Description
Is there an existing issue for this?
- I have searched the existing issues
SDK version
Using Lit JS SDK (master branch)
Lit Network
N/A (this is a unit test issue, not network-specific)
Description of the bug/issue
A test in lit-node-client-nodejs fails with the error message:
Invalid SIWE message. Missing expirationTime or issuedAt.
Specifically, the test suite:
❯ npx nx run lit-node-client-nodejs:test
FAIL lit-node-client-nodejs packages/lit-node-client-nodejs/src/lib/helpers/validate-bls-session-sigs.spec.ts
● BlsSessionSigVerify › should verify valid bls signatrue
Invalid SIWE message. Missing expirationTime or issuedAt.
It appears that the SIWE message in the test does not include issuedAt, which is required by the blsSessionSigVerify function. According to the logic in validate-bls-session-sig.ts, both expirationTime and issuedAt must be present.
Severity of the bug
This breaks the test for lit-node-client-nodejs, causing CI to fail unless the test is adjusted to include issuedAt in the SIWE message.
Steps To Reproduce
- Run
npx nx run lit-node-client-nodejs:test - Observe that
BlsSessionSigVerifytest fails withInvalid SIWE message. Missing expirationTime or issuedAt.
Link to code
Proposed fix
- Add
issuedAtto the SIWE message in the failing test. For example:
it(`should verify valid bls signatrue`, async () => {
expect(
await blsSessionSigVerify(
async (
publicKey: String,
message: Uint8Array,
signature: Uint8Array
): Promise<void> => {
expect(typeof publicKey).toBe('string');
expect(typeof message).toBe('object');
expect(typeof signature).toBe('object');
},
networkPubKey,
authSig,
new SiweMessage({
domain: 'localhost',
statement:
'litprotocol.com wants you to sign in with your Ethereum account:\n' +
'0xf087a967D9eA9445D9182692C2944DcC0Af57341\n' +
'\n' +
"Lit Protocol PKP session signature I further authorize the stated URI to perform the following actions on my behalf: I further authorize the stated URI to perform the following actions on my behalf: (1) 'Threshold': 'Execution' for 'lit-litaction://*'. (2) 'Threshold': 'Signing' for 'lit-pkp://*'. I further authorize the stated URI to perform the following actions on my behalf: (1) 'Threshold': 'Execution' for 'lit-litaction://*'. (2) 'Threshold': 'Signing' for 'lit-pkp://*'. (3) 'Auth': 'Auth' for 'lit-resolvedauthcontext://*'.\n",
address: authSig.address,
uri: 'lit:session:efebafcc9063827a49dffdb11c36b2d64a33330631ac7f5825e2960946bcc8ff',
version: '1',
nonce:
'0x1f623ab8dfe6bbd3b3dc22c7a041deb697c14817bce471b1bd1d86a25d5a319c',
expirationTime: new Date(
Date.now() + 1000 * 60 * 60 * 24 * 7
).toISOString(),
notBefore: new Date(Date.now()).toISOString(),
issuedAt: new Date().toISOString(), => Add issuedAt
})
)
).toBeUndefined();
});After adding issuedAt, the test should pass without throwing Invalid SIWE message. Missing expirationTime or issuedAt.
If for some reason we do not want issuedAt, we'd need to update the logic in blsSessionSigVerify to remove the strict requirement, but that seems less aligned with standard SIWE usage.
Anything else?
If there's any reason we shouldn't require issuedAt, we could discuss adjusting the validation. However, EIP-4361 (“Sign-In with Ethereum”) typically includes issuedAt, so adding it is likely the correct fix.