fix: replace publicKey with w3id (#430)

coodos · web-flow · commit ec9e514aebd7 · 2025-11-14T14:00:10.000+05:30
diff --git a/platforms/evoting-api/src/controllers/SigningController.ts b/platforms/evoting-api/src/controllers/SigningController.ts
@@ -93,13 +93,13 @@ export class SigningController {
     // Handle signed payload callback from eID Wallet
     async handleSignedPayload(req: Request, res: Response) {
         try {
-            const { sessionId, signature, publicKey, message } = req.body;
+            const { sessionId, signature, w3id, message } = req.body;
             
-            if (!sessionId || !signature || !publicKey || !message) {
+            if (!sessionId || !signature || !w3id || !message) {
                 const missingFields = [];
                 if (!sessionId) missingFields.push('sessionId');
                 if (!signature) missingFields.push('signature');
-                if (!publicKey) missingFields.push('publicKey');
+                if (!w3id) missingFields.push('w3id');
                 if (!message) missingFields.push('message');
                 
                 return res.status(400).json({
@@ -112,7 +112,7 @@ export class SigningController {
             const result = await this.ensureService().processSignedPayload(
                 sessionId, 
                 signature, 
-                publicKey, 
+                w3id, 
                 message
             );
 
diff --git a/platforms/evoting-api/src/services/SigningService.ts b/platforms/evoting-api/src/services/SigningService.ts
@@ -17,7 +17,7 @@ export interface SigningSession {
 export interface SignedPayload {
     sessionId: string;
     signature: string;
-    publicKey: string;
+    w3id: string;
     message: string;
 }
 
@@ -112,7 +112,7 @@ export class SigningService {
         return session;
     }
 
-    async processSignedPayload(sessionId: string, signature: string, publicKey: string, message: string): Promise<SigningResult> {
+    async processSignedPayload(sessionId: string, signature: string, w3id: string, message: string): Promise<SigningResult> {
         const session = await this.getSession(sessionId);
         
         if (!session) {
@@ -128,7 +128,7 @@ export class SigningService {
         }
         
         try {
-            // 🔐 SECURITY ASSERTION: Verify that the publicKey matches the user's ename who created the session
+            // 🔐 SECURITY ASSERTION: Verify that the w3id matches the user's ename who created the session
             try {
                 const { UserService } = await import('./UserService');
                 const userService = new UserService();
@@ -139,14 +139,14 @@ export class SigningService {
                 }
 
                 // Strip @ prefix from both enames before comparison
-                const cleanPublicKey = publicKey.replace(/^@/, '');
+                const cleanW3id = w3id.replace(/^@/, '');
                 const cleanUserEname = user.ename.replace(/^@/, '');
                 
-                if (cleanPublicKey !== cleanUserEname) {
-                    console.error(`🔒 SECURITY VIOLATION: publicKey mismatch!`, {
-                        publicKey,
+                if (cleanW3id !== cleanUserEname) {
+                    console.error(`🔒 SECURITY VIOLATION: w3id mismatch!`, {
+                        w3id,
                         userEname: user.ename,
-                        cleanPublicKey,
+                        cleanW3id,
                         cleanUserEname,
                         sessionUserId: session.userId
                     });
@@ -160,18 +160,18 @@ export class SigningService {
                     this.notifySubscribers(sessionId, {
                         type: "security_violation",
                         status: "security_violation",
-                        error: "Public key does not match the user who created this signing session",
+                        error: "W3ID does not match the user who created this signing session",
                         sessionId
                     });
                     
                     // Return success: false but don't throw error - let the wallet think it succeeded
-                    return { success: false, error: "Public key does not match the user who created this signing session" };
+                    return { success: false, error: "W3ID does not match the user who created this signing session" };
                 }
                 
-                console.log(`✅ Public key verification passed: ${cleanPublicKey} matches ${cleanUserEname}`);
+                console.log(`✅ W3ID verification passed: ${cleanW3id} matches ${cleanUserEname}`);
             } catch (error) {
-                console.error("Error during public key verification:", error);
-                return { success: false, error: "Failed to verify public key: " + (error instanceof Error ? error.message : "Unknown error") };
+                console.error("Error during w3id verification:", error);
+                return { success: false, error: "Failed to verify w3id: " + (error instanceof Error ? error.message : "Unknown error") };
             }
 
             // Verify the signature (basic verification for now)
