 is not reserved and can be used as a custom context parameter
-  // USER_ADDRESS_PARAM_EXTERNAL_EIP4361
 ];

packages/taco/src/conditions/shared.ts

@@ -1,3 +1,4 @@
+import { EthAddressSchema } from '@nucypher/shared';
 import {
   USER_ADDRESS_PARAM_DEFAULT,
   USER_ADDRESS_PARAM_EIP4361,
@@ -8,9 +9,6 @@ import { z } from 'zod';
 import {
   CONTEXT_PARAM_PREFIX,
   CONTEXT_PARAM_REGEXP,
-  ETH_ADDRESS_REGEXP,
-
-
 } from './const';
 
 export const contextParamSchema = z.string().regex(CONTEXT_PARAM_REGEXP);
@@ -41,8 +39,6 @@ export const returnValueTestSchema = z.object({
 
 export type ReturnValueTestProps = z.infer<typeof returnValueTestSchema>;
 
-const EthAddressSchema = z.string().regex(ETH_ADDRESS_REGEXP);
-
 const UserAddressSchema = z.enum([
   USER_ADDRESS_PARAM_EIP712,
   USER_ADDRESS_PARAM_EIP4361,