Skip to content

chore: make applications reject older wallets #424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 13, 2025
Merged

chore: make applications reject older wallets #424

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions infrastructure/eid-wallet/src/routes/(app)/scan-qr/scanLogic.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -262,6 +262,7 @@ export function createScanLogic({
session: get(session),
w3id: w3idResult,
signature: signature,
appVersion: "0.4.0",
};

console.log("🔐 Auth payload with signature:", {
Expand Down
25 changes: 24 additions & 1 deletion platforms/blabsy-w3ds-auth-api/src/controllers/AuthController.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@ import { Request, Response } from "express";
import { v4 as uuidv4 } from "uuid";
import { EventEmitter } from "events";
import { auth } from "firebase-admin";
import { isVersionValid } from "../utils/version";

const MIN_REQUIRED_VERSION = "0.4.0";

export class AuthController {
private eventEmitter: EventEmitter;

Expand Down Expand Up @@ -51,13 +55,32 @@ export class AuthController {

login = async (req: Request, res: Response) => {
try {
const { ename, session } = req.body;
const { ename, session, appVersion } = req.body;

console.log(req.body)
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Remove debug console.log statement.

This debug logging statement should be removed before merging to production. Logging the entire request body can expose sensitive data (ename, session tokens, etc.) in production logs.

-            console.log(req.body)
-
             if (!ename) {
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
console.log(req.body)
if (!ename) {
🤖 Prompt for AI Agents 
In platforms/blabsy-w3ds-auth-api/src/controllers/AuthController.ts around line
60, remove the debug console.log(req.body) statement; if you need request
inspection keep it out of production by replacing it with a proper logger call
that only logs non-sensitive fields or use logger.debug behind an environment
check (e.g., log only when NODE_ENV !== 'production' or redact tokens/PII) so no
full request bodies are written to production logs.


if (!ename) {
return res.status(400).json({ error: "ename is required" });
}

if (!session) {
return res.status(400).json({ error: "session is required" });
}

// Check app version - missing version is treated as old version
if (!appVersion || !isVersionValid(appVersion, MIN_REQUIRED_VERSION)) {
const errorMessage = {
error: true,
message: `Your eID Wallet app version is outdated. Please update to version ${MIN_REQUIRED_VERSION} or later.`,
type: "version_mismatch"
};
this.eventEmitter.emit(session, errorMessage);
return res.status(400).json({
error: "App version too old",
message: errorMessage.message
});
}

const token = await auth().createCustomToken(ename);
console.log(token);

Expand Down
32 changes: 32 additions & 0 deletions platforms/blabsy-w3ds-auth-api/src/utils/version.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
/**
* Compares two semantic version strings
* @param version1 - First version string (e.g., "0.4.0")
* @param version2 - Second version string (e.g., "0.3.0")
* @returns -1 if version1 < version2, 0 if equal, 1 if version1 > version2
*/
export function compareVersions(version1: string, version2: string): number {
const v1Parts = version1.split('.').map(Number);
const v2Parts = version2.split('.').map(Number);

for (let i = 0; i < Math.max(v1Parts.length, v2Parts.length); i++) {
const v1Part = v1Parts[i] || 0;
const v2Part = v2Parts[i] || 0;

if (v1Part < v2Part) return -1;
if (v1Part > v2Part) return 1;
}

return 0;
}
Comment on lines +7 to +20
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: Handle invalid version strings to prevent NaN comparison bugs.

The function uses .map(Number) without validating that version strings contain only numeric segments. If a version contains non-numeric parts (e.g., "1.2.a", "abc"), Number() returns NaN, and all comparisons with NaN evaluate to false. This causes the function to incorrectly return 0 (versions equal), which could allow malformed version strings to bypass validation in the authentication flow.

Apply this diff to add validation:

 export function compareVersions(version1: string, version2: string): number {
     const v1Parts = version1.split('.').map(Number);
     const v2Parts = version2.split('.').map(Number);
+
+    // Validate that all parts are valid numbers
+    if (v1Parts.some(isNaN) || v2Parts.some(isNaN)) {
+        throw new Error('Invalid version format: versions must contain only numeric segments');
+    }

     for (let i = 0; i < Math.max(v1Parts.length, v2Parts.length); i++) {
         const v1Part = v1Parts[i] || 0;
         const v2Part = v2Parts[i] || 0;

         if (v1Part < v2Part) return -1;
         if (v1Part > v2Part) return 1;
     }

     return 0;
 }
🤖 Prompt for AI Agents 
In platforms/blabsy-w3ds-auth-api/src/utils/version.ts around lines 7 to 20, the
compareVersions implementation maps segments to Number without validating, which
yields NaN for non-numeric segments and makes comparisons always false; update
the function to first trim the input, split on '.', validate each segment with a
strict numeric check (e.g., /^\d+$/) and reject invalid version strings by
throwing a descriptive error (or returning a distinct error code) before
performing numeric comparisons, then parse segments with parseInt and proceed
with the existing numeric comparison logic.


/**
* Checks if the app version meets the minimum required version
* @param appVersion - The version from the app (e.g., "0.4.0")
* @param minVersion - The minimum required version (e.g., "0.4.0")
* @returns true if appVersion >= minVersion, false otherwise
*/
export function isVersionValid(appVersion: string, minVersion: string): boolean {
return compareVersions(appVersion, minVersion) >= 0;
}
Comment on lines +7 to +30
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Major: Consolidate duplicated version utilities into a shared module.

This exact implementation is duplicated across 5 platform APIs (dreamsync-api, evoting-api, group-charter-manager-api, pictique-api, and blabsy-w3ds-auth-api). This violates DRY principles and creates maintenance burden—any bug fix or enhancement must be applied to all 5 copies.

Consider extracting these utilities into a shared package (e.g., @project/version-utils or a shared/utils module) that all platform APIs can import.



17 changes: 16 additions & 1 deletion platforms/blabsy/src/components/common/maintenance-banner.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ export function MaintenanceBanner(): JSX.Element | null {
const registryUrl =
process.env.NEXT_PUBLIC_REGISTRY_URL ||
'http://localhost:4321';
const response = await axios.get<Motd>(`${registryUrl}/motd`);
const response = await axios.get<Motd>(`${registryUrl}/motd`, {
timeout: 5000 // 5 second timeout
});
setMotd(response.data);

// Check if this message has been dismissed
Expand All @@ -27,6 +29,19 @@ export function MaintenanceBanner(): JSX.Element | null {
setIsDismissed(dismissed === response.data.message);
}
} catch (error) {
// Silently handle network errors - registry service may not be available
// Only log non-network errors for debugging
if (axios.isAxiosError(error)) {
if (
error.code === 'ECONNABORTED' ||
error.code === 'ERR_NETWORK' ||
error.message === 'Network Error'
) {
// Network error - registry service unavailable, silently fail
return;
}
}
// Log other errors (like 404, 500, etc.) for debugging
console.error('Failed to fetch motd:', error);
}
};
Expand Down
41 changes: 37 additions & 4 deletions platforms/blabsy/src/components/login/login-main.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import { isMobileDevice, getDeepLinkUrl } from '@lib/utils/mobile-detection';
export function LoginMain(): JSX.Element {
const { signInWithCustomToken } = useAuth();
const [qr, setQr] = useState<string>();
const [errorMessage, setErrorMessage] = useState<string | null>(null);

function watchEventStream(id: string): void {
const sseUrl = new URL(
Expand All @@ -19,13 +20,37 @@ export function LoginMain(): JSX.Element {

eventSource.onopen = (): void => {
console.log('Successfully connected.');
setErrorMessage(null);
};

eventSource.onmessage = async (e): Promise<void> => {
const data = JSON.parse(e.data as string) as { token: string };
const { token } = data;
console.log(token);
await signInWithCustomToken(token);
const data = JSON.parse(e.data as string) as {
token?: string;
error?: boolean;
message?: string;
type?: string;
};

// Check for error messages (version mismatch)
if (data.error && data.type === 'version_mismatch') {
setErrorMessage(
data.message ||
'Your eID Wallet app version is outdated. Please update to continue.'
);
eventSource.close();
return;
}

// Handle successful authentication
if (data.token) {
console.log(data.token);
await signInWithCustomToken(data.token);
}
};

eventSource.onerror = (): void => {
console.error('SSE connection error');
eventSource.close();
};
}
const getOfferData = async (): Promise<void> => {
Expand Down Expand Up @@ -89,6 +114,14 @@ export function LoginMain(): JSX.Element {
Join Blabsy today.
</h2>
<div>
{errorMessage && (
<div className='mb-4 p-4 bg-red-100 border border-red-400 text-red-700 rounded-lg'>
<p className='font-semibold'>
Authentication Error
</p>
<p className='text-sm'>{errorMessage}</p>
</div>
)}
{isMobileDevice() ? (
<div className='flex flex-col gap-4 items-center'>
<div className='text-xs text-gray-500 text-center max-w-xs'>
Expand Down
17 changes: 17 additions & 0 deletions platforms/dreamSync/client/src/components/auth/login-screen.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ export function LoginScreen() {
const [sessionId, setSessionId] = useState<string>("");
const [isConnecting, setIsConnecting] = useState(false);
const [isLoading, setIsLoading] = useState(true);
const [errorMessage, setErrorMessage] = useState<string | null>(null);

useEffect(() => {
const getAuthOffer = async () => {
Expand Down Expand Up @@ -45,6 +46,15 @@ export function LoginScreen() {
eventSource.onmessage = (event) => {
try {
const data = JSON.parse(event.data);

// Check for error messages (version mismatch)
if (data.error && data.type === 'version_mismatch') {
setErrorMessage(data.message || 'Your eID Wallet app version is outdated. Please update to continue.');
eventSource.close();
return;
}

// Handle successful authentication
if (data.user && data.token) {
setIsConnecting(true);
// Store the token and user ID directly
Expand Down Expand Up @@ -108,6 +118,13 @@ export function LoginScreen() {
</p>
</div>

{errorMessage && (
<div className="mb-4 p-4 bg-red-100 border border-red-400 text-red-700 rounded-lg">
<p className="font-semibold">Authentication Error</p>
<p className="text-sm">{errorMessage}</p>
</div>
)}

{qrCode && (
<div className="flex justify-center mb-6">
{isMobileDevice() ? (
Expand Down
19 changes: 18 additions & 1 deletion platforms/dreamsync-api/src/controllers/AuthController.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ import { v4 as uuidv4 } from "uuid";
import { UserService } from "../services/UserService";
import { EventEmitter } from "events";
import { signToken } from "../utils/jwt";
import { isVersionValid } from "../utils/version";

const MIN_REQUIRED_VERSION = "0.4.0";

export class AuthController {
private userService: UserService;
Expand Down Expand Up @@ -53,7 +56,7 @@ export class AuthController {

login = async (req: Request, res: Response) => {
try {
const { ename, session, w3id, signature } = req.body;
const { ename, session, w3id, signature, appVersion } = req.body;

if (!ename) {
return res.status(400).json({ error: "ename is required" });
Expand All @@ -63,6 +66,20 @@ export class AuthController {
return res.status(400).json({ error: "session is required" });
}

// Check app version - missing version is treated as old version
if (!appVersion || !isVersionValid(appVersion, MIN_REQUIRED_VERSION)) {
const errorMessage = {
error: true,
message: `Your eID Wallet app version is outdated. Please update to version ${MIN_REQUIRED_VERSION} or later.`,
type: "version_mismatch"
};
this.eventEmitter.emit(session, errorMessage);
return res.status(400).json({
error: "App version too old",
message: errorMessage.message
});
}

// Find user by ename (handles @ symbol variations)
const user = await this.userService.findByEname(ename);

Expand Down
32 changes: 32 additions & 0 deletions platforms/dreamsync-api/src/utils/version.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
/**
* Compares two semantic version strings
* @param version1 - First version string (e.g., "0.4.0")
* @param version2 - Second version string (e.g., "0.3.0")
* @returns -1 if version1 < version2, 0 if equal, 1 if version1 > version2
*/
export function compareVersions(version1: string, version2: string): number {
const v1Parts = version1.split('.').map(Number);
const v2Parts = version2.split('.').map(Number);

for (let i = 0; i < Math.max(v1Parts.length, v2Parts.length); i++) {
const v1Part = v1Parts[i] || 0;
const v2Part = v2Parts[i] || 0;

if (v1Part < v2Part) return -1;
if (v1Part > v2Part) return 1;
}

return 0;
}
Comment on lines +7 to +20
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Add input validation and handle malformed version strings.

The function doesn't validate inputs or handle non-numeric segments. When split('.').map(Number) encounters non-numeric segments (e.g., "1.a.0"), it produces NaN. Since NaN < x and NaN > x both return false, the function incorrectly returns 0 (equal) for malformed versions.

Apply this diff to add validation:

 export function compareVersions(version1: string, version2: string): number {
+    if (!version1 || !version2) {
+        throw new Error('Version strings cannot be null or empty');
+    }
+    
     const v1Parts = version1.split('.').map(Number);
     const v2Parts = version2.split('.').map(Number);
+    
+    if (v1Parts.some(isNaN) || v2Parts.some(isNaN)) {
+        throw new Error('Version strings must contain only numeric segments');
+    }

     for (let i = 0; i < Math.max(v1Parts.length, v2Parts.length); i++) {
🤖 Prompt for AI Agents 
In platforms/dreamsync-api/src/utils/version.ts around lines 7 to 20, the
compareVersions function currently maps segments with Number and fails silently
on non-numeric parts (yielding NaN and incorrect equality). Change the
implementation to validate inputs: ensure both inputs are non-empty strings,
split on '.', parse each segment with parseInt(segment, 10), and if any parsed
segment is NaN or not a valid integer (or contains non-digit characters after
trimming) throw a clear Error (or return a distinct value) indicating a
malformed version string; then compare numeric segments with missing parts
treated as 0 as before. Ensure you add unit tests or callers handle the thrown
error.


/**
* Checks if the app version meets the minimum required version
* @param appVersion - The version from the app (e.g., "0.4.0")
* @param minVersion - The minimum required version (e.g., "0.4.0")
* @returns true if appVersion >= minVersion, false otherwise
*/
export function isVersionValid(appVersion: string, minVersion: string): boolean {
return compareVersions(appVersion, minVersion) >= 0;
}


Comment on lines +1 to +32
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Extract duplicated version utilities to a shared package.

This exact implementation is duplicated across at least 5 services in the codebase. In a monorepo, shared utilities should be extracted to a common package (e.g., packages/shared-utils or packages/version-utils) and imported by each service.

Consider creating a shared package structure:

// packages/shared-utils/src/version.ts
export function compareVersions(version1: string, version2: string): number {
  // implementation
}

export function isVersionValid(appVersion: string, minVersion: string): boolean {
  // implementation
}

Then import in each service:

import { isVersionValid } from '@metastate/shared-utils/version';
🤖 Prompt for AI Agents 
platforms/dreamsync-api/src/utils/version.ts lines 1-32: this version utility is
duplicated across services and should be extracted to a shared package; create a
new workspace package (e.g., packages/shared-utils or packages/version-utils),
move the compareVersions and isVersionValid implementations into that package
and export them, update the monorepo package.json/workspace config to include
the new package, replace the local functions here with an import from the new
package (e.g., import { isVersionValid } from '@your-org/shared-utils/version'),
remove the duplicate copies from other services or update their imports to the
shared package, run installs/build and update any tests or type imports to
ensure the new package compiles and all services reference the single shared
implementation.

1 change: 1 addition & 0 deletions platforms/eVoting/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
"lucide-react": "^0.453.0",
"next": "15.4.2",
"next-qrcode": "^2.5.1",
"next.js": "^1.0.3",
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Remove incorrect dependency - wrong package name.

The dependency "next.js" is NOT the official Next.js package. The official package is "next" (which is already present on line 47). The "next.js" package on npm is an outdated, unofficial package that was last published 10 years ago.

Apply this diff to remove the incorrect dependency:

     "next": "15.4.2",
     "next-qrcode": "^2.5.1",
-    "next.js": "^1.0.3",
     "qrcode.react": "^4.2.0",
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"next.js": "^1.0.3",
"next": "15.4.2",
"next-qrcode": "^2.5.1",
"qrcode.react": "^4.2.0",
🤖 Prompt for AI Agents 
In platforms/eVoting/package.json around line 49, remove the incorrect
dependency "next.js": "^1.0.3" because the official Next.js package is "next"
(already present on line 47); update package.json by deleting the "next.js"
entry from the dependencies block and run a quick npm/yarn install to ensure
lockfile and node_modules are consistent.

"qrcode.react": "^4.2.0",
"react": "19.1.0",
"react-day-picker": "^9.11.1",
Expand Down
16 changes: 16 additions & 0 deletions platforms/eVoting/src/components/auth/login-screen.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ export function LoginScreen() {
const [qrCode, setQrCode] = useState<string>("");
const [sessionId, setSessionId] = useState<string>("");
const [isConnecting, setIsConnecting] = useState(false);
const [errorMessage, setErrorMessage] = useState<string | null>(null);

useEffect(() => {
const getAuthOffer = async () => {
Expand All @@ -35,6 +36,15 @@ export function LoginScreen() {
eventSource.onmessage = (event) => {
try {
const data = JSON.parse(event.data);

// Check for error messages (version mismatch)
if (data.error && data.type === 'version_mismatch') {
setErrorMessage(data.message || 'Your eID Wallet app version is outdated. Please update to continue.');
eventSource.close();
return;
}

// Handle successful authentication
if (data.user && data.token) {
setIsConnecting(true);
// Store the token and user ID directly
Expand Down Expand Up @@ -71,6 +81,12 @@ export function LoginScreen() {
</div>
<div className="bg-white py-8 px-4 shadow sm:rounded-lg sm:px-10">
<div className="flex flex-col items-center space-y-6">
{errorMessage && (
<div className="w-full mb-4 p-4 bg-red-100 border border-red-400 text-red-700 rounded-lg">
<p className="font-semibold">Authentication Error</p>
<p className="text-sm">{errorMessage}</p>
</div>
)}
{qrCode ? (
<div className="p-4 bg-white border-2 border-gray-200 rounded-lg">
<QRCodeSVG
Expand Down
23 changes: 22 additions & 1 deletion platforms/evoting-api/src/controllers/AuthController.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ import { v4 as uuidv4 } from "uuid";
import { UserService } from "../services/UserService";
import { EventEmitter } from "events";
import { signToken } from "../utils/jwt";
import { isVersionValid } from "../utils/version";

const MIN_REQUIRED_VERSION = "0.4.0";

export class AuthController {
private userService: UserService;
Expand Down Expand Up @@ -53,12 +56,30 @@ export class AuthController {

login = async (req: Request, res: Response) => {
try {
const { ename, session } = req.body;
const { ename, session, appVersion } = req.body;

if (!ename) {
return res.status(400).json({ error: "ename is required" });
}

if (!session) {
return res.status(400).json({ error: "session is required" });
}

// Check app version - missing version is treated as old version
if (!appVersion || !isVersionValid(appVersion, MIN_REQUIRED_VERSION)) {
const errorMessage = {
error: true,
message: `Your eID Wallet app version is outdated. Please update to version ${MIN_REQUIRED_VERSION} or later.`,
type: "version_mismatch"
};
this.eventEmitter.emit(session, errorMessage);
return res.status(400).json({
error: "App version too old",
message: errorMessage.message
});
}

// Find user by ename (handles @ symbol variations)
const user = await this.userService.findByEname(ename);

Expand Down
Loading