# Sign in With Ethereum Community Call #6

### Date: 2021/11/18

### Agenda:

- [General] Reader Notes & Updates
- [General] Introductions
- [Show & Tell] SIWE Library
- [General] Q&A

### Reader Notes & Updates

- We should be moving EIP-4361 out of draft status shortly.
- If you’re interested in being listed as a supporter, reach out either on Discord or on Twitter.
- The Discord is still open for any async chat about SIWE.
- The library for SIWE is now available [here](https://github.com/spruceid/siwe)

### Additional Introductions

- [sidcode]
    - Appreciate the openness on the community calls. I am building a similar authentication service for Web3 which uses proof of location, proof of position of a device, and very excited about the effort and prototype. Have yet to check it out and looking forward to it.

### SIWE Library

- [Rocco]
    - First thing I'd love to get kicked off with is the [SIWE library](https://github.com/spruceid/siwe) and example application. As mentioned, we released an example on login.xyz of signing in with Ethereum, but now we have our library and example for anyone to take off the shelf. Included with this is the quickstart example that looks like Notepad from old Windows versions. I'll give a quick demonstration (demonstrates the quickstart example).
    - You should be redirected by default to `localhost:4361` as a nod to the EIP number. The clock in the lower right-hand corner works and the start menu links out to login.xyz. We included MetaMask and WalletConnect to have options off the shelf. If you connect via MetaMask you have the signature formatted in compliance with EIP-4361. Once you sign in, you should be able to type anything you want in the Notepad window, save that, disconnect, and once you reconnect, the text should reappear and should still be there. It's a fun toy, but we wanted to include it to show something off-the-shelf.
- [Wayne]
    - What we've done is give an example where you can persist some data, but in deeper cases it can be preferences for dapps or even a normal Web2 experience. For this example, it's saved on localhost in a text file, if you connect on another machine it won't show up again. It's a really simple localhost demonstration and we have a hosted version (notepad.spruceid.xyz). We're running the server so don't paste your favorite 12 words there.
    - We're going to go through a walkthrough of the library. This is the repository (showing the github.com/spruceid/siwe repo). It's a pretty standard NPM package and JavaScript library and has a bunch of tests such as negative and positive test cases. We're testing parsing and validation of the message, and we also have it in a language agnostic JSON format so if you wanted to write your library in a different language, you can use the test vectors.
    - If you look at the library it's straightforward, but what's nice about ABNF, we have literally what we have in the spec as the grammar. It's very rigid and pretty well understood. Most languages have ABNF parsers with production use-cases. That's ABNF - we also have a regex you can use to parse as well to maximize language compatibility.
    - We have a client that gets imported and everything is commented - we decided to release because we have an example that uses it. You can even fork our notepad example.
    - We've seen people implement the message generation, but not the validation, but we're more than happy to provide support for anyone using this.
    - I will now share brief changes on the actual specification. We need to fix the CI build and we should be good to go, and we linked all the previous resources. We wanted to make sure those artifacts were linked as well and once we fix the CI, we'll be moving it from draft status.

### Q&A

- [Greg @ Rivet]
    - Great work on all this stuff and thanks for the research as well.
      It's really helpful to more folks who are looking at that standard.
- [Wayne]
    - This work was great for the ecosystem because it sparked additional conversations around standards such as representing EIP-712 signatures. Ethereum transactions don't have to be the only things we sign - users can use their keys for many more things.
- [Ripley]
    - Curious - was there a protocol for testing because it slipped my mind! How do you guys go about testing and what does it look like for you?
- [Wayne]
    - We haven't started usability testing for the interface but we would love to start working on that. Now that it's out there, we'd love to see an issue in the GitHub even if it's a UX concern. We welcome you to open issues and discussions to be had in the public.

### Next Steps

- [Wayne]
    - We made a commitment to the ecosystem to get it shipped before the end of the year and we want to make sure people can use it securely. Part of this was looking at how people add authentication methods today - today one method is username and password. Another one is going to Google and they say it's okay. How would we add an additional authentication method - well a lot of them use libraries such as passport.js, Auth0, so we're building a lot of modules so people can use them right away. One of the biggest challenges is that SIWE can be more private than traditional login systems. You don't even have to give your primary address - and a lot of systems rely on email for password resets.

### Q&A pt. 2

- [Bill Ottman]
    - Just curious about how you're approaching mobile. We've had some issues with WalletConnect deeplinking but just curious about your thoughts on mobile.
- [Wayne]
    - Just to kind of level-set for everyone here: when you're trying to interact with a dapp or a SIWE-enabled app, if it's a browser extension, you can just do it, but if it's on your phone, it requires a different system.
      One of the most popular solutions is WalletConnect which sets up an encrypted link between your phone and the session you have in your browser. (References the screen-switch problem on mobile) - it would be better if we can batch the transactions and have a better UX there.
- [Caleb]
    - I just wanted to comment that the user experience using the demo was absolutely fantastic with Ledger. It's the first time I've seen Ledger Live work with a browser nicely and I'm able to sign using a hardware wallet.
    - (If there are more wallets please let us know to test out)
- (Question)
    - What about the Goerli testnet? Are there tests?
- [Ronin]
    - We are talking about the Goerli testnet - it's well supported and we're ready for such tests.
- [Wayne]
    - As part of the specification, we have a chainID field where you can specify the EVM number, so it can be great to have low-cost tests for smart contract wallets.
- (Question)
    - Do the new Safari extensions of iOS 15 change the lay of the land at all for signing on mobile?
- [Rocco]
    - We haven't tested it yet but looking forward to that testing.