From 34babd036e31bf91c181fd5332a4cdb112f23c5e Mon Sep 17 00:00:00 2001
From: Bas van den Aakster
Date: Fri, 12 Dec 2025 21:03:44 +0100
Subject: [PATCH] Fix: Auto-claim should not validate claim message format

Auto-claim was incorrectly using validateUsernameClaim() which expects 'claim:{username}:{timestamp}' message format. This failed when users tried to auto-claim via publishService or getService.

Now auto-claim only:
- Validates username format
- Verifies signature against the actual message
- Claims the username

This allows implicit username claiming on first authenticated request.
---
 src/rpc.ts | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/src/rpc.ts b/src/rpc.ts
index b176914..2c5f9a2 100644
--- a/src/rpc.ts
+++ b/src/rpc.ts
@@ -9,6 +9,7 @@ import {
 isVersionCompatible,
 verifyEd25519Signature,
 validateAuthMessage,
+ validateUsername,
 } from './crypto.ts';
 
 /**
@@ -67,18 +68,15 @@ async function verifyAuth(
 }
 
 // Validate username format before claiming
- const validation = await validateUsernameClaim(
- username,
- publicKey,
- signature,
- message
- );
+ const usernameValidation = validateUsername(username);
+ if (!usernameValidation.valid) {
+ return usernameValidation;
+ }
 
- if (!validation.valid) {
- return {
- valid: false,
- error: validation.error || 'Invalid username claim',
- };
+ // Verify signature against the current message (not a claim message)
+ const signatureValid = await verifyEd25519Signature(publicKey, signature, message);
+ if (!signatureValid) {
+ return { valid: false, error: 'Invalid signature for auto-claim' };
 }
 
 // Auto-claim the username
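Review bot: In the auto-claim branch of verifyAuth the signature is now checked only against the caller-supplied `message`, and nothing visible in this hunk ties that message to the `username` being claimed or to a recent timestamp, both of which the old `claim:{username}:{timestamp}` format carried. If `validateAuthMessage` (imported at the top of the file) does not run earlier in verifyAuth and enforce that binding, a previously captured signed request could be replayed to register an unclaimed name for that key; verifyAuth starts and ends outside the hunk, so this needs confirming there. I would record the precondition above the signature check, e.g. `// message has already passed validateAuthMessage (username + freshness); the signature covers that exact message`, or add the check here if it is missing. Separately, `return usernameValidation;` assumes validateUsername returns the same `{ valid, error }` shape as verifyAuth, which the old code built explicitly.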