Fix: Auto-claim should not validate claim message format

Auto-claim was incorrectly using validateUsernameClaim() which expects 'claim:{username}:{timestamp}' message format. This failed when users tried to auto-claim via publishService or getService. Now auto-claim only: - Validates username format - Verifies signature against the actual message - Claims the username This allows implicit username claiming on first authenticated request.
2025-12-13 20:33:25 +00:00 · 2025-12-12 21:03:44 +01:00
parent 876ac2602c
commit 34babd036e
1 changed files with 9 additions and 11 deletions
--- a/src/rpc.ts
+++ b/src/rpc.ts
@@ -9,6 +9,7 @@ import {
  isVersionCompatible,
  verifyEd25519Signature,
  validateAuthMessage,
+  validateUsername,
 } from './crypto.ts';

 /**
@@ -67,18 +68,15 @@ async function verifyAuth(
    }

    // Validate username format before claiming
-    const validation = await validateUsernameClaim(
-      username,
-      publicKey,
-      signature,
-      message
-    );
+    const usernameValidation = validateUsername(username);
+    if (!usernameValidation.valid) {
+      return usernameValidation;
+    }

-    if (!validation.valid) {
-      return {
-        valid: false,
-        error: validation.error || 'Invalid username claim',
-      };
+    // Verify signature against the current message (not a claim message)
+    const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
+    if (!signatureValid) {
+      return { valid: false, error: 'Invalid signature for auto-claim' };
    }

    // Auto-claim the username