Merge pull request #212 from Web3Auth/feat/inputFactorKeyCheck

fix: check for invalid factor key during inputfactor

Author: himanshuchawla009

src/mpcCoreKit.ts

@@ -512,6 +512,12 @@ export class Web3AuthMPCCoreKit implements ICoreKit {
       // input tkey device share when required share > 0 ( or not reconstructed )
       // assumption tkey shares will not changed
       if (!this.tKey.secp256k1Key) {
+        const factorKeyPrivate = factorKeyCurve.keyFromPrivate(factorKey.toBuffer());
+        const factorPubX = factorKeyPrivate.getPublic().getX().toString("hex").padStart(64, "0");
+        const factorEncExist = this.tkey.metadata.factorEncs?.[this.tkey.tssTag]?.[factorPubX];
+        if (!factorEncExist) {
+          throw CoreKitError.providedFactorKeyInvalid("Invalid FactorKey provided. Failed to input factor key.");
+        }
         const factorKeyMetadata = await this.getFactorKeyMetadata(factorKey);
         await this.tKey.inputShareStoreSafe(factorKeyMetadata, true);
       }

tests/factors.spec.ts

@@ -158,6 +158,8 @@ export const FactorManipulationTest = async (testVariable: FactorTestVariable) =
 
       const browserFactor = await instance2.getDeviceFactor();
 
+      const factorBN = new BN(recoverFactor, "hex")
+
       // login with mfa factor
       await instance2.inputFactorKey(new BN(recoverFactor, "hex"));
       assert.strictEqual(instance2.status, COREKIT_STATUS.LOGGED_IN);
@@ -167,6 +169,15 @@ export const FactorManipulationTest = async (testVariable: FactorTestVariable) =
       const instance3 = await newInstance();
       assert.strictEqual(instance3.status, COREKIT_STATUS.REQUIRED_SHARE);
 
+
+
+      try {
+        await instance3.inputFactorKey(factorBN.subn(1));
+        throw Error("should not be able to input factor");
+      } catch (e) {
+        assert(e instanceof Error);
+      }
+
       await instance3.inputFactorKey(new BN(browserFactor, "hex"));
       assert.strictEqual(instance3.status, COREKIT_STATUS.LOGGED_IN);
     });