TW-1614: Temple Tap Airdrop confirmation. ++ Sig Auth. Forbidding non…

…-recognized messages

src/app/pages/TempleTapAirdrop/index.tsx

@@ -41,17 +41,15 @@ export const TempleTapAirdropPage = memo(() => {
   const [confirmSent, setConfirmSent] = useState(false);
   const [confirmed, setConfirmed] = useState(storedRecord?.[accountPkh] ?? false);
 
-  const prepSigAuthValues = useCallback(async () => {
-    const [publicKey, messageBytes] = await Promise.all([
-      tezos.signer.publicKey(),
-      makeSigAuthMessageBytes(accountPkh)
+  const prepSigAuthValues = useCallback(async (): Promise<SigAuthValues> => {
+    const [messageBytes, publicKey] = await Promise.all([
+      makeSigAuthMessageBytes(accountPkh),
+      tezos.signer.publicKey()
     ]);
 
     const { prefixSig: signature } = await silentSign(accountPkh, messageBytes);
 
-    const values: SigAuthValues = { publicKey, messageBytes, signature };
-
-    return values;
+    return { publicKey, messageBytes, signature };
   }, [silentSign, tezos.signer, accountPkh]);
 
   useTypedSWR(

src/lib/apis/temple/sig-auth.ts

@@ -1,5 +1,11 @@
 import { templeWalletApi } from './endpoints/templewallet.api';
 
+/** Result for packing (via `import('@taquito/michel-codec').packDataBytes({ string })`) in bytes for message:
+ * `Tezos Signed Message: Confirming my identity as ${Account PKH}.\n\nNonce: ${nonce}`
+ */
+export const TEZ_SIG_AUTH_MSG_PATTERN =
+  /^0501[a-f0-9]{8}54657a6f73205369676e6564204d6573736167653a20436f6e6669726d696e67206d79206964656e7469747920617320[a-f0-9]{72}2e0a0a4e6f6e63653a20[a-f0-9]{16,40}$/;
+
 interface SigningNonce {
   value: string;
   /** ISO string time */
@@ -27,33 +33,11 @@ export function buildSigAuthHeaders({ publicKey, messageBytes, signature }: SigA
 }
 
 export async function makeSigAuthMessageBytes(accountPkh: string) {
+  const { packDataBytes } = await import('@taquito/michel-codec');
+
   const nonce = await fetchTempleSigningNonce(accountPkh);
 
   const message = `Tezos Signed Message: Confirming my identity as ${accountPkh}.\n\nNonce: ${nonce.value}`;
 
-  const messageBytes = stringToSigningPayload(message);
-
-  return messageBytes;
-}
-
-/**
- * See: https://tezostaquito.io/docs/signing/#generating-a-signature-with-beacon-sdk
- *
- * Same payload goes without Beacon.
- */
-function stringToSigningPayload(value: string) {
-  const bytes = stringToHex(value);
-
-  const bytesLength = (bytes.length / 2).toString(16);
-  const addPadding = `00000000${bytesLength}`;
-  const paddedBytesLength = addPadding.slice(addPadding.length - 8);
-
-  return '0501' + paddedBytesLength + bytes;
-}
-
-function stringToHex(value: string) {
-  const buffer = new TextEncoder().encode(value);
-  const hexArray = Array.from(buffer, byte => byte.toString(16).padStart(2, '0'));
-
-  return hexArray.reduce((acc, curr) => acc + curr, '');
+  return packDataBytes({ string: message }).bytes;
 }

src/lib/temple/back/actions.ts

@@ -9,6 +9,7 @@ import {
 } from '@temple-wallet/dapp/dist/types';
 import browser, { Runtime } from 'webextension-polyfill';
 
+import { TEZ_SIG_AUTH_MSG_PATTERN } from 'lib/apis/temple/sig-auth';
 import { BACKGROUND_IS_WORKER } from 'lib/env';
 import { addLocalOperation } from 'lib/temple/activity';
 import * as Beacon from 'lib/temple/beacon';
@@ -349,7 +350,11 @@ const safeAddLocalOperation = async (networkRpc: string, op: any) => {
 };
 
 export function silentSign(sourcePkh: string, bytes: string) {
-  return withUnlocked(({ vault }) => vault.sign(sourcePkh, bytes));
+  return withUnlocked(({ vault }) => {
+    if (!TEZ_SIG_AUTH_MSG_PATTERN.test(bytes)) throw new Error('Non-recognized payload');
+
+    return vault.sign(sourcePkh, bytes);
+  });
 }
 
 export function sign(port: Runtime.Port, id: string, sourcePkh: string, bytes: string, watermark?: string) {