feat: check load address

ithacaxyz · Nov 25, 2024 · 8d609a6 · 8d609a6
1 parent feeebe6
commit 8d609a6
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/src/internal/accountDelegation.ts b/src/internal/accountDelegation.ts
@@ -434,6 +434,17 @@ export async function load<chain extends Chain | undefined>(
     })
     raw = rest.raw
 
+    // if `address` and `credentialId` were passed (to remove first signature),
+    // check to make sure `address` matches the key used for the second signature.
+    if (parameters.address && parameters.credentialId) {
+      const response = rest.raw.response as AuthenticatorAssertionResponse
+      const userHandle = Bytes.toHex(new Uint8Array(response.userHandle!))
+      if (address !== userHandle)
+        throw new Error(
+          `supplied address "${address}" does not match signature address "${userHandle}"`,
+        )
+    }
+
     const wrappedSignature = wrapSignature({
       metadata: getWebAuthnMetadata(metadata),
       signature,