fix: Fix order of operations when handling "vc-request-with-auth" (#6850)

2026-05-03 21:36:29 +03:00 · 2025-05-12 16:52:10 +02:00
parent 8fb3a7514e
commit a981573e48
2 changed files with 40 additions and 9 deletions
--- a/src/securejoin.rs
+++ b/src/securejoin.rs
@@ -374,14 +374,6 @@ pub(crate) async fn handle_securejoin_handshake(
                );
                return Ok(HandshakeMessage::Ignore);
            }
-            if !verify_sender_by_fingerprint(context, &fingerprint, contact_id).await? {
-                warn!(
-                    context,
-                    "Ignoring {step} message because of fingerprint mismatch."
-                );
-                return Ok(HandshakeMessage::Ignore);
-            }
-            info!(context, "Fingerprint verified.",);
            // verify that the `Secure-Join-Auth:`-header matches the secret written to the QR code
            let Some(auth) = mime_message.get_header(HeaderDef::SecureJoinAuth) else {
                warn!(
@@ -408,6 +400,14 @@ pub(crate) async fn handle_securejoin_handshake(
                }
            };

+            if !verify_sender_by_fingerprint(context, &fingerprint, contact_id).await? {
+                warn!(
+                    context,
+                    "Ignoring {step} message because of fingerprint mismatch."
+                );
+                return Ok(HandshakeMessage::Ignore);
+            }
+
            let contact_addr = Contact::get_by_id(context, contact_id)
                .await?
                .get_addr()
@@ -427,6 +427,7 @@ pub(crate) async fn handle_securejoin_handshake(
                );
                return Ok(HandshakeMessage::Ignore);
            }
+            info!(context, "Fingerprint verified via Auth code.",);
            contact_id.regossip_keys(context).await?;
            ContactId::scaleup_origin(context, &[contact_id], Origin::SecurejoinInvited).await?;
            // for setup-contact, make Alice's one-to-one chat with Bob visible
@@ -434,7 +435,6 @@ pub(crate) async fn handle_securejoin_handshake(
            if !join_vg {
                ChatId::create_for_contact(context, contact_id).await?;
            }
-            info!(context, "Auth verified.",);
            context.emit_event(EventType::ContactsChanged(Some(contact_id)));
            inviter_progress(context, contact_id, 600);
            if let Some(group_chat_id) = group_chat_id {
--- a/src/securejoin/securejoin_tests.rs
+++ b/src/securejoin/securejoin_tests.rs
@@ -951,3 +951,34 @@ async fn test_parallel_setup_contact() -> Result<()> {

    Ok(())
 }
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_wrong_auth_token() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let alice = &tcm.alice().await;
+    let bob = &tcm.bob().await;
+
+    // Bob should already have Alice's key
+    // so that he can directly send vc-request-with-auth
+    tcm.send_recv(alice, bob, "hi").await;
+
+    let alice_qr = get_securejoin_qr(alice, None).await?;
+    println!("{}", &alice_qr);
+    let invalid_alice_qr = alice_qr.replace("&s=", "&s=INVALIDAUTHTOKEN&someotherkey=");
+
+    join_securejoin(bob, &invalid_alice_qr).await?;
+    let sent = bob.pop_sent_msg().await;
+
+    let msg = alice.parse_msg(&sent).await;
+    assert_eq!(
+        msg.get_header(HeaderDef::SecureJoin).unwrap(),
+        "vc-request-with-auth"
+    );
+
+    alice.recv_msg_trash(&sent).await;
+
+    let alice_bob_contact = alice.add_or_lookup_contact(bob).await;
+    assert!(!alice_bob_contact.is_forward_verified(alice).await?);
+
+    Ok(())
+}