fix(auth): reject invalid challenge signatures instead of transitioning to AuthOk

2026-03-29 23:05:38 +02:00
parent 0388fa2c8b
commit 8feda7990c
2 changed files with 74 additions and 5 deletions
--- a/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
+++ b/server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
@@ -210,13 +210,16 @@ where
            }
        };

-        if valid {
-            self.transport
-                .send(Ok(Outbound::AuthSuccess))
-                .await
-                .map_err(|_| Error::Transport)?;
+        if !valid {
+            error!("Invalid challenge solution signature");
+            return Err(Error::InvalidChallengeSolution);
        }

+        self.transport
+            .send(Ok(Outbound::AuthSuccess))
+            .await
+            .map_err(|_| Error::Transport)?;
+
        Ok(key.clone())
    }
 }