Fixed NEAR verifyMessage accessing undefined ed25519Key property

[SergeyG-Solicy]

Summary by CodeRabbit

• Refactor
  • Simplified and optimized public key decoding logic in blockchain message verification to improve performance and reduce code complexity.

[qodo-code-review]

Review Summary by Qodo

Fix NEAR verifyMessage ed25519Key property access error

🐞 Bug fix

Walkthroughs

Description

• Fixed incorrect property access in NEAR verifyMessage method
• Removed unnecessary nested property access to ed25519Key
• Simplified publicKey decoding logic for correct verification

Diagram

flowchart LR
  A["publicKeyObject.ed25519Key.data<br/>(incorrect)"] -->|"simplify"| B["publicKeyObject.data<br/>(correct)"]
  B -->|"create Uint8Array"| C["publicKeyDecoded"]
  C -->|"use in verification"| D["nacl.sign.detached.verify"]

Loading

File Changes

1. src/multichain/core/near.ts 🐞 Bug fix +1/-2

Simplify NEAR publicKey decoding logic

• Removed incorrect nested property access publicKeyObject.ed25519Key.data
• Changed to direct property access publicKeyObject.data
• Eliminated unnecessary intermediate variable publicKeyRaw
• Simplified Uint8Array creation from publicKey object

src/multichain/core/near.ts

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (1) 📎 Requirement gaps (0)

1. Missing .beads/issues.jsonl update 📘 Rule violation ⛯ Reliability

Description

This PR changes code but does not include the corresponding updated .beads/issues.jsonl (or
related .beads/ sync output) in the provided change set. This can cause br issue state to drift
from the code state.

Code

src/multichain/core/near.ts[270]

+        const publicKeyDecoded = new Uint8Array(publicKeyObject.data);

Evidence

PR Compliance ID 3 requires committing updated .beads/issues.jsonl alongside code changes for
br-tracked work; the provided PR diff shows code changes in src/multichain/core/near.ts but does
not show any .beads/ sync output being committed.

AGENTS.md
src/multichain/core/near.ts[270-270]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
This PR changes code but does not include the updated `.beads/issues.jsonl` (and related `.beads/` sync output), which can leave br issue state out of sync with the repository.

## Issue Context
Compliance requires committing the br issue export alongside code changes for br-tracked work.

## Fix Focus Areas
- src/multichain/core/near.ts[270-270]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[coderabbitai]

Walkthrough

Modified the public key decoding logic in the verifyMessage function within the NEAR module. Changed from extracting and reconstructing the public key via Object.values() on a nested property to directly instantiating a Uint8Array from the data property. No functional behavior alterations.

Changes

Cohort / File(s)	Summary
NEAR Public Key Decoding src/multichain/core/near.ts	Simplified public key decoding in verifyMessage by replacing Object.values(publicKeyObject.ed25519Key.data) with direct Uint8Array instantiation from publicKeyObject.data.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A simpler path for keys so bright,
No nested values in the night,
Uint8Array takes the lead,
Hopping swift to fill the need! 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main fix: addressing an undefined ed25519Key property access issue in NEAR's verifyMessage function.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/near-verify-message

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/multichain/core/near.ts (1)

269-276: ⚠️ Potential issue | 🟡 Minor

Add explicit validation for Ed25519 key curve before verification.

The verifyMessage function at line 270 directly passes the public key to nacl.sign.detached.verify(), which only supports Ed25519 signatures. While NEAR supports both ed25519 and secp256k1 key curves (as evidenced by the createAccount method allowing both), this function will silently fail or throw an opaque error if a secp256k1 key is provided. Add an explicit check to reject unsupported key curves upfront with a clear error message.

Suggested fix

     const signatureDecoded = utils.serialize.base_decode(signature);
     const publicKeyObject = utils.key_pair.PublicKey.from(publicKey);
+    if (!publicKey.startsWith("ed25519:")) {
+        throw new Error(
+            `Unsupported NEAR public key curve for verifyMessage: expected ed25519, got ${publicKey.split(":")[0] || "unknown"}`,
+        )
+    }
     const publicKeyDecoded = new Uint8Array(publicKeyObject.data);
     const messageBytes = decodeUTF8(message);

This aligns with the coding guideline "Provide clear, actionable error messages" and prevents silent failures when non-Ed25519 keys are used.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/multichain/core/near.ts` around lines 269 - 276, In verifyMessage, ensure
you explicitly validate the public key curve before attempting signature
verification: inspect the utils.key_pair.PublicKey (or its string/enum form) to
confirm the key curve is "ed25519" and throw a clear, descriptive error (e.g.,
"unsupported key curve: expected ed25519") if it's not; only then decode the
PublicKey into publicKeyDecoded and call nacl.sign.detached.verify with
messageBytes, signatureDecoded, publicKeyDecoded. This prevents passing
secp256k1 keys (or others) into nacl.sign.detached.verify and yields an
actionable error instead of an opaque failure.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@src/multichain/core/near.ts`:
- Around line 269-276: In verifyMessage, ensure you explicitly validate the
public key curve before attempting signature verification: inspect the
utils.key_pair.PublicKey (or its string/enum form) to confirm the key curve is
"ed25519" and throw a clear, descriptive error (e.g., "unsupported key curve:
expected ed25519") if it's not; only then decode the PublicKey into
publicKeyDecoded and call nacl.sign.detached.verify with messageBytes,
signatureDecoded, publicKeyDecoded. This prevents passing secp256k1 keys (or
others) into nacl.sign.detached.verify and yields an actionable error instead of
an opaque failure.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3f3635e6-b4f8-4b77-a4f7-cb55e758695a

📥 Commits

Reviewing files that changed from the base of the PR and between 81811d7 and 96a97ba.

📒 Files selected for processing (1)

• src/multichain/core/near.ts