Bug
In `src/app/api/ratings/route.ts`, the signed message format is:
`Rate storyline ${storylineId} with rating ${rating}`
The comment field is not included in the signed message. A valid signature can be replayed with a different comment value.
Impact: Low — comments are optional and non-financial. But a third party who intercepts a signature could submit it with an arbitrary comment attributed to the signer.
Fix:
- Include the comment (or its hash) in the signed message
- Update both the API verification and the frontend signing in `RatingWidget.tsx`
- Handle the empty comment case (e.g., hash of the empty string)
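An added illustration of the fix (not the project's code): the message format as the issue describes it beside a version that also signs sha256(comment), with a simulated server check showing that the first format accepts a replayed signature with a swapped comment and the second rejects it. The Ed25519 key pair from Node's crypto module is an assumed stand-in for whatever the app really signs with, and `story-42` is a constructed id.

```typescript
import { createHash, generateKeyPairSync, sign, verify } from "crypto";

// Vulnerable format from the bug report: the comment is not covered.
function legacyMessage(storylineId: string, rating: number): string {
  return `Rate storyline ${storylineId} with rating ${rating}`;
}

// sha256 of the comment; an empty comment hashes the empty string, so the field is always present.
function commentHash(comment: string): string {
  return createHash("sha256").update(comment ?? "", "utf8").digest("hex");
}

// Hardened format: the comment hash is part of what gets signed.
function boundMessage(storylineId: string, rating: number, comment: string): string {
  return `${legacyMessage(storylineId, rating)} comment ${commentHash(comment)}`;
}

// Stand-in signer (Ed25519 via Node crypto); assumed, the app's real wallet scheme may differ.
function makeSigner() {
  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
  return {
    sign: (msg: string) => sign(null, Buffer.from(msg, "utf8"), privateKey),
    verify: (msg: string, sig: Buffer) => verify(null, Buffer.from(msg, "utf8"), publicKey, sig),
  };
}

type Body = { storylineId: string; rating: number; comment: string; sig: Buffer };

// Simulated API check: rebuild the message from the submitted fields and verify the signature.
function serverAccepts(ok: (m: string, s: Buffer) => boolean, body: Body, bindComment: boolean): boolean {
  const msg = bindComment
    ? boundMessage(body.storylineId, body.rating, body.comment)
    : legacyMessage(body.storylineId, body.rating);
  return ok(msg, body.sig);
}

function replayDemo() {
  const s = makeSigner();
  const storylineId = "story-42"; // constructed sample id
  // The legitimate user signs rating 5 with comment "great".
  const legacySig = s.sign(legacyMessage(storylineId, 5));
  const boundSig = s.sign(boundMessage(storylineId, 5, "great"));
  // A third party resubmits each signature with a swapped comment.
  const swap = { storylineId, rating: 5, comment: "terrible" };
  return {
    legacyReplayed: serverAccepts(s.verify, { ...swap, sig: legacySig }, false), // true: accepted
    boundReplayed: serverAccepts(s.verify, { ...swap, sig: boundSig }, true),    // false: rejected
    boundLegit: serverAccepts(s.verify, { storylineId, rating: 5, comment: "great", sig: boundSig }, true),
  };
}
```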
Context: Introduced in PR #84 (API) and PR #85 (UI).
Checklist:
- `src/app/api/ratings/route.ts`
- `src/components/RatingWidget.tsx`
- `npm run lint` and `npm run typecheck` pass
Labels: bug, agent/T3