fix: purge messages signed with stale delegate key #170
Merged
When migrate_signing_key() overwrites a stale delegate key, any messages in local state that were signed with the old key have invalid signatures. The contract rejects the entire UPDATE because of these bad messages, blocking all new messages from being sent.

Changes:
- migrate_signing_key() now returns MigrationResult enum instead of bool, distinguishing AlreadyCurrent/StaleKeyOverwritten/Stored/Failed
- New remove_unverifiable_messages() function verifies all message signatures in local state and removes invalid ones
- Both callers of migrate_signing_key() call remove_unverifiable_messages() when a stale key was overwritten

This is UI-only — no delegate/contract WASM changes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Address review feedback: add mark_needs_sync after removing unverifiable messages so the cleaned state is saved to delegate storage and synced to the contract. In get_response.rs, also ensures sync happens after sanitization (not before) since both are deferred.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Problem
Follow-up to #169. After a stale delegate signing key is overwritten, messages that were already signed with the old key remain in local state. Every UPDATE to the contract includes these bad messages, and the contract rejects the entire UPDATE with "State verification failed: Invalid message signature". This blocks ALL new messages from being sent — even ones signed with the correct key.

Any user who was re-invited after PR #164 and sent messages before refreshing has these poisoned messages in their local state.
Approach
- Changed migrate_signing_key() to return a MigrationResult enum instead of bool, so callers can distinguish between AlreadyCurrent, StaleKeyOverwritten, Stored, and Failed
- Added remove_unverifiable_messages(), which verifies all message signatures in local room state against the members list and removes any that fail verification
- Both callers of migrate_signing_key() now call remove_unverifiable_messages() when StaleKeyOverwritten is returned, purging the poisoned messages before any UPDATEs are sent

UI-only change — no delegate/contract WASM modifications, no migration needed.
Testing
- cargo check -p river-ui --target wasm32-unknown-unknown --features no-sync passes
- cargo fmt clean

State verification failed: Invalid message signature: id:MessageId(FastHash(1015880761723393051)) even after fix: overwrite stale delegate signing key after re-invitation #169 fix deployed

[AI-assisted - Claude]
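The purge described in this PR, replayed as an added self-contained Rust simulation that is not River's code and not from the PR: a toy FNV-based keyed hash stands in for the real signature scheme, and the LocalState, Message and stale_key_scenario names are assumptions (the Failed variant is not modelled).

```rust
use std::collections::HashMap;
#[derive(Debug, PartialEq)]
pub enum MigrationResult { AlreadyCurrent, StaleKeyOverwritten, Stored }
pub struct Message { pub author: u32, pub body: String, pub signature: u64 }
/// Toy "signature": FNV-1a over key bytes then body. A stand-in for the real scheme only.
pub fn sign(key: u64, body: &str) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key.to_le_bytes().iter().chain(body.as_bytes()) {
        h = (h ^ *b as u64).wrapping_mul(0x100_0000_01b3);
    }
    h
}
/// Assumed local room state: member id -> current verifying key, messages, dirty flag.
pub struct LocalState { pub members: HashMap<u32, u64>, pub messages: Vec<Message>, pub needs_sync: bool }

impl LocalState {
    /// Install `key` for `member`, reporting whether an older key was overwritten.
    pub fn migrate_signing_key(&mut self, member: u32, key: u64) -> MigrationResult {
        match self.members.insert(member, key) {
            Some(old) if old == key => MigrationResult::AlreadyCurrent,
            Some(_) => MigrationResult::StaleKeyOverwritten,
            None => MigrationResult::Stored,
        }
    }

    /// Drop messages that fail to verify under the author's current key (or whose author is unknown); flags a sync.
    pub fn remove_unverifiable_messages(&mut self) -> usize {
        let members = &self.members;
        let before = self.messages.len();
        self.messages.retain(|m| {
            members.get(&m.author).map_or(false, |k| sign(*k, &m.body) == m.signature)
        });
        let removed = before - self.messages.len();
        self.needs_sync |= removed > 0;
        removed
    }
}

/// PR scenario: old-key messages (plus one from a non-member), re-invite with a new key, purge, then a fresh message.
pub fn stale_key_scenario() -> (MigrationResult, usize, usize, bool) {
    let (old_key, new_key) = (0x1111u64, 0x2222u64);
    let mut st = LocalState { members: HashMap::new(), messages: Vec::new(), needs_sync: false };
    st.migrate_signing_key(7, old_key);
    for (author, body) in [(7, "hello"), (7, "again"), (9, "not a member")] {
        st.messages.push(Message { author, body: body.into(), signature: sign(old_key, body) });
    }
    let result = st.migrate_signing_key(7, new_key);
    let removed = if result == MigrationResult::StaleKeyOverwritten { st.remove_unverifiable_messages() } else { 0 };
    st.messages.push(Message { author: 7, body: "fresh".into(), signature: sign(new_key, "fresh") });
    (result, removed, st.messages.len(), st.needs_sync)
}
```

Only messages that verify under the member's current key survive, so the UPDATE sent afterwards no longer carries the old-key signatures that the contract rejects.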