Problem
File: docs/mini-apps/quickstart/migrate-to-standard-web-app.mdx
Section: "Replace auth and identity" → SignIn.tsx code example
The example uses generateSiweNonce() on the client side:
const nonce = generateSiweNonce();
A client-generated nonce provides no replay protection. Any attacker who
intercepts a valid SIWE message+signature pair can resubmit it, because the
server has no record of which nonces it issued and so cannot tell a fresh
sign-in from a reused one (nor can it refuse a nonce the attacker chose).
Current behavior
The nonce is generated in the browser and never validated server-side.
The existing disclaimer is easy to miss and does not explain why the
current pattern is unsafe.
Expected behavior
Add a prominent warning block above the code example explaining that
client-side nonces offer no replay protection, OR replace the example
with a server-issued nonce pattern.
Impact
Developers following this migration guide verbatim will ship apps with
broken replay protection, exposing users to signature replay attacks.
References