fix: validate that fid on username add message matches fid on ens proof

.changeset/warm-cheetahs-drive.md

@@ -0,0 +1,5 @@
+---
+"@farcaster/hubble": patch
+---
+
+fix: validate that fid on username add message matches fid on ens proof

apps/hubble/src/storage/engine/index.test.ts

@@ -983,6 +983,43 @@ describe("mergeMessage", () => {
         expect(result._unsafeUnwrapErr().message).toMatch("failed to resolve ens");
       });
 
+      test("fails when fid on message doesn't match fid on ens name proof", async () => {
+        const fid2 = Factories.Fid.build();
+        const signer2 = Factories.Ed25519Signer.build();
+        const custodySigner2 = Factories.Eip712Signer.build();
+        const signerKey2 = (await signer2.getSignerKey())._unsafeUnwrap();
+        const custodySignerKey2 = (await custodySigner2.getSignerKey())._unsafeUnwrap();
+        const custodyEvent2 = Factories.IdRegistryOnChainEvent.build(
+          { fid: fid2 },
+          { transient: { to: custodySignerKey2 } },
+        );
+        const signerAddEvent2 = Factories.SignerOnChainEvent.build(
+          { fid: fid2 },
+          { transient: { signer: signerKey2 } },
+        );
+        const storageEvent2 = Factories.StorageRentOnChainEvent.build({ fid: fid2 });
+        await engine.mergeOnChainEvent(custodyEvent2);
+        await engine.mergeOnChainEvent(signerAddEvent2);
+        await engine.mergeOnChainEvent(storageEvent2);
+
+        const spoofedUserDataAdd = await Factories.UserDataAddMessage.create(
+          {
+            data: {
+              fid: fid2,
+              userDataBody: {
+                type: UserDataType.USERNAME,
+                value: "test123.eth",
+              },
+            },
+          },
+          { transient: { signer: signer2 } },
+        );
+
+        const result = await engine.mergeMessage(spoofedUserDataAdd);
+        expect(result).toMatchObject(err({ errCode: "bad_request.validation_failure" }));
+        expect(result._unsafeUnwrapErr().message).toMatch(`fid ${fid} does not match message fid ${fid2}`);
+      });
+
       test("revokes the user data add when the username proof is revoked", async () => {
         const result = await engine.mergeMessage(userDataAdd);
         expect(result.isOk()).toBeTruthy();

apps/hubble/src/storage/engine/index.ts

@@ -1279,23 +1279,28 @@
           return err(nameProof.error);
         }
 
-        if (nameProof.value.type === UserNameType.USERNAME_TYPE_FNAME) {
-          // Check that the fid for the fname and message are the same
-          if (nameProof.value.fid !== message.data.fid) {
-            return err(
-              new HubError(
-                "bad_request.validation_failure",
-                `fname fid ${nameProof.value.fid} does not match message fid ${message.data.fid}`,
-              ),
-            );
-          }
-        } else if (nameProof.value.type === UserNameType.USERNAME_TYPE_ENS_L1) {
+        if (
+          nameProof.value.type !== UserNameType.USERNAME_TYPE_FNAME &&
+          nameProof.value.type !== UserNameType.USERNAME_TYPE_ENS_L1
+        ) {
+          return err(new HubError("bad_request.validation_failure", "invalid username type"));
+        }
+
+        // Check that the fid for the fname/ens name and message are the same
+        if (nameProof.value.fid !== message.data.fid) {
+          return err(
+            new HubError(
+              "bad_request.validation_failure",
+              `fid ${nameProof.value.fid} does not match message fid ${message.data.fid}`,
+            ),
+          );
+        }
+
+        if (nameProof.value.type === UserNameType.USERNAME_TYPE_ENS_L1) {
           const result = await this.validateEnsUsernameProof(nameProof.value, custodyAddress);
           if (result.isErr()) {
             return err(result.error);
           }
-        } else {
-          return err(new HubError("bad_request.validation_failure", "invalid username type"));
         }
       }
     }