From 54f3bedf38a2fe4c1a03e979e5f0503e0f8db367 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sat, 2 Sep 2023 17:31:39 -0500 Subject: [PATCH] verifySignature: return `false` if the id is invalid --- event.test.ts | 23 ++++++++++++++++++++++- event.ts | 8 +++++++- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/event.test.ts b/event.test.ts index 625447a..ca19e8c 100644 --- a/event.test.ts +++ b/event.test.ts @@ -278,6 +278,27 @@ describe('Event', () => { expect(isValid).toEqual(false) }) + + it('should return false for an invalid event id', () => { + const privateKey = 'd217c1ff2f8a65c3e3a1740db3b9f58b8c848bb45e26d00ed4714e4a0f4ceecf' + + const event = finishEvent( + { + kind: 1, + tags: [], + content: 'Hello, world!', + created_at: 1617932115, + }, + privateKey, + ) + + // tamper with the id + event.id = event.id.replace(/0/g, '1') + + const isValid = verifySignature(event) + + expect(isValid).toEqual(false) + }) }) describe('getSignature', () => { @@ -296,9 +317,9 @@ describe('Event', () => { const sig = getSignature(unsignedEvent, privateKey) // verify the signature - // @ts-expect-error const isValid = verifySignature({ ...unsignedEvent, + id: getEventHash(unsignedEvent), sig, }) diff --git a/event.ts b/event.ts index e0440fb..75dc650 100644 --- a/event.ts +++ b/event.ts @@ -115,8 +115,14 @@ export function validateEvent(event: T): event is T & UnsignedEvent { /** Verify the event's signature. This function mutates the event with a `verified` symbol, making it idempotent. */ export function verifySignature(event: Event): event is VerifiedEvent { if (typeof event[verifiedSymbol] === 'boolean') return event[verifiedSymbol] + + const hash = getEventHash(event) + if (hash !== event.id) { + return false + } + try { - event[verifiedSymbol] = schnorr.verify(event.sig, getEventHash(event), event.pubkey) + event[verifiedSymbol] = schnorr.verify(event.sig, hash, event.pubkey) return event[verifiedSymbol] } catch (err) { return false