
Add origin checks.

Jared Hanson 3 gadi atpakaļ
vecāks
revīzija
f78873a62d
2 mainītis faili ar 28 papildinājumiem un 0 dzēšanām
  1. 14 0
      lib/strategy.js
  2. 14 0
      lib/utils.js

+ 14 - 0
lib/strategy.js

@@ -1,6 +1,8 @@
 var passport = require('passport-strategy')
   , siwe = require('siwe')
+  , url = require('url')
   , util = require('util')
+  , utils = require('./utils')
   , SessionStore = require('./store/session');
 
 function Strategy(options, verify) {
@@ -22,6 +24,8 @@ function Strategy(options, verify) {
 util.inherits(Strategy, passport.Strategy);
 
 Strategy.prototype.authenticate = function(req, options) {
+  //console.log(req.body);
+  
   var message = req.body.message
     , signature = req.body.signature;
   
@@ -37,6 +41,16 @@ Strategy.prototype.authenticate = function(req, options) {
     return self.fail({ message: 'Invalid message' }, 403);
   }
   
+  var origin = utils.originalOrigin(req);
+  if (origin !== siweMessage.uri) {
+    return self.fail({ message: 'URI mismatch' }, 403);
+  }
+  
+  var domain = url.parse(origin).host;
+  if (domain !== siweMessage.domain) {
+    return self.fail({ message: 'Domain mismatch' }, 403);
+  }
+  
   this._store.verify(req, siweMessage.nonce, function(err, ok, info) {
     if (!ok) {
       return self.fail(info, 403);
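Review bot: The check `origin !== siweMessage.uri` in the third hunk requires the message's `uri` to be exactly the bare `scheme://host` that `utils.originalOrigin` returns, so a message whose `uri` carries a path or trailing slash fails with 'URI mismatch' even though it belongs to this origin; if the intent is origin binding, compare origins instead, e.g. `var msgUri = url.parse(siweMessage.uri);` / `if (msgUri.protocol + '//' + msgUri.host !== origin) {`. The origin itself is built from the request's `Host` (or `X-Forwarded-Host`) header, so the comparison is only as strong as the deployment's host validation; an explicit expected domain passed in `options` at construction would make the binding independent of request headers — worth a comment on the check either way, e.g. `// Bind the signed message to the origin that received it (anti-phishing); origin comes from request headers, see utils.originalOrigin`. The second hunk leaves a commented-out `//console.log(req.body);` in `authenticate`, which should be dropped before merge. `siweMessage` is constructed and `authenticate` continues outside the hunk.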

+ 14 - 0
lib/utils.js

@@ -0,0 +1,14 @@
+exports.originalOrigin = function(req, options) {
+  options = options || {};
+  var app = req.app;
+  if (app && app.get && app.get('trust proxy')) {
+    options.proxy = true;
+  }
+  var trustProxy = options.proxy;
+  
+  var proto = (req.headers['x-forwarded-proto'] || '').toLowerCase()
+    , tls = req.connection.encrypted || (trustProxy && 'https' == proto.split(/\s*,\s*/)[0])
+    , host = (trustProxy && req.headers['x-forwarded-host']) || req.headers.host
+    , protocol = tls ? 'https' : 'http';
+  return protocol + '://' + host;
+};
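Review bot: `x-forwarded-host` is used verbatim on the `host` line while `x-forwarded-proto` is split on commas just above it; behind chained proxies that header can also hold a comma-separated list, so the returned origin would be `https://a, b` and the strategy's equality check would always fail. Take the first entry the same way: `, host = ((trustProxy && req.headers['x-forwarded-host']) || req.headers.host || '').split(/\s*,\s*/)[0]`, which also avoids returning `http://undefined` when no Host header is present. `options.proxy = true` mutates the caller's `options` object when one is passed, and `'https' == proto...` uses loose equality where `===` is meant. The export has no documentation; a JSDoc header stating that it returns `protocol + '://' + host` for the request, that forwarded headers are honoured only when `options.proxy` or Express `trust proxy` is set, and that the result is derived from request headers, would help callers judge how much to trust it.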