verifySignature: return false if the id is invalid

2025-12-10 00:58:51 +00:00 · 2023-09-02 17:31:39 -05:00
parent 34e0ad8c41
commit 54f3bedf38
2 changed files with 29 additions and 2 deletions
--- a/event.test.ts
+++ b/event.test.ts
@@ -278,6 +278,27 @@ describe('Event', () => {

      expect(isValid).toEqual(false)
    })
+
+    it('should return false for an invalid event id', () => {
+      const privateKey = 'd217c1ff2f8a65c3e3a1740db3b9f58b8c848bb45e26d00ed4714e4a0f4ceecf'
+
+      const event = finishEvent(
+        {
+          kind: 1,
+          tags: [],
+          content: 'Hello, world!',
+          created_at: 1617932115,
+        },
+        privateKey,
+      )
+
+      // tamper with the id
+      event.id = event.id.replace(/0/g, '1')
+
+      const isValid = verifySignature(event)
+
+      expect(isValid).toEqual(false)
+    })
  })

  describe('getSignature', () => {
@@ -296,9 +317,9 @@ describe('Event', () => {
      const sig = getSignature(unsignedEvent, privateKey)

      // verify the signature
-      // @ts-expect-error
      const isValid = verifySignature({
        ...unsignedEvent,
+        id: getEventHash(unsignedEvent),
        sig,
      })