Check external nullifier on server side

proofcarryingdata · Jul 5, 2024 · 59d698c · 59d698c
1 parent 8ec1fa7
commit 59d698c
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/packages/lib/zuauth/src/server.ts b/packages/lib/zuauth/src/server.ts
@@ -56,7 +56,7 @@ const revealedFields: Record<
  */
 export async function authenticate(
   pcdStr: string,
-  { watermark, config, fieldsToReveal }: ZuAuthArgs
+  { watermark, config, fieldsToReveal, externalNullifier }: ZuAuthArgs
 ): Promise<ZKEdDSAEventTicketPCD> {
   const serializedPCD = JSON.parse(pcdStr);
   if (serializedPCD.type !== ZKEdDSAEventTicketPCDTypeName) {
@@ -73,6 +73,10 @@ export async function authenticate(
     throw new ZuAuthAuthenticationError("PCD watermark does not match");
   }
 
+  if (pcd.claim.externalNullifier?.toString() !== externalNullifier) {
+    throw new ZuAuthAuthenticationError("External nullfier does not match");
+  }
+
   // For each of the fields configured to be revealed, check that the claim
   // contains values.
   for (const [revealedField, fieldName] of Object.entries(revealedFields)) {