From 9e1dfcf091e10db60b06e1df1599bf787eaebb84 Mon Sep 17 00:00:00 2001
From: Nathan Woodburn <github@nathan.woodburn.au>
Date: Fri, 21 Jun 2024 11:27:07 +1000
Subject: [PATCH] feat: Update message to include session uuid

---
 website/routes.py           | 9 +++++++++
 website/templates/home.html | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/website/routes.py b/website/routes.py
index 0a8427c..c60dfa9 100644
--- a/website/routes.py
+++ b/website/routes.py
@@ -201,6 +201,15 @@ def hnsid():
     address = request.json.get("address")
     signature = request.json.get("signature")
     message = request.json.get("message")
+
+    # Make sure message is in the correct format
+    if not message.startswith("I am signing this message to log in to HNS Login as "):
+        print("Invalid message format")
+        return jsonify({"success": False})
+    if not message.endswith(session["uuid"]):
+        print("Invalid message format")
+        return jsonify({"success": False})
+
     # Verify the signature
     msg = encode_defunct(text=message)
     signer = Account.recover_message(msg, signature=signature).lower()
diff --git a/website/templates/home.html b/website/templates/home.html
index 35514b0..7a6ad2a 100644
--- a/website/templates/home.html
+++ b/website/templates/home.html
@@ -234,7 +234,7 @@
             // Send the address to the server
             console.log('Sending address to server', address);
             // Sign a message
-            const message = 'I am signing my one-time nonce: ' + Math.floor(Math.random() * 1000000) + ' to log in to HNS Login as ' + address;
+            const message = 'I am signing this message to log in to HNS Login as ' + address + ': {{uuid}}';
             const signature = await ethereum.request({
               method: 'personal_sign',
               params: [message, address],