What is Nostr?
ildella / Daniele
npub1ncd…r8ar
2024-02-28 23:26:24
in reply to nevent1q…jv6v

ildella on Nostr: I was giving for granted that it behave that way, then today I made an integration ...

I was giving for granted that it behave that way, then today I made an integration test over my signup API to see taht it would fail under an "attack" with a modified event.

The test failed and I got scared so I did dig deeper and wrote that test.

The whole library assembles in the "finalized event" both the original event and the sig/pub/hash properties. So when you call verifyEvent it uses the hashes that one pass as "id" rather than recalculate the hash from scratch from the original event properties.

I am no security expert but that look *very* bad to me.
Author Public Key
npub1ncdaqhk5rea29hdpaxmyhzay3d5mkrattg3dgs4yjkcml99fkqcqz4r8ar