fix(network/auth): respect handshake responders when preparing keysets and pricing

Ansonhkg · Ansonhkg · commit e06316829599 · 2025-10-06T17:43:56.000+01:00
- limit JIT keyset creation to nodes that actually returned server keys and filter price data to match, avoiding encryption attempts against missing nodes (packages/networks/src/networks/vNaga/shared/factories/BaseModuleFactory.ts)
- adjust PKP and custom auth adapters to derive node pricing only from responding nodes and fail fast if they can’t satisfy the threshold, preventing session-sign requests from targeting unreachable URLs (packages/auth/src/lib/AuthManager/authAdapters/getPkpAuthContextAdapter.ts, getCustomAuthContextAdapter.ts)
diff --git a/packages/auth/src/lib/AuthManager/authAdapters/getCustomAuthContextAdapter.ts b/packages/auth/src/lib/AuthManager/authAdapters/getCustomAuthContextAdapter.ts
@@ -56,8 +56,19 @@ export async function getCustomAuthContextAdapter(
   const threshold = handshakeResult.threshold;
 
   // TODO: ❗️THIS IS NOT TYPED - we have to fix this! (This can only be in Naga)
+  const respondingUrlSet = new Set(Object.keys(handshakeResult.serverKeys));
+  const respondingNodePrices = nodePrices.filter((item: { url: string }) =>
+    respondingUrlSet.has(item.url)
+  );
+
+  if (respondingNodePrices.length < threshold) {
+    throw new Error(
+      `Not enough handshake nodes to satisfy threshold. Threshold: ${threshold}, responding nodes: ${respondingNodePrices.length}`
+    );
+  }
+
   const nodeUrls = litClientCtx.getMaxPricesForNodeProduct({
-    nodePrices: nodePrices,
+    nodePrices: respondingNodePrices,
     userMaxPrice: litClientCtx.getUserMaxPrice({
       product: 'LIT_ACTION',
     }),
diff --git a/packages/auth/src/lib/AuthManager/authAdapters/getPkpAuthContextAdapter.ts b/packages/auth/src/lib/AuthManager/authAdapters/getPkpAuthContextAdapter.ts
@@ -133,8 +133,19 @@ export async function getPkpAuthContextAdapter(
   const threshold = handshakeResult.threshold;
 
   // TODO: ❗️THIS IS NOT TYPED - we have to fix this! (This can only be in Naga)
+  const respondingUrlSet = new Set(Object.keys(handshakeResult.serverKeys));
+  const respondingNodePrices = nodePrices.filter((item: { url: string }) =>
+    respondingUrlSet.has(item.url)
+  );
+
+  if (respondingNodePrices.length < threshold) {
+    throw new Error(
+      `Not enough handshake nodes to satisfy threshold. Threshold: ${threshold}, responding nodes: ${respondingNodePrices.length}`
+    );
+  }
+
   const nodeUrls = litClientCtx.getMaxPricesForNodeProduct({
-    nodePrices: nodePrices,
+    nodePrices: respondingNodePrices,
     userMaxPrice: litClientCtx.getUserMaxPrice({
       product: 'LIT_ACTION',
     }),
diff --git a/packages/networks/src/networks/vNaga/shared/factories/BaseModuleFactory.ts b/packages/networks/src/networks/vNaga/shared/factories/BaseModuleFactory.ts
@@ -450,17 +450,49 @@ export function createBaseModule<T, M>(config: BaseModuleConfig<T, M>) {
       ): Promise<NagaJitContext> => {
         const keySet: KeySet = {};
 
-        for (const url of connectionInfo.bootstrapUrls) {
+        const respondingUrls = Object.keys(handshakeResult.serverKeys);
+        const respondingUrlSet = new Set(respondingUrls);
+
+        if (respondingUrls.length === 0) {
+          throw new Error(
+            `Handshake response did not include any node identity keys. Received handshake result: ${JSON.stringify(
+              handshakeResult
+            )}`
+          );
+        }
+
+        for (const url of respondingUrls) {
+          const serverKey = handshakeResult.serverKeys[url];
+
+          if (!serverKey || !serverKey.nodeIdentityKey) {
+            throw new Error(
+              `Handshake response missing node identity key for node ${url}. Received handshake result: ${JSON.stringify(
+                handshakeResult
+              )}`
+            );
+          }
+
           keySet[url] = {
             publicKey: hexToBytes(
               HexPrefixedSchema.parse(
-                handshakeResult.serverKeys[url].nodeIdentityKey
+                serverKey.nodeIdentityKey
               ) as `0x${string}`
             ),
             secretKey: nacl.box.keyPair().secretKey,
           };
         }
 
+        const missingUrls = connectionInfo.bootstrapUrls.filter(
+          (url) => !keySet[url]
+        );
+
+        if (missingUrls.length > 0) {
+          _logger.warn(
+            { missingUrls },
+            'Some bootstrap URLs did not complete the handshake; proceeding with responding nodes only'
+          );
+        }
+
         // Use read-only account for viewing PKPs
         const account = privateKeyToAccount(DEV_PRIVATE_KEY);
 
@@ -473,7 +505,25 @@ export function createBaseModule<T, M>(config: BaseModuleConfig<T, M>) {
           account
         );
 
-        return { keySet, nodePrices };
+        const filteredNodePrices = nodePrices.filter((price) =>
+          respondingUrlSet.has(price.url)
+        );
+
+        if (filteredNodePrices.length === 0) {
+          throw new Error('Unable to resolve price data for responding handshake nodes');
+        }
+
+        if (filteredNodePrices.length !== nodePrices.length) {
+          const excludedByPriceFeed = nodePrices
+            .filter((price) => !respondingUrlSet.has(price.url))
+            .map((price) => price.url);
+          _logger.warn(
+            { excludedByPriceFeed },
+            'Price feed included nodes that did not complete the handshake; excluding them from pricing context'
+          );
+        }
+
+        return { keySet, nodePrices: filteredNodePrices };
       },
 
       /**
