From 354f9b59dbe24e1c9fd835f7f2fd83f7fdaccf52 Mon Sep 17 00:00:00 2001
From: Zaptoss
Date: Fri, 2 Aug 2024 13:32:09 +0300
Subject: [PATCH] Fix auth in fulfill poll event

---
 internal/service/handlers/fulfill_poll_event.go | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/internal/service/handlers/fulfill_poll_event.go b/internal/service/handlers/fulfill_poll_event.go
index 12d049e..b2177fb 100644
--- a/internal/service/handlers/fulfill_poll_event.go
+++ b/internal/service/handlers/fulfill_poll_event.go
@@ -6,8 +6,8 @@ import (
 "fmt"
 "math/big"
 "net/http"
- "strings"
 
+ "github.com/ethereum/go-ethereum/common/hexutil"
 validation "github.com/go-ozzo/ozzo-validation/v4"
 "github.com/rarimo/geo-auth-svc/pkg/auth"
 "github.com/rarimo/geo-points-svc/internal/config"
@@ -28,17 +28,16 @@ func FulfillPollEvent(w http.ResponseWriter, r *http.Request) {
 
 proof := req.Data.Attributes.Proof
 
- nullifierDec, _ := new(big.Int).SetString(proof.PubSignals[config.PollChallengedNullifier], 10)
- nullifier := "0x" + strings.ToLower(nullifierDec.Text(16))
-
- proposalID, _ := new(big.Int).SetString(req.Data.Attributes.ProposalId, 10)
- proposalEventID, _ := new(big.Int).SetString(proof.PubSignals[config.PollParticipationEventID], 10)
-
- if !auth.Authenticates(UserClaims(r), auth.UserGrant(nullifier)) {
+ nullifier := UserClaims(r)[0].Nullifier
+ if !auth.Authenticates(UserClaims(r), auth.VerifiedGrant(nullifier)) ||
+ new(big.Int).SetBytes(hexutil.MustDecode(nullifier)).String() != proof.PubSignals[config.PollChallengedNullifier] {
 ape.RenderErr(w, problems.Unauthorized())
 return
 }
 
+ proposalID, _ := new(big.Int).SetString(req.Data.Attributes.ProposalId, 10)
+ proposalEventID, _ := new(big.Int).SetString(proof.PubSignals[config.PollParticipationEventID], 10)
+
 log := Log(r).WithFields(map[string]any{
 "nullifier": nullifier,
 "proof": proof,
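Review bot: The new authorization check in the second hunk can panic instead of answering 401: `UserClaims(r)[0]` indexes the claims slice with no length check, and `hexutil.MustDecode(nullifier)` panics on any claim value that is not well-formed 0x-prefixed hex. Whether earlier middleware guarantees a non-empty claim list with a valid nullifier is not visible here, so the handler should fail closed itself by checking `len(claims)` and using `hexutil.Decode`, treating a decode error as Unauthorized. The decimal-string comparison against `proof.PubSignals[config.PollChallengedNullifier]` rejects non-canonical encodings, which is the safe direction, though the index presumably relies on request validation above the hunk. The relocated `SetString` calls still discard the ok result, so `proposalID` and `proposalEventID` can be nil on malformed input and deserve an explicit check before use. FulfillPollEvent begins and ends outside this hunk.

```go
	proof := req.Data.Attributes.Proof

	claims := UserClaims(r)
	if len(claims) == 0 {
		ape.RenderErr(w, problems.Unauthorized())
		return
	}
	nullifier := claims[0].Nullifier
	// Decode instead of MustDecode: a malformed claim must produce 401, not a panic.
	rawNullifier, err := hexutil.Decode(nullifier)
	if err != nil ||
		!auth.Authenticates(claims, auth.VerifiedGrant(nullifier)) ||
		new(big.Int).SetBytes(rawNullifier).String() != proof.PubSignals[config.PollChallengedNullifier] {
		ape.RenderErr(w, problems.Unauthorized())
		return
	}
	// … unchanged: proposalID / proposalEventID parsing and logger setup …
```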