Currently, mobile wallets, like Phantom and Solflare, are signing MWA requests only if the authToken matches the selected account in the wallet app. If there is a mismatch, then the request will fail with an authToken invalid error.
This is actually incorrect behavior according to the MWA spec because the authToken is valid. See the repro for an example.
This is poor UX for users that could have multiple accounts for different dApps. Users are bound to encounter this issue and won't fully understand how to fix it (they need to switch back to 'Account 1' in the wallet app or disconnect from the wallet and reconnect with 'Account 2').
Repro/Video
Steps to repro:
User is currently selected on Wallet App Account 1
User connects to Wallet App on dApp and is authorized and given authToken Z
User switches back to Wallet App and switches to Account 2
User switches back to dApp and tries to authorize with authToken Z for signing/sending, and fails with SolanaMobileWalletAdapterError: -1/auth_token not valid for signing
Proposal/Fix
The wallet should conform to the MWA Spec and always sign a transaction if the authToken is valid (and sign with the authorized accounts). From the spec: "the wallet endpoint should sign the transactions with the private keys for the requested authorized account addresses, and return the signed transactions to the dapp endpoint."
When requested for signing, the wallet app should:
Check the transactions for requested account signatures
Check the authToken for authorized accounts
Sign the transactions with the private keys for the requested authorized accounts
Not to pick on Phantom here but the same confusing UX exists on desktop.
‘Connect’ website X to wallet A using the Phantom browser extension
Website X caches the authorized pubkey (eg. in localStorage)
Switch to wallet B in the Phantom browser extension
Having switched away from wallet A, the authorization that website X sought from the Phantom browser extension (eg. the pubkey of that account) is unusable until the user switches from wallet B back to wallet A.
As I move between websites and wallets in the Phantom UI, mismatches between the wallet a website received authorization for and the wallet that's currently selected in the Phantom browser extension are a persistent source of microaggression that contributes to the ecosystem feeling a bit janky. I'd love to see wallets simply honour the authorizations they dole out, when asked, as you've described.