feat(entrykit): validate signature (#3632)

frolic · web-flow · commit 454387765857 · 2025-03-18T05:50:47.000-07:00
diff --git a/.changeset/wet-monkeys-destroy.md b/.changeset/wet-monkeys-destroy.md
@@ -0,0 +1,5 @@
+---
+"@latticexyz/entrykit": patch
+---
+
+Exported an internal method to validate signatures for login flows that use session signer on behalf of user accounts.
diff --git a/packages/entrykit/src/exports/internal.ts b/packages/entrykit/src/exports/internal.ts
@@ -15,3 +15,4 @@ export { createWagmiConfig, type CreateWagmiConfigOptions } from "../createWagmi
 // And some additional internal things
 export * from "../getConnectors";
 export * from "../getWallets";
+export * from "../validateSigner";
diff --git a/packages/entrykit/src/onboarding/getDelegation.ts b/packages/entrykit/src/onboarding/getDelegation.ts
@@ -1,20 +1,29 @@
-import { Address, Chain, Client, Transport } from "viem";
+import { Address, Client } from "viem";
 import { getRecord } from "@latticexyz/store/internal";
 import { unlimitedDelegationControlId, worldTables } from "../common";
 
 export type GetDelegationParams = {
-  client: Client<Transport, Chain>;
+  client: Client;
   worldAddress: Address;
   userAddress: Address;
   sessionAddress: Address;
+  blockTag?: "pending" | "latest";
 };
 
-export async function getDelegation({ client, worldAddress, userAddress, sessionAddress }: GetDelegationParams) {
+// TODO: rename to `hasDelegation`?
+export async function getDelegation({
+  client,
+  worldAddress,
+  userAddress,
+  sessionAddress,
+  // TODO: move everything to latest instead of pending
+  blockTag = "pending",
+}: GetDelegationParams) {
   const record = await getRecord(client, {
     address: worldAddress,
     table: worldTables.UserDelegationControl,
     key: { delegator: userAddress, delegatee: sessionAddress },
-    blockTag: "pending",
+    blockTag,
   });
   return record.delegationControlId === unlimitedDelegationControlId;
 }
diff --git a/packages/entrykit/src/validateSigner.ts b/packages/entrykit/src/validateSigner.ts
@@ -0,0 +1,59 @@
+import { Address, Client } from "viem";
+import { readContract } from "viem/actions";
+import { getDelegation } from "./onboarding/getDelegation";
+
+/**
+ * @internal
+ */
+export async function internal_validateSigner({
+  client,
+  worldAddress,
+  userAddress,
+  sessionAddress,
+  signerAddress,
+}: {
+  client: Client;
+  worldAddress: Address;
+  userAddress: Address;
+  sessionAddress: Address;
+  signerAddress: Address;
+}) {
+  const ownerAddress = await readContract(client, {
+    address: sessionAddress,
+    abi: simpleAccountAbi,
+    functionName: "owner",
+  });
+
+  if (ownerAddress.toLowerCase() !== signerAddress.toLowerCase()) {
+    throw new Error(`Session account owner (${ownerAddress}) does not match message signer (${signerAddress}).`);
+  }
+
+  const hasDelegation = await getDelegation({
+    client,
+    worldAddress,
+    sessionAddress,
+    userAddress,
+    blockTag: "latest",
+  });
+
+  if (!hasDelegation) {
+    throw new Error(`Session account (${sessionAddress}) does not have delegation for user account (${userAddress}).`);
+  }
+}
+
+// TODO: import ABI once we can get strongly typed JSON or expose `getOwner` or similar method on smart account
+const simpleAccountAbi = [
+  {
+    inputs: [],
+    name: "owner",
+    outputs: [
+      {
+        internalType: "address",
+        name: "",
+        type: "address",
+      },
+    ],
+    stateMutability: "view",
+    type: "function",
+  },
+] as const;
