클라이언트가 Decryption Oracle로 사용될 수 있는 취약점 수정

2026-02-04 08:06:56 +00:00 · 2025-07-04 23:26:58 +09:00
parent 13bac59824
commit c9331ae5b7
12 changed files with 58 additions and 38 deletions
--- a/src/routes/api/client/register/verify/+server.ts
+++ b/src/routes/api/client/register/verify/+server.ts
@@ -9,8 +9,8 @@ export const POST: RequestHandler = async ({ locals, request }) => {

  const zodRes = clientRegisterVerifyRequest.safeParse(await request.json());
  if (!zodRes.success) error(400, "Invalid request body");
-  const { answer, answerSig } = zodRes.data;
+  const { id, answerSig } = zodRes.data;

-  await verifyUserClient(userId, locals.ip, answer, answerSig);
+  await verifyUserClient(userId, locals.ip, id, answerSig);
  return text("Client verified", { headers: { "Content-Type": "text/plain" } });
 };