From 4fa46488c806828c97e88691ccee0449939395c3 Mon Sep 17 00:00:00 2001
From: Thomas Heck
Date: Sun, 6 Jul 2025 18:37:12 +0200
Subject: [PATCH] fix(shared): make wire.verifyAndDeserializeData verify message correctly
---
 pkgs/shared/src/utils.ts | 13 +++++++++++++
 pkgs/shared/src/wire.ts | 3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/pkgs/shared/src/utils.ts b/pkgs/shared/src/utils.ts
index 6495e81..e768bb7 100644
--- a/pkgs/shared/src/utils.ts
+++ b/pkgs/shared/src/utils.ts
@@ -4,3 +4,16 @@ export function createArray(
 ): Array {
 return Array.from({ length }, (_, index) => f(index));
 }
+
+export function byteArraysEqual(arr1: Uint8Array, arr2: Uint8Array): boolean {
+ const len = arr1.length;
+ if (len !== arr2.length) {
+ return false;
+ }
+ for (let i = 0; i < len; i += 1) {
+ if (arr1[i] !== arr2[i]) {
+ return false;
+ }
+ }
+ return true;
+}
diff --git a/pkgs/shared/src/wire.ts b/pkgs/shared/src/wire.ts
index fcbe412..265d8b5 100644
--- a/pkgs/shared/src/wire.ts
+++ b/pkgs/shared/src/wire.ts
@@ -3,6 +3,7 @@ import {
 fromByteArray as serializeArray,
 toByteArray as deserializeArray,
 } from "base64-js";
+import { byteArraysEqual } from "./utils";
 export { serializeArray, deserializeArray };
@@ -56,7 +57,7 @@ export async function verifyAndDeserializeData(
 ): Promise {
 const arr = utf16StringToArrayBuffer(`${signedData.data}:${secret}`);
 const hash = new Uint8Array(await crypto.subtle.digest("SHA-256", arr));
- if (hash !== deserializeArray(signedData.hash)) {
+ if (!byteArraysEqual(hash, deserializeArray(signedData.hash))) {
 throw new Error(`Signed data verification failed, hash mismatch`);
 }
 const data = JSON.parse(signedData.data);
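Review bot: `byteArraysEqual` returns at the first differing byte, and the `wire.ts` hunk uses it to compare a secret-derived SHA-256 digest with the caller-supplied `signedData.hash`, so the comparison time can reveal how many leading bytes matched. Keep the length check but accumulate the differences instead of exiting early: `let diff = 0;` before the loop, `diff |= arr1[i] ^ arr2[i];` as the loop body, and `return diff === 0;` at the end. JavaScript engines give no hard constant-time guarantee, so a short doc comment should state that the helper is a best-effort timing-safe comparison intended for authentication tags.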
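Review bot: The value verified in `verifyAndDeserializeData` is a plain SHA-256 over `${signedData.data}:${secret}`, a hand-rolled keyed hash rather than a standard MAC. Web Crypto offers HMAC (`crypto.subtle.importKey` with `{ name: "HMAC", hash: "SHA-256" }`, then `crypto.subtle.verify`), which would also take over the tag comparison. Switching changes the wire format, so it would likely need a versioned migration. Because the removed `hash !== deserializeArray(...)` compared object references and so presumably rejected every message, a regression test with one valid and one tampered `signedData` would pin the corrected behaviour. The function body starts and ends outside this hunk.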