Add inbound profile signature verification #360
alltheseas wants to merge 1 commit into nostr-dev-kit:master from
Conversation
pablof7z
left a comment
Code Review: Critical Issues Found
This PR has the right intent (enforce signature verification on kind:0/Metadata events), but has two critical bugs that prevent merging:
1. verifyAndReport method doesn't exist
The PR calls this.verifyAndReport(ndkEvent, event, relay) and this.verifyAndReport(ndkEvent, event), but this method does not exist on NDKSubscription. This would cause a runtime crash for any profile event received.
2. All relay paths silently drop events
Every code path inside the if (relay) block now ends with return, which means events are never cached or emitted:
- Non-verified events: relay.addNonValidatedEvent(); return; — drops valid events that didn't need verification
- Sync-verified events: relay.addValidatedEvent(); return; — drops events that PASS verification
- Async-verified events: ndkEvent.verifySignature(true); return; — drops events during async verification
In the original code, after the relay verification block, execution continues to caching (setEvent) and emission (emitEvent). The new code skips both for ALL events from relays.
Suggested Fix
- Define verifyAndReport() as a private method on NDKSubscription (or inline the logic)
- Only return (drop) events that FAIL verification
- Let events that pass verification (or skip verification) continue to the existing caching and emission logic below
The security concept is sound — we should always verify kind:0 events. Happy to help iterate on a fix!
47fc8e9 to 2977577
Add forceSync parameter to verifySignature() so kind:0 events always get synchronous verification regardless of asyncSigVerification setting. This prevents undefined return values from dropping valid profile events. Only failed verifications return early; valid events continue to caching and emission. Non-relay kind:0 events are also verified.

Harden signature cache against poisoning: positive cache hits now require the cached sig to match the current event's sig before short-circuiting. Negative cache entries always trigger re-verification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
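The control flow the review above describes (every non-true result returning early) and the fix the commit message summarises (forceSync for kind:0, only a definite failure drops, sig-aware cache hits), as an added example in standalone TypeScript. This is not NDK's code: verifySignature, asyncSigVerification, forceSync and the relay validated/non-validated counters are the names mentioned above, while SigCache, Ctx, handleBuggy, handleInboundEvent and the toy string-comparison verifier standing in for Schnorr are assumptions of this example, and the events are constructed.

```typescript
// Added example, not NDK code: inbound dispatch plus a poisoning-resistant
// signature cache.  Schnorr verification is replaced by a labelled toy stand-in.

interface NostrEvent {
  id: string;      // sha256 of the serialized event, computed before dispatch
  pubkey: string;
  kind: number;    // 0 = profile/metadata
  content: string;
  sig: string;     // BIP-340 Schnorr over id in real Nostr; a toy string here
}

type Verify = (ev: NostrEvent) => boolean;

// Toy stand-in for Schnorr verification (assumption): "valid:<id>" is the only good sig.
const toyVerify: Verify = (ev) => ev.sig === `valid:${ev.id}`;

interface RelayStats { validated: number; nonValidated: number }

// Cache keyed by event id.  Each entry remembers the sig it was computed for,
// so a positive hit only short-circuits when the incoming sig still matches;
// a negative entry never short-circuits (the event is re-verified).
class SigCache {
  private entries = new Map<string, { sig: string; valid: boolean }>();
  lookup(ev: NostrEvent): true | undefined {
    const e = this.entries.get(ev.id);
    if (!e || !e.valid || e.sig !== ev.sig) return undefined;
    return true;
  }
  store(ev: NostrEvent, valid: boolean): void {
    this.entries.set(ev.id, { sig: ev.sig, valid });
  }
}

interface Ctx {
  cache: SigCache;
  verify: Verify;
  asyncSigVerification: boolean; // mirrors the NDK option named above
  pending: NostrEvent[];         // events handed to the (simulated) async worker
  emitted: string[];             // ids that reached the cache/emit stage
}

// true/false when verified synchronously, undefined when deferred to the async
// worker.  With forceSync the async path is skipped, so kind:0 always gets a boolean.
function verifySignature(ev: NostrEvent, ctx: Ctx, forceSync: boolean): boolean | undefined {
  if (ctx.cache.lookup(ev) === true) return true;
  if (ctx.asyncSigVerification && !forceSync) {
    ctx.pending.push(ev);
    return undefined;
  }
  const ok = ctx.verify(ev);
  ctx.cache.store(ev, ok);
  return ok;
}

type Outcome = "emitted" | "dropped" | "emitted-pending-async";

// Shape of the bug in the first revision: any non-true result returns early,
// so a deferred (undefined) verification drops a perfectly valid event.
function handleBuggy(ev: NostrEvent, ctx: Ctx, relay?: RelayStats): Outcome {
  const ok = verifySignature(ev, ctx, false);
  if (!ok) return "dropped";
  if (relay) relay.validated++;
  ctx.emitted.push(ev.id);
  return "emitted";
}

// Fixed flow: only a definite failure returns early; everything else continues
// to the existing caching and emission logic.
function handleInboundEvent(ev: NostrEvent, ctx: Ctx, relay?: RelayStats): Outcome {
  const forceSync = ev.kind === 0;
  const result = verifySignature(ev, ctx, forceSync);
  if (result === false) return "dropped";
  if (relay) {
    if (result === true) relay.validated++;
    else relay.nonValidated++;
  }
  ctx.emitted.push(ev.id);
  return result === undefined ? "emitted-pending-async" : "emitted";
}

function newCtx(asyncSigVerification: boolean): Ctx {
  return { cache: new SigCache(), verify: toyVerify, asyncSigVerification, pending: [], emitted: [] };
}

// Constructed sample events.
const profile: NostrEvent = { id: "e1", pubkey: "p1", kind: 0, content: '{"name":"alice"}', sig: "valid:e1" };
const forgedProfile: NostrEvent = { ...profile, sig: "bogus" };
const note: NostrEvent = { id: "e2", pubkey: "p1", kind: 1, content: "hi", sig: "valid:e2" };
```

With asyncSigVerification on, handleBuggy drops the valid profile because the deferred verification returns undefined and `!undefined` is true; handleInboundEvent forces a synchronous check for kind:0 and only returns early on `=== false`. The cache scenario the commit message describes is the forgedProfile case: same id as an already-verified event, different sig, so the positive entry must not short-circuit and the forgery is re-verified and dropped.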
2977577 to 281a8fd
Addressed comments @pablof7z and added tests. lmk if you need anything else ser
problem
ndk does not validate inbound profile/kind0 events
suggested solution
context
discovered lack of profile validation via yakihonne-web: nostrability/nostrability#262 (comment)
closes #359