Arkie-Library-Frontend/.unipi/docs/fix/2026-06-04-tokenpocket-signature-verification-fix.md

title: TokenPocket direct login requires signature verification — Quick Fix
type: quick-fix
date: 2026-06-04

TokenPocket direct login requires signature verification — Quick Fix

Bug

Mobile TokenPocket deeplink opened the site inside the wallet browser and completed login immediately after reading the injected wallet address. It did not trigger a password/signature verification step, so users did not get an explicit address verification prompt.

Root Cause

AutoInjectedLogin used connectInjectedWallet() and then wrote a local frontend wallet token. The injected deeplink path in useWalletConnectLogin used the same address-only flow. Both paths skipped the existing backend nonce + personal_sign verification flow.

Fix

Changed injected wallet direct login to use signInWithInjectedWallet(), which requests a backend nonce, asks the wallet to sign it, verifies the signature with the backend, and stores the verified backend JWT. If injected verification fails, the direct injected path now stops with an error instead of falling back to an unverified WalletConnect/local-token login.
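The verified flow described above, as an added example that is not the project's own code. `verifiedInjectedSignIn`, the three types and the test doubles are hypothetical names, and the `signed(...)` string stands in for a real `personal_sign` signature so the example runs offline.

```typescript
type Eip1193 = { request(a: { method: string; params?: unknown[] }): Promise<unknown> };
type AuthApi = {
  getNonce(address: string): Promise<string>; // server-issued challenge
  verify(address: string, signature: string): Promise<string | null>; // JWT or null
};
type TokenStore = { token: string | null };
// Hypothetical verified path (added example): a token is stored only after the
// backend accepts the signature over its own nonce.
async function verifiedInjectedSignIn(wallet: Eip1193, api: AuthApi, store: TokenStore): Promise<string> {
  try {
    const [address] = (await wallet.request({ method: "eth_requestAccounts" })) as string[];
    if (!address) throw new Error("wallet returned no account");
    const nonce = await api.getNonce(address);
    // personal_sign params are [message, account]; this is the prompt the user sees.
    const signature = await wallet.request({ method: "personal_sign", params: [nonce, address] });
    const jwt = await api.verify(address, String(signature));
    if (!jwt) throw new Error("signature verification failed");
    store.token = jwt;
    return address;
  } catch (err) {
    store.token = null; // fail closed: no address-only or fallback session
    throw err;
  }
}

// Constructed test doubles. "signed(...)" is a stand-in string, not real ECDSA.
const ADDRESS = "0x00000000000000000000000000000000000000aa";
const fakeWallet = (sign: (nonce: string) => string): Eip1193 => ({
  async request({ method, params }) {
    return method === "eth_requestAccounts" ? [ADDRESS] : sign(String(params?.[0]));
  },
});
function fakeBackend(): AuthApi {
  const pending = new Map<string, string>();
  let issued = 0;
  return {
    async getNonce(address) { pending.set(address, `nonce-${++issued}`); return pending.get(address)!; },
    async verify(address, signature) {
      const nonce = pending.get(address);
      pending.delete(address); // each nonce is single use
      return nonce && signature === `signed(${nonce})` ? `jwt-for-${address}` : null;
    },
  };
}
// Runs one login attempt and returns what ended up in the token store.
async function storedTokenAfter(sign: (nonce: string) => string): Promise<string | null> {
  const store: TokenStore = { token: "stale-local-token" };
  await verifiedInjectedSignIn(fakeWallet(sign), fakeBackend(), store).catch(() => undefined);
  return store.token;
}
```

A wallet that only reports an address, returns a signature the backend rejects, or declines the prompt leaves the store empty, which is the fail-closed behaviour the fix introduces.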

Files Modified

  • src/wallet/AutoInjectedLogin.tsx — TP/imToken ?autoLogin= deeplink now requires wallet signature verification before completing login.
  • src/wallet/useWalletConnectLogin.ts — injected deeplink path now uses verified sign-in and does not bypass verification after a signature failure.

Verification

  • npx tsc --noEmit
  • npm run format:check
  • npm test

Notes

WalletConnect QR fallback still uses the existing local-session behavior; this fix targets the TokenPocket/injected direct-login flow described in the bug report.