SIWE Discourse plugin update & user action item

Important: Because this release fixes security vulnerabilities, we advise all forums still running the original SpruceID Sign in with Ethereum Discourse plugin to upgrade to our new plugin immediately (instructions below). The ENS forum has already updated to the latest version. Details of the patched security vulnerabilities will be disclosed in 30 days.

User Action Needed: All users will have to reconnect their forum accounts to their Ethereum wallets to continue to use SIWE (instructions below).

Background

The original Sign in with Ethereum Discourse plugin by SpruceID (spruceid/discourse-siwe-auth) has been broken and unmaintained for some time: it no longer worked, had an outdated WalletConnect integration and broken ENS resolution, and did not work with smart contract wallets, among other issues. We also discovered multiple security vulnerabilities.

EthID, the ENS DAO Service Provider I joined a couple of weeks ago, took over management of the Sign in with Ethereum project last year (new website, Twitter, GitHub). We have now released a new version of the SIWE Discourse plugin (signinwithethereum/discourse-siwe-auth) with multiple updates:

What changed

Full UI rewrite. The old Web3Modal/wagmi stack was outdated and broken. We replaced it with a modern UI using wagmi v2. It supports any injected wallet (MetaMask, Rainbow, Rabby, etc.), as well as Safe, and optionally WalletConnect (just add a project ID in the settings).

Smart contract wallet support. Server-side EIP-1271 signature verification, so Safe multisig wallets and other contract wallets can now sign in.
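To show what the server-side EIP-1271 check amounts to, here is an added Ruby example (not the plugin's own code). It assumes an injected `eth_call` callable that takes (to, calldata_hex) and returns the hex return data of a JSON-RPC eth_call; FAKE_ETH_CALL, SAMPLE_HASH, KNOWN_WALLET and KNOWN_SIG are constructed stand-ins, and a SHA-256 digest stands in for the EIP-191 keccak256 hash of the SIWE message. The EOA path (ecrecover) is left out; only the contract-wallet path is shown.

```ruby
# Added example, not the plugin's own code: server-side EIP-1271 verification
# for a contract wallet. `eth_call` is an assumed injected callable that takes
# (to, calldata_hex) and returns hex return data; FAKE_ETH_CALL below is a
# constructed stand-in for a Safe-like wallet contract.
require 'digest'

# bytes4 selector of isValidSignature(bytes32,bytes); EIP-1271 also uses it as
# the "signature is valid" return value.
EIP1271_MAGIC = '1626ba7e'.freeze

def hex_to_bytes(hex)
  [hex.to_s.sub(/\A0x/i, '')].pack('H*')
end

def bytes_to_hex(bytes)
  bytes.unpack1('H*')
end

# One 32-byte ABI word holding an unsigned integer.
def abi_word(int)
  [int].pack('Q>').rjust(32, "\x00".b)
end

# ABI-encodes the calldata for isValidSignature(bytes32 hash, bytes signature).
def encode_is_valid_signature(hash32, signature)
  raise ArgumentError, 'hash must be 32 bytes' unless hash32.bytesize == 32
  padded_len = ((signature.bytesize + 31) / 32) * 32
  calldata  = hex_to_bytes(EIP1271_MAGIC)              # selector
  calldata += hash32.b                                  # static bytes32 argument
  calldata += abi_word(0x40)                            # offset of the dynamic `bytes` argument
  calldata += abi_word(signature.bytesize)              # its length
  calldata += signature.b.ljust(padded_len, "\x00".b)   # its data, right-padded to a word
  '0x' + bytes_to_hex(calldata)
end

# True only if the wallet contract answers with the magic value. A revert,
# an empty reply or any other return data counts as an invalid signature.
def contract_signature_valid?(wallet, hash32, signature, eth_call)
  reply = begin
    eth_call.call(wallet, encode_is_valid_signature(hash32, signature))
  rescue StandardError
    nil
  end
  return false if reply.nil?
  ret = hex_to_bytes(reply)
  ret.bytesize >= 32 && bytes_to_hex(ret[0, 4]) == EIP1271_MAGIC
end

# ---- constructed fixtures ---------------------------------------------------
# A SHA-256 digest stands in for the EIP-191 keccak256 hash of the SIWE message.
SAMPLE_HASH  = Digest::SHA256.digest('constructed SIWE message')
KNOWN_WALLET = '0x000000000000000000000000000000000000c0de'  # placeholder address
KNOWN_SIG    = hex_to_bytes('0xdeadbeef')                   # placeholder signature

# Fake eth_call: a wallet that decodes the calldata and accepts exactly KNOWN_SIG.
# Calldata layout: [0,4) selector, [4,36) hash, [36,68) offset, [68,100) length, [100,..) data.
FAKE_ETH_CALL = lambda do |to, data|
  raw = hex_to_bytes(data)
  raise 'execution reverted' unless bytes_to_hex(raw[0, 4]) == EIP1271_MAGIC
  sig_len = raw[68, 32][-8, 8].unpack1('Q>')
  sig = raw[100, sig_len]
  ok = to.downcase == KNOWN_WALLET && sig == KNOWN_SIG
  '0x' + (ok ? EIP1271_MAGIC + '0' * 56 : '0' * 64)
end
```

The point of the rescue and the length check is that anything other than an affirmative magic value, including a revert or a short reply from a non-contract address, must be treated as a failed login.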

Server-side ENS resolution. ENS names and avatars are now resolved on the server via the configured RPC endpoint, fixing flaky client-side resolution that relied on (often rate-limited) public RPCs. Avatars are fetched via the ENS Metadata Service, which handles all formats (IPFS, Arweave, NFTs). Forward verification (resolving the reverse-resolved name back to an address) ensures the name actually belongs to the signing address.
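The forward-verification step is the security-relevant one, because a reverse record is set by whoever controls the address and can claim any name. Here is an added Ruby example (not the plugin's own code) of reverse lookup followed by forward verification. It assumes a `resolver` object with two methods, `reverse(address)` and `forward(name)`, modelled on ENS reverse and forward resolution over the configured RPC; TableResolver, OWNER, IMPERSONATOR and SAMPLE_RESOLVER are constructed stand-ins, and names are assumed to be already normalized.

```ruby
# Added example, not the plugin's own code: ENS reverse lookup with forward
# verification. `resolver` is an assumed object exposing reverse(address) and
# forward(name); TableResolver below is a constructed in-memory stand-in for
# the on-chain lookups.

ADDRESS_RE = /\A0x[0-9a-f]{40}\z/i

# Lower-cases a hex address so checksummed and lower-case forms compare equal.
def normalize_address(addr)
  return nil unless addr.is_a?(String) && addr.match?(ADDRESS_RE)
  addr.downcase
end

# Returns the ENS name to display for `address`, or nil when there is no
# reverse record or when the name does not resolve back to the same address.
# The reverse record alone proves nothing; only the forward resolution ties
# the name to the signer.
def verified_ens_name(address, resolver)
  addr = normalize_address(address)
  return nil unless addr
  name = resolver.reverse(addr)
  return nil if name.nil? || name.strip.empty?
  normalize_address(resolver.forward(name)) == addr ? name : nil
end

# Constructed stand-in for the resolver.
class TableResolver
  def initialize(reverse_records, forward_records)
    @reverse = reverse_records.transform_keys(&:downcase)
    @forward = forward_records
  end

  def reverse(address)
    @reverse[address.downcase]
  end

  def forward(name)
    @forward[name]
  end
end

# Constructed fixture: honest.eth is owned by the signer at ...a1. A second
# address, ...b2, has set a reverse record claiming honest.eth, but the name
# still forward-resolves to ...a1 only. The forward record uses mixed case to
# show that the comparison is case-insensitive.
OWNER        = '0x00000000000000000000000000000000000000a1'
IMPERSONATOR = '0x00000000000000000000000000000000000000b2'
SAMPLE_RESOLVER = TableResolver.new(
  { OWNER => 'honest.eth', IMPERSONATOR => 'honest.eth' },
  { 'honest.eth' => '0x00000000000000000000000000000000000000A1' }
)
```

Given this fixture, the owner gets `honest.eth` displayed, the other address gets no name at all, and the two cases are indistinguishable by the reverse record alone.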

Security fixes. We identified and fixed critical vulnerabilities in how the old plugin handled account identity and authentication. Details will be disclosed in 30 days.

User action: Reconnect your account

Existing users who were using the old SIWE option with an ENS account will need to reconnect their wallet in their Discourse profile settings.

To do this:

  1. Log in to Discourse with your existing username and password.
  2. Go to your profile — click your avatar in the top-right corner, then click the person icon or your username.
  3. Click Preferences, then Account.
  4. Scroll down to the Associated Accounts section and click Connect for the SIWE connector. You may need to first delete the old SIWE connection.
  5. Select your wallet and approve the connection.
  6. Sign the message when prompted — this links your wallet address to your account.

Once reconnected, you can use Sign in with Ethereum going forward.

Installation (for forum maintainers)

If you’re already running the old SpruceID plugin, just swap the git URL in your app.yml:

hooks:
  after_code:
    - exec:
        cd: $home/plugins
        cmd:
          - sudo -E -u discourse git clone https://github.com/signinwithethereum/discourse-siwe-auth.git

Then rebuild:

cd /var/discourse
./launcher rebuild app

After rebuild, go to Admin > Settings and set siwe_ethereum_rpc_url to a dedicated Ethereum RPC endpoint (Alchemy, Infura, etc.). This is needed for ENS resolution and smart contract wallet support.
