Ethers.js: How to Verify Signature in Backend with Web3.py

ethers.jsmetamaskweb3js

I'm trying to implement a 'Login with Metamask' button on my dapp.

On the frontend I'm using ethers.js code:

 const provider = new ethers.providers.Web3Provider(window.ethereum);
    var [account] = await ethereum.request({
        method: 'eth_requestAccounts'
    });

    
 const signer = provider.getSigner(account);
 signature = await signer.signMessage("Hello World");

This as expected, generates a signed message hash (lets assume its: 0xec325c188547379c92df21225c624206ba68bb2a87994c7e2937375ad6fbe609109780a5ed6e9633c132708fd66d6edf2bd993e9ce346797e7e33448639f751d1c)

On the backend, I want to use web3.py to verify this address.

message_hash = web3.keccak(text="Hello World")
signature = 0xec325c188547379c92df21225c624206ba68bb2a87994c7e2937375ad6fbe609109780a5ed6e9633c132708fd66d6edf2bd993e9ce346797e7e33448639f751d1c
web3.eth.account.recoverHash(message_hash, signature=signature)

However, this doesnt quite work, and the address I receive back is different to the address that signed the original message.

>>> web3.eth.account.recoverHash(message, signature=signature)
'0xAA1A56093f7Dd7a8Df755c616ccdc295e0a2af5f'
>>>

How do I correctly verify the signature in web3.py and return the correct address that signed 'Hello World' in the frontend ethers.js code?

Best Answer

Thank you to the wonderful chinese website that explained this well and I figured it out.

from web3 import Web3, HTTPProvider
import sys
from eth_account.messages import defunct_hash_message

w3 = Web3() 

signature = sys.argv[1]

original_message = "Hello World"
message_hash = defunct_hash_message(text=original_message)

signer = w3.eth.account.recoverHash(message_hash, signature=signature)
return signer

Related Solutions

[Ethereum] account recovery with web3 privateKeyToAccount()

Use 0xfdba67e41f7c6767100969ae3f045d10a59e35d380acf5b37a3b208bd2969347 instead (with a 0x prefix) so web3 knows the format of the private key:

web3.eth.accounts.privateKeyToAccount('0xfdba67e41f7c6767100969ae3f045d10a59e35d380acf5b37a3b208bd2969347').address
"0xa6CDA44CEA3Ac87435d9fDF548B051dDE90D128F"

Web3js – Backend-Based Signature Verification: How to Implement?

From my perspective, you should include a wallet nonce to the signature message for a unique clarification. However, I believe it's best practice to use @metamask/eth-sig-util (https://www.npmjs.com/package/@metamask/eth-sig-util) for verify wallet signature. Also, each project has its own way of validating the wallet signature. Here is our method. For FE, I use https://wagmi.sh/react/hooks/useSignMessage for message signing, and for BE, I use metamask/eth-sig-util to do verification.

After user click connect metamask wallet:

FE will call a GET API from BE with query params is the "wallet_address" to get the nonce message.
BE return the nonce message for FE, e.g., "Welcome to ...., Here's a unique message ID: ${user_nonce}"
Then, FE will perform a POST request to BE to verify the user signature using wagmi and axios request as

import { useSignMessage, useWalletClient } from 'wagmi';

export const useEnhanceSignMessage = () => {
  const { signMessageAsync } = useSignMessage();
  const { data } = useWalletClient();

  // signMessageAsync required signer behind the scene, so we need to wait for signer to be ready
  if (data) {
    return { signMessageAsync };
  } else {
    return { signMessageAsync: null };
  }
};


const { signMessageAsync } = useEnhanceSignMessage();

const signature = await signMessageAsync({
       message: nonce as string,
});

res = await axios.post(`/v1/auth`, {
       signature: signature,
       walletAddress: address,
 });

Then, BE receives the signature string message from FE to validate as

const msg = `${defaultConfig.AUTH_MESSAGE.login} ${user.nonce}`;
const msgBufferHex = Buffer.from(msg, 'utf8').toString('hex');
let address = ''
 try {
   address = recoverPersonalSignature({
      data: msgBufferHex,
      signature: signature
   });
 } catch (err) {
    console.log(err);
    throw new UnauthorizedException("Error! Invalid signature");
 }

// Generate token or else.

Hope it helps you.

Related Topic