verifyevent works in an unexpected way #101

Open
@randomlogin

Calling verifyevent simply returns what it has been fed; it doesn't check anything (altering the sig field to a fake one produces the same copy response).

$ space-cli --chain regtest verifyevent @cosmos --input minimal_event_signed 
{"id":"78703337927574aa2d2f040cf0c3460f54d164e36a370912eca9b032e360c782","pubkey":"4e6068ae6a082ac3f084e7f026640231e483fff449aaa69707b0d439c81a253c","created_at":1688150400,"kind":10000,"tags":[],"content":"","sig":"3e79b607f416979b52fbb8b949b7656770c17ef42b7b9d44563fe54192e70a3b9c1a09c500573fdfd397b489e7c499ba8587784701cb0f17a002f07c6bc533e9"}

Does it only check if the pubkey corresponds to a provided space?

If so, altering the pubkey (changing the first two hex digits) gave me:

Custom error: input error: malformed public key at line 1 column 148, which seems to be erroneous as the key is not malformed, but just wrong.

It might be the case that the key has something like a checksum which I fail by this change, but still the user could see an error as below:

If I change a hex digit in the middle it gives me:

Custom error: ErrorObject { code: ServerError(-1), message: "Event pubkey doesn't match space pubkey", data: None }

Suggestions:

  1. Verify signature of an event, not only the key to a space
  2. Return a more sensible error
  3. Return true/false/error instead of event (I'm not sure about that)?

minimal_event_signed:

{
   "id":"78703337927574aa2d2f040cf0c3460f54d164e36a370912eca9b032e360c782",
   "pubkey":"4f6068ae6a082ac3f084e7f026640231e483fff449aaa69707b0d439c81a253c",
   "created_at":1688150400,
   "kind":10000,
   "tags":[
      
   ],
   "content":"",
   "sig":"588a68f3b4f6280b5e015c7425d3a60ab68ace927a8600ed164257ed46fcc7985512108dfa3e5b6e318ff682220138e8b5e907926274899bf65b6a35a8f3f430"
}
