From 8e221c3ffed58f483098afa2ebd9dc6d5a663d80 Mon Sep 17 00:00:00 2001
From: Shadow <shadow@example.com>
Date: Fri, 6 Feb 2026 04:59:22 +0100
Subject: [PATCH] fix: implement cryptographic signature verification for
 wallet linking

- Replace mocked isValidSignature = true with real viem verification
- Use verifyMessage to validate wallet ownership
- Add proper error handling for invalid signatures
- Return 403 for verification failures

Fixes #70
---
 app/api/reputation/link-wallet/route.ts | 26 ++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/app/api/reputation/link-wallet/route.ts b/app/api/reputation/link-wallet/route.ts
index 7006387..16249fc 100644
--- a/app/api/reputation/link-wallet/route.ts
+++ b/app/api/reputation/link-wallet/route.ts
@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { ReputationService } from "@/lib/services/reputation";
 import { getCurrentUser } from "@/lib/server-auth";
+import { verifyMessage } from "viem";
 
 export async function POST(request: NextRequest) {
     try {
@@ -16,17 +17,24 @@ export async function POST(request: NextRequest) {
             return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
         }
 
-        // 2. Signature Verification
-        // Note: Real implementation would use ethers.verifyMessage or similar
-        // const recoveredAddress = verifyMessage(`Link wallet ${address} to user ${userId}`, signature);
-        const isValidSignature = true; // Mocked for now
-
-        if (!isValidSignature) {
-            // if (recoveredAddress !== address)
-            return NextResponse.json({ error: "Invalid signature" }, { status: 403 });
+        // 2. Signature Verification using viem
+        const message = `Link wallet ${address} to user ${userId}`;
+        
+        try {
+            const isValidSignature = await verifyMessage({
+                address: address as `0x${string}`,
+                message: message,
+                signature: signature as `0x${string}`,
+            });
+
+            if (!isValidSignature) {
+                return NextResponse.json({ error: "Invalid signature" }, { status: 403 });
+            }
+        } catch (verifyError) {
+            console.error("Signature verification failed:", verifyError);
+            return NextResponse.json({ error: "Invalid signature format" }, { status: 403 });
         }
 
-        // 3. Service Call
         // 3. Service Call
         const result = await ReputationService.linkWallet(userId, address);