fix: remove doPublicKeysMatchUsername

Author: janniks

package-lock.json

@@ -44,7 +44,6 @@
     "@stacks/encryption": "^3.3.0",
     "@stacks/network": "^3.3.0",
     "@stacks/profile": "^3.3.0",
-    "c32check": "^1.1.3",
     "cross-fetch": "^3.1.4",
     "jsontokens": "^3.0.0",
     "query-string": "^6.13.1"

packages/auth/package.json

@@ -6,7 +6,6 @@ export {
   verifyAuthResponse,
   isExpirationDateValid,
   isIssuanceDateValid,
-  doPublicKeysMatchUsername,
   doPublicKeysMatchIssuer,
   doSignaturesMatchPublicKeys,
   isManifestUriValid,

packages/auth/src/index.ts

@@ -1,9 +1,7 @@
 import { decodeToken, TokenVerifier } from 'jsontokens';
 import { getAddressFromDID } from './dids';
 import { publicKeyToAddress } from '@stacks/encryption';
-import { fetchPrivate, isSameOriginAbsoluteUrl } from '@stacks/common';
 import { fetchAppManifest } from './provider';
-import { c32ToB58 } from 'c32check';
 
 /**
  * Checks if the ES256k signature on passed `token` match the claimed public key
@@ -65,70 +63,6 @@ export function doPublicKeysMatchIssuer(token: string): boolean {
   return false;
 }
 
-/**
- * Looks up the identity address that owns the claimed username
- * in `token` using the lookup endpoint provided in `nameLookupURL`
- * to determine if the username is owned by the identity address
- * that matches the claimed public key
- *
- * @param  {String} token  encoded and signed authentication token
- * @param  {String} nameLookupURL a URL to the name lookup endpoint of the Blockstack Core API
- * @return {Promise<Boolean>} returns a `Promise` that resolves to
- * `true` if the username is owned by the public key, otherwise the
- * `Promise` resolves to `false`
- * @private
- * @ignore
- */
-export async function doPublicKeysMatchUsername(
-  token: string,
-  nameLookupURL: string
-): Promise<boolean> {
-  try {
-    const payload = decodeToken(token).payload;
-    if (typeof payload === 'string') {
-      throw new Error('Unexpected token payload type of string');
-    }
-    if (!payload.username) {
-      return true;
-    }
-
-    if (payload.username === null) {
-      return true;
-    }
-
-    if (nameLookupURL === null) {
-      return false;
-    }
-
-    const username = payload.username;
-    const url = `${nameLookupURL.replace(/\/$/, '')}/${username}`;
-    const response = await fetchPrivate(url);
-    const responseText = await response.text();
-    const responseJSON = JSON.parse(responseText);
-    if (responseJSON.hasOwnProperty('address')) {
-      const nameOwningAddress = responseJSON.address;
-      let nameOwningAddressBtc = nameOwningAddress;
-      try {
-        // try converting STX to BTC
-        // if this throws, it's already a BTC address
-        nameOwningAddressBtc = c32ToB58(nameOwningAddress, 0);
-      } catch {}
-      const addressFromIssuer = getAddressFromDID(payload.iss);
-      if (nameOwningAddressBtc === addressFromIssuer) {
-        return true;
-      } else {
-        return false;
-      }
-    } else {
-      return false;
-    }
-  } catch (error) {
-    console.log(error);
-    console.log('Error checking `doPublicKeysMatchUsername`');
-    return false;
-  }
-}
-
 /**
  * Checks if the if the token issuance time and date is after the
  * current time and date.

packages/auth/src/verification.ts

@@ -8,7 +8,6 @@ import {
   isIssuanceDateValid,
   doSignaturesMatchPublicKeys,
   doPublicKeysMatchIssuer,
-  doPublicKeysMatchUsername,
   isManifestUriValid,
   isRedirectUriValid,
   verifyAuthRequestAndLoadManifest,
@@ -30,7 +29,6 @@ beforeEach(() => {
 
 const privateKey = 'a5c61c6ca7b3e7e55edee68566aeab22e4da26baa285c7bd10e8d2218aa3b229';
 const publicKey = '027d28f9951ce46538951e3697c62588a87f1f1f295de4a14fdd4c780fc52cfe69';
-const nameLookupURL = 'https://stacks-node-api.mainnet.stacks.co/v1/names/';
 
 test('makeAuthRequest && verifyAuthRequest', async () => {
   const appConfig = new AppConfig(['store_write'], 'http://localhost:3000');
@@ -191,10 +189,6 @@ test('makeAuthResponse && verifyAuthResponse', async () => {
   expect(isIssuanceDateValid(authResponse)).toBe(true);
   expect(doSignaturesMatchPublicKeys(authResponse)).toBe(true);
   expect(doPublicKeysMatchIssuer(authResponse)).toBe(true);
-
-  await doPublicKeysMatchUsername(authResponse, nameLookupURL).then(verifiedResult => {
-    expect(verifiedResult).toBe(true);
-  });
 });
 
 test('auth response with invalid or empty appPrivateKeyFromWalletSalt', async () => {
@@ -253,10 +247,6 @@ test('auth response with username', async () => {
 
   const authResponse = await makeAuthResponse(privateKey, sampleProfiles.ryan, 'ryan.id', null);
 
-  await doPublicKeysMatchUsername(authResponse, nameLookupURL).then(verified => {
-    expect(verified).toBe(true);
-  });
-
   await verifyAuthResponse(authResponse).then(verifiedResult => {
     expect(verifiedResult).toBe(true);
   });