Validate shared session network (#25)

guibvieira · web-flow · commit 5585efacb6bd · 2026-06-23T09:32:57.000+01:00
diff --git a/src/lib/l1signing.ts b/src/lib/l1signing.ts
@@ -121,14 +121,15 @@ export function buildL1SigningContext(params: {
   phantomAgent: { source: string; connectionId: `0x${string}` }
   typedData: ReturnType<typeof buildL1SignTypedDataParams>
 } {
+  const isMainnet = networkToL1Source(params.network) === 'a'
   const envelope = [
     params.multisigAddress.toLowerCase(),
     params.outerSigner.toLowerCase(),
     params.action,
   ]
 
   const connectionIdBytes = actionHash(envelope, params.vaultAddress, params.nonce)
-  const phantomAgent = constructPhantomAgent(connectionIdBytes, params.network === 'Mainnet')
+  const phantomAgent = constructPhantomAgent(connectionIdBytes, isMainnet)
   const typedData = {
     domain: L1_DOMAIN,
     types: L1_TYPES,
@@ -144,6 +145,12 @@ export function buildL1SigningContext(params: {
   }
 }
 
+function networkToL1Source(network: Network): 'a' | 'b' {
+  if (network === 'Mainnet') return 'a'
+  if (network === 'Testnet') return 'b'
+  throw new Error(`Invalid network for L1 signing: ${String(network)}`)
+}
+
 // ============================================================================
 // Helpers
 // ============================================================================
diff --git a/src/lib/session.ts b/src/lib/session.ts
@@ -1,5 +1,13 @@
 import { resolve } from '$app/paths';
-import type { Session, FormValues } from './types';
+import type { Session, FormValues, Network } from './types';
+
+const NETWORK_ALIASES: Record<string, Network> = {
+	mainnet: 'Mainnet',
+	main: 'Mainnet',
+	mainet: 'Mainnet',
+	testnet: 'Testnet',
+	test: 'Testnet',
+};
 
 // Encode session to URL-safe base64 for sharing
 export function encodeSession(session: Session): string {
@@ -13,7 +21,11 @@ export function decodeSession(encoded: string): Session | null {
   try {
     const bytes = Uint8Array.from(atob(encoded), (c) => c.charCodeAt(0));
     const json = new TextDecoder().decode(bytes);
-    return JSON.parse(json) as Session;
+    const session = JSON.parse(json) as Session;
+    return {
+      ...session,
+      network: parseNetwork(session.network),
+    };
   } catch {
     return null;
   }
@@ -52,8 +64,20 @@ export function sessionToFormValues(session: Session): FormValues {
   return {
     actionType: session.actionType,
     multisigAddress: session.multisigAddress,
-    network: session.network,
+    network: parseNetwork(session.network),
     vaultAddress: session.vaultAddress,
     fields,
   };
 }
+
+function parseNetwork(value: unknown): Network {
+  if (typeof value !== 'string') {
+    throw new Error(`Invalid network in shared session: ${String(value)}`);
+  }
+
+  const network = NETWORK_ALIASES[value.trim().toLowerCase()];
+  if (!network) {
+    throw new Error(`Invalid network in shared session: ${value}`);
+  }
+  return network;
+}
