Mintbase/mintbase-js

Return User Signature as a URL Fragment Instead of Query Parameter

zavodil opened this issue · 5 comments

When invoking the signMessage function in Bitte Wallet, the user's signature is currently being returned in the URL as a query parameter. For example:

http://callbackUrl?signature=<signature>

Returning sensitive information like a user's signature in the URL query parameters introduces security concerns:

  • Logging Risks: Query parameters are often logged by web servers, proxies, and even browsers, which could inadvertently expose sensitive information.
  • History Storage: URLs with query parameters can be stored in the browser's history, further increasing the risk of unintentional leakage.

Proposed Solution:
To mitigate these risks, it would be more secure to return the signature as a URL fragment (hash). For example:

http://callbackUrl#signature=<signature>
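An added example (not code from Bitte Wallet or mintbase-js) of the change the issue asks for: a wallet-side helper that puts the signed-message result in the fragment of callbackUrl, a dApp-side parser that reads it back, a helper that shows which part of a URL the server behind callbackUrl (and any proxy in between) actually receives, and a helper that strips the fragment so the signature does not stay in the address bar or history. Only `signature` comes from the issue; `accountId` and the helper names are assumptions.

```javascript
// Added example, not Bitte Wallet / mintbase-js code. Field names other than
// "signature" (e.g. accountId) are assumptions.

// Wallet side: redirect to callbackUrl with the result in the URL fragment.
// Browsers never send the fragment in the HTTP request, so it does not reach
// the callback server's access logs or intermediary proxies the way a query
// string (?signature=...) does.
function buildCallbackUrl(callbackUrl, result) {
  const url = new URL(callbackUrl);
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(result)) params.set(key, value);
  url.hash = params.toString(); // setter adds the leading '#'
  return url.toString();
}

// dApp side: read the result back out of the fragment of the current URL.
function parseCallbackFragment(href) {
  const url = new URL(href);
  const raw = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  const result = {};
  for (const [key, value] of new URLSearchParams(raw)) result[key] = value;
  return result;
}

// The part of a URL that leaves the browser in the request line: origin, path
// and query string. The fragment is dropped, which is the whole point.
function serverVisiblePart(href) {
  const url = new URL(href);
  return url.origin + url.pathname + url.search;
}

// Same URL without the fragment, to hand to history.replaceState after the
// dApp has consumed the signature, so it no longer sits in the address bar.
function stripFragment(href) {
  const url = new URL(href);
  url.hash = '';
  return url.toString();
}
```

In a browser the dApp would call `parseCallbackFragment(location.href)` once on load and then `history.replaceState(null, '', stripFragment(location.href))`; neither call is made here so the block also runs under Node. Two caveats remain: any script running on the callback page (including third-party scripts) can still read `location.hash` before it is cleared, and `replaceState` only rewrites the current history entry, so the dApp should consume and strip the fragment as early as possible.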

This has been addressed on the wallet.

Yes, signing the message with the existing account is working fine now.

Could you please check the following scenario:

  • Logout in the Bitte wallet
  • Go to demo.fastnear.ai -> Sign in -> Bitte
  • Create a new account and sign

In my case, the browser showed an error "Application error: a client-side exception has occurred (see the browser console for more information).", and the URL changed to this: https://wallet.bitte.ai/account/new?auth_url=https://wallet.bitte.ai/sign-message?message=Are+you+ready+to+accelerate%3F&nonce=MDAwMDAwMDAwMDAwMDAwMDAwMDE3MjY2ODEzMDQ4NDM%3D&recipient=ai.near&callbackUrl=https%3A%2F%2Fdemo.fastnear.ai

will take a look @zavodil

should be fixed @zavodil. Thanks for reporting this issue.

@sainthiago yes, thank you, it works great!