Skip to content

fix(rewards): accept SIMD-0048 off-chain wrapped signatures (Ledger)#811

Merged
raymondjacobson merged 1 commit into
mainfrom
rj-ledger-signature
May 15, 2026
Merged

fix(rewards): accept SIMD-0048 off-chain wrapped signatures (Ledger)#811
raymondjacobson merged 1 commit into
mainfrom
rj-ledger-signature

Conversation

@raymondjacobson
Copy link
Copy Markdown
Member

@raymondjacobson raymondjacobson commented May 15, 2026

Summary

  • Authorized Ledger users were getting 403 Unauthorized when calling POST /v1/rewards/code.
  • Root cause: hardware wallets (Ledger via Phantom/Solflare) won't sign arbitrary bytes — they sign Solana's SIMD-0048 off-chain message envelope (\xffsolana offchain | version | format | len | message). The signature is valid, but valid for the wrapped bytes, not the raw timestamp string we were comparing against.
  • verifySignature now tries the raw message first (hot-wallet path, unchanged) and falls back to the SIMD-0048 envelope across all three message formats (0=ASCII, 1=limited UTF-8, 2=extended UTF-8) since wallet implementations vary.
  • No client/API changes; existing hot-wallet flows still match on the first attempt.

Test plan

  • go test ./api/ -run 'TestVerifySignature' — new subtest verifies wrapped-signature acceptance for all three formats; existing negative tests still pass.
  • Manual: Ledger-backed wallet on the gift-rewards admin tool can now create a reward code (previously 403).
  • Manual: hot wallet (Phantom software) still creates reward codes (no regression).

🤖 Generated with Claude Code

@raymondjacobson @claude
fix(rewards): accept SIMD-0048 off-chain wrapped signatures
435c33a 
Hardware wallets (e.g. Ledger via Phantom) refuse to sign arbitrary
bytes and instead sign the SIMD-0048 off-chain message envelope
(\xffsolana offchain | version | format | len | message). This caused
authorized Ledger users to receive 403 Unauthorized when creating
reward codes, since verification was only attempted against the raw
message bytes.

verifySignature now tries the raw message first (hot-wallet path) and
falls back to the wrapped envelope across all three message formats.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@raymondjacobson raymondjacobson merged commit 6167b90 into main May 15, 2026
4 checks passed
@raymondjacobson raymondjacobson deleted the rj-ledger-signature branch May 15, 2026 03:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@raymondjacobson