Security

Best Practices

  1. Never expose client secrets: Store OAuth secrets server-side only

  2. Validate on both sides: Check attestations client-side and on-chain

  3. Use HTTPS in production: Required for OAuth and wallet connections

  4. Implement rate limiting: Prevent abuse of verification endpoints

  5. Monitor attestations: Track verification patterns for anomalies

OAuth Security

The SDK implements several security measures:

  • CSRF Protection: State parameter validation

  • PKCE for Twitter: Prevents authorization code interception

  • HttpOnly Cookies: Access tokens stored securely

  • Origin Validation: Included but commented out; enable it before going to production

  • Timeout Protection: 5-minute OAuth timeout

  • Secure postMessage: Origin-checked token transfer

Production Checklist:

  1. Uncomment origin validation in oauth.ts:

     // Uncomment this line:
     // if (event.origin !== window.location.origin) return;

  2. Use environment-specific callback URLs

  3. Rotate OAuth secrets regularly

  4. Monitor failed authentication attempts

Signature Validation

Attestations use EIP-712 typed-data signatures. Signatures are created server-side and verified on-chain.
