Merge pull request #73 from Dnreikronos/fix/verify-delegation-instruction

Dnreikronos · web-flow · commit a999de6ba80e · 2026-04-06T21:44:23.000-03:00
fix: verify approve_delegate discriminator and PDA in delegation check
diff --git a/backend/src/controllers/subscribe.controller.ts b/backend/src/controllers/subscribe.controller.ts
@@ -113,6 +113,7 @@ export const subscribe = async (
     const verification = await verifyDelegationTransaction({
       txSignature: validatedData.delegateTxSignature,
       expectedPayerWallet: validatedData.payer.walletAddress,
+      subscriptionId: validatedData.subscriptionId,
     });
 
     if (!verification.valid) {
diff --git a/backend/src/controllers/subscription.controller.ts b/backend/src/controllers/subscription.controller.ts
@@ -72,6 +72,7 @@ export const createSubscription = async (
     const verification = await verifyDelegationTransaction({
       txSignature: validatedData.delegateTxSignature,
       expectedPayerWallet: payer.walletAddress,
+      subscriptionId: validatedData.subscriptionId,
     });
 
     if (!verification.valid) {
diff --git a/backend/src/routes/subscribe.routes.ts b/backend/src/routes/subscribe.routes.ts
@@ -27,6 +27,7 @@ export async function subscribeRoutes(fastify: FastifyInstance) {
         required: [
           "payer",
           "planId",
+          "subscriptionId",
           "tokenMint",
           "delegateTxSignature",
           "delegateAuthority",
@@ -62,6 +63,12 @@ export async function subscribeRoutes(fastify: FastifyInstance) {
             format: "uuid",
             description: "ID of the recurring payment plan to subscribe to",
           },
+          subscriptionId: {
+            type: "string",
+            format: "uuid",
+            description:
+              "UUID generated client-side and used as the on-chain PDA seed for approve_delegate",
+          },
           tokenMint: {
             type: "string",
             description:
diff --git a/backend/src/schemas/subscribe.schema.ts b/backend/src/schemas/subscribe.schema.ts
@@ -21,6 +21,7 @@ export const subscribeSchema = z.object({
   }),
 
   planId: z.uuid("Invalid plan ID"),
+  subscriptionId: z.uuid("Invalid subscription ID"),
   tokenMint: z
     .string()
     .regex(
diff --git a/backend/src/schemas/subscription.schema.ts b/backend/src/schemas/subscription.schema.ts
@@ -27,6 +27,7 @@ import z from "zod";
 export const createSubscriptionSchema = z.object({
   planId: z.string().uuid("Invalid plan ID"),
   payerId: z.string().uuid("Invalid payer ID"),
+  subscriptionId: z.string().uuid("Invalid subscription ID"),
   tokenMint: z
     .string()
     .regex(
diff --git a/backend/src/services/solana.service.ts b/backend/src/services/solana.service.ts
@@ -225,9 +225,14 @@ export const verifyOneTimePayment = async (params: {
   };
 };
 
+const APPROVE_DELEGATE_DISCRIMINATOR = Buffer.from([
+  68, 6, 248, 64, 195, 222, 182, 223,
+]);
+
 export const verifyDelegationTransaction = async (params: {
   txSignature: string;
   expectedPayerWallet: string;
+  subscriptionId: string;
 }): Promise<{ valid: boolean; reason?: string }> => {
   const { connection } = initializeSolana();
 
@@ -242,14 +247,20 @@ export const verifyDelegationTransaction = async (params: {
   const programIdStr = PROGRAM_ID.toBase58();
   const instructions = tx.transaction.message.instructions;
 
-  const programInvoked = instructions.some(
-    (ix) => ix.programId.toBase58() === programIdStr,
-  );
+  const approveDelegateInvoked = instructions.some((ix) => {
+    if (ix.programId.toBase58() !== programIdStr) return false;
+    if (!("data" in ix)) return false;
+    const decoded = Buffer.from(anchor.utils.bytes.bs58.decode(ix.data as string));
+    return decoded
+      .subarray(0, 8)
+      .equals(APPROVE_DELEGATE_DISCRIMINATOR);
+  });
 
-  if (!programInvoked) {
+  if (!approveDelegateInvoked) {
     return {
       valid: false,
-      reason: "Transaction did not invoke the PattPay program",
+      reason:
+        "Transaction did not invoke the approve_delegate instruction on the PattPay program",
     };
   }
 
@@ -264,6 +275,21 @@ export const verifyDelegationTransaction = async (params: {
     };
   }
 
+  const payerPubkey = new PublicKey(params.expectedPayerWallet);
+  const { delegateApprovalPDA } = derivePDAs(
+    params.subscriptionId,
+    payerPubkey,
+  );
+  const accountInfo = await connection.getAccountInfo(delegateApprovalPDA);
+
+  if (accountInfo === null) {
+    return {
+      valid: false,
+      reason:
+        "DelegateApproval PDA does not exist on-chain, delegation not confirmed",
+    };
+  }
+
   return { valid: true };
 };
 
diff --git a/frontend/lib/hooks/usePaymentMutations.ts b/frontend/lib/hooks/usePaymentMutations.ts
@@ -65,6 +65,7 @@ export function useSubscribe() {
           email: data.email,
         },
         planId: data.planId,
+        subscriptionId: data.subscriptionId,
         tokenMint: data.tokenMint,
         delegateTxSignature: approvalResult.txSignature,
         delegateAuthority: approvalResult.delegateAuthority,
diff --git a/frontend/lib/types/subscription.ts b/frontend/lib/types/subscription.ts
@@ -12,6 +12,7 @@ export interface SubscribeRequest {
 
   // Subscription details
   planId: string;
+  subscriptionId: string;
   tokenMint: string;
 
   // On-chain delegation proof
