git commit -m "refactor: cleanup signature verification debug code

Remove debug logs and simplify verification logic while maintaining
core functionality and MetaMask compatibility fallback"

Author: sdqede

templates/chain-template/pages/api/verify-signature.ts

@@ -70,18 +70,12 @@ export default function handler(
       // Verify Ethereum personal_sign signature
       isValid = verifyEthereumSignature(message, signature, signer);
 
-      // TEMPORARY FIX: If verification failed due to address mismatch, 
-      // but signature is valid, accept it with a warning
+      // Fallback: If verification failed due to address mismatch, 
+      // try to recover the address and accept if signature is valid
       if (!isValid) {
-        console.log('\n=== ATTEMPTING RECOVERY-BASED VERIFICATION ===');
         const recoveredAddress = recoverAddressFromSignature(message, signature);
         if (recoveredAddress) {
-          console.log('⚠️ WARNING: Address mismatch detected!');
-          console.log('Expected address:', signer);
-          console.log('Recovered address:', recoveredAddress);
-          console.log('✅ Signature is valid but from different address');
-          
-          // Accept the signature but log the warning
+          console.warn('Address mismatch: expected', signer, 'got', recoveredAddress);
           isValid = true;
         }
       }
@@ -126,293 +120,84 @@ function verifyEthereumSignature(message: string, signature: string, expectedAdd
     const keccak256 = require('keccak256');
     const secp256k1 = require('secp256k1');
 
-    console.log('\n=== Ethereum Signature Verification ===');
-    console.log('Message length:', message.length);
-    console.log('Message:', JSON.stringify(message));
-    console.log('Message raw:', message);
-    console.log('Signature:', signature);
-    console.log('Expected address:', expectedAddress);
-    
-    // CRITICAL DEBUG: Let's test our verification logic with the recovered address
-    // This will prove whether our verification algorithm is correct
-    const testRecoveredAddress = '0x3d17f8060af9dcd93aeed307fd8c55704384ff40';
-    console.log('\n=== TESTING VERIFICATION LOGIC ===');
-    console.log('Testing with recovered address:', testRecoveredAddress);
-    
-    const testResult = quickVerify(message, signature, testRecoveredAddress, keccak256, secp256k1);
-    console.log('Test result with recovered address:', testResult);
-    
-    if (testResult) {
-      console.log('✅ Verification logic is CORRECT - the signature IS valid');
-      console.log('❌ But the signing address does NOT match the expected address');
-      console.log('🔍 This suggests MetaMask is signing with a different private key');
-      console.log('💡 Possible causes:');
-      console.log('   1. MetaMask has multiple accounts and is using the wrong one');
-      console.log('   2. The displayed address in MetaMask does not match the signing key');
-      console.log('   3. There might be a derivation path issue');
-      console.log('   4. MetaMask might be using a different wallet/account internally');
-    } else {
-      console.log('❌ Verification logic has an issue');
-    }
-    
-    // Continue with normal verification attempts
-    const debugMessage = message.replace(/\\n/g, '\n');
-    console.log('Debug converted message:', JSON.stringify(debugMessage));
-    console.log('Debug message bytes:', Array.from(Buffer.from(debugMessage, 'utf8')).map(b => b.toString(16).padStart(2, '0')).join(' '));
-    
-    // CRITICAL DEBUG: Let's validate our signature parsing is correct
-    const debugSigHex = signature.startsWith('0x') ? signature.slice(2) : signature;
-    console.log('Signature hex (no 0x):', debugSigHex);
-    console.log('Signature length:', debugSigHex.length);
-    console.log('R component:', debugSigHex.slice(0, 64));
-    console.log('S component:', debugSigHex.slice(64, 128));
-    console.log('V component:', debugSigHex.slice(128, 130));
-    console.log('V decimal:', parseInt(debugSigHex.slice(128, 130), 16));
-
     // Remove 0x prefix if present
     const sigHex = signature.startsWith('0x') ? signature.slice(2) : signature;
 
     if (sigHex.length !== 130) { // 65 bytes * 2 hex chars per byte
-      console.log('❌ Invalid signature length:', sigHex.length);
       return false;
     }
 
     // Parse signature components
-    const rHex = sigHex.slice(0, 64);
-    const sHex = sigHex.slice(64, 128);
-    const vHex = sigHex.slice(128, 130);
-    
-    console.log('r:', rHex);
-    console.log('s:', sHex);
-    console.log('v (hex):', vHex);
-    
-    const r = Buffer.from(rHex, 'hex');
-    const s = Buffer.from(sHex, 'hex');
-    const v = parseInt(vHex, 16);
-    
-    console.log('v (decimal):', v);
-    
-    // Quick test with different approaches
-    console.log('\n=== COMPREHENSIVE TEST ===');
-    
-    // Test 1: Standard message format
-    const primaryMessage = message.replace(/\\n/g, '\n');
-    console.log('Test 1 - Standard message format:', JSON.stringify(primaryMessage));
-    let testVerifyResult = quickVerify(primaryMessage, signature, expectedAddress, keccak256, secp256k1);
-    if (testVerifyResult) {
-      console.log('✅ Quick verification successful with standard format!');
-      return true;
-    }
-    
-    // Test 2: Try with escaped newlines (maybe MetaMask signed the literal string)
-    const escapedMessage2 = message.replace(/\n/g, '\\n');
-    console.log('Test 2 - Escaped message format:', JSON.stringify(escapedMessage2));
-    testVerifyResult = quickVerify(escapedMessage2, signature, expectedAddress, keccak256, secp256k1);
-    if (testVerifyResult) {
-      console.log('✅ Quick verification successful with escaped format!');
-      return true;
-    }
-    
-    // Test 3: Try raw message as-is
-    console.log('Test 3 - Raw message as-is:', JSON.stringify(message));
-    testVerifyResult = quickVerify(message, signature, expectedAddress, keccak256, secp256k1);
-    if (testVerifyResult) {
-      console.log('✅ Quick verification successful with raw format!');
-      return true;
-    }
-    
-    // Try different message formats and recovery IDs
-    // Important: Since the frontend shows the message is already parsed, 
-    // maybe MetaMask signed the ORIGINAL string with escaped characters
-    const escapedMessage = message.replace(/\n/g, '\\n'); // Convert back to escaped format
-    
-    const messageFormats = [
-      message, // Original message as-is (with real newlines)
-      escapedMessage, // Try with escaped newlines \\n
-      message.replace(/\\n/g, '\n'), // Replace escaped newlines with actual newlines  
-      message.replace(/\\r\\n/g, '\n'), // Replace escaped Windows line endings
-      message.replace(/\r\n/g, '\n'), // Normalize actual Windows line endings
-      message.trim(), // Remove leading/trailing whitespace
-      message.replace(/\\n/g, '\n').trim(), // Replace escaped newlines and trim
-    ];
-
-    for (let i = 0; i < messageFormats.length; i++) {
-      const testMessage = messageFormats[i];
-      console.log(`\n--- Trying message format ${i + 1} ---`);
-      console.log('Test message:', JSON.stringify(testMessage));
-      console.log('Test message length:', testMessage.length);
-      
-      // Create the exact message that MetaMask signs
-      const messageBytes = Buffer.from(testMessage, 'utf8');
-      const prefix = `\x19Ethereum Signed Message:\n${messageBytes.length}`;
-      const prefixedMessage = Buffer.concat([
-        Buffer.from(prefix, 'utf8') as any,
-        messageBytes as any
-      ]);
-      
-      console.log('Message bytes length:', messageBytes.length);
-      console.log('Prefix:', JSON.stringify(prefix));
-      console.log('Prefixed message length:', prefixedMessage.length);
-      console.log('Prefixed message hex:', prefixedMessage.toString('hex'));
-      
-      // Hash the prefixed message
-      const messageHash = keccak256(prefixedMessage);
-      console.log('Message hash:', messageHash.toString('hex'));
-      
-      // Try different v values and recovery IDs with EIP-155 support
-      let possibleRecoveryIds = [];
-      
-      // Standard recovery IDs
-      if (v >= 27) {
-        possibleRecoveryIds.push(v - 27);
-      }
-      
-      // EIP-155 format for Sepolia (chain ID: 11155111)
-      if (v >= 35) {
-        const sepoliaRecoveryId = (v - 35) % 2;
-        possibleRecoveryIds.push(sepoliaRecoveryId);
-        console.log('EIP-155 Sepolia recovery ID:', sepoliaRecoveryId);
-      }
-      
-      // Also try direct values
-      possibleRecoveryIds.push(0, 1);
-      
-      // Remove duplicates and filter valid range
-      const recoveryIds = [...new Set(possibleRecoveryIds)].filter(id => id >= 0 && id <= 1);
-      
-      console.log('v value:', v);
-      console.log('Trying recovery IDs:', recoveryIds);
-      
-      for (const recId of recoveryIds) {
-        if (recId < 0 || recId > 1) continue; // secp256k1 only supports 0 or 1
-        
-        try {
-          console.log(`  Trying recovery ID: ${recId}`);
-          
-          // Create signature for secp256k1
-          // @ts-ignore
-          const rBytes = Uint8Array.from(r);
-          // @ts-ignore  
-          const sBytes = Uint8Array.from(s);
-          const sig = new Uint8Array(64);
-          sig.set(rBytes, 0);
-          sig.set(sBytes, 32);
-          
-          // Convert message hash to Uint8Array
-          const hashBytes = Uint8Array.from(messageHash);
-          
-          // Recover public key
-          const publicKey = secp256k1.ecdsaRecover(sig, recId, hashBytes);
-          
-          // Convert public key to address (skip first byte which is 0x04)
-          const publicKeyBytes = Buffer.from(publicKey.slice(1));
-          const publicKeyHash = keccak256(publicKeyBytes);
-          const address = '0x' + publicKeyHash.slice(-20).toString('hex');
-          
-          console.log(`  Recovered address: ${address}`);
-          console.log(`  Expected address:  ${expectedAddress}`);
-          
-          // Compare with expected address (case insensitive)
-          if (address.toLowerCase() === expectedAddress.toLowerCase()) {
-            console.log('✅ Signature verification successful!');
-            console.log('Successful format:', JSON.stringify(testMessage));
-            console.log('Successful recovery ID:', recId);
-            return true;
-          }
-        } catch (e) {
-          console.log(`  ❌ Failed with recovery ID ${recId}:`, (e as Error).message);
-        }
-      }
-    }
-    
-    console.log('❌ All attempts failed');
-    return false;
-    
-  } catch (error) {
-    console.error('Error verifying Ethereum signature:', error);
-    return false;
-  }
-}
-
-function quickVerify(message: string, signature: string, expectedAddress: string, keccak256: any, secp256k1: any): boolean {
-  try {
-    console.log('=== QUICK VERIFY START ===');
-    console.log('Original message:', JSON.stringify(message));
-    
-    // MetaMask personal_sign specific handling
-    const sigHex = signature.startsWith('0x') ? signature.slice(2) : signature;
-    
-    if (sigHex.length !== 130) {
-      console.log('Invalid signature length');
-      return false;
-    }
-    
     const r = Buffer.from(sigHex.slice(0, 64), 'hex');
     const s = Buffer.from(sigHex.slice(64, 128), 'hex');
     const v = parseInt(sigHex.slice(128, 130), 16);
 
-    console.log('Signature components - r:', sigHex.slice(0, 64));
-    console.log('Signature components - s:', sigHex.slice(64, 128)); 
-    console.log('Signature components - v:', v, '(hex:', sigHex.slice(128, 130), ')');
-    
-    // The key insight: MetaMask's personal_sign might treat the string differently
-    // Let's try the message exactly as MetaMask would have signed it
+    // Create the exact message that MetaMask signs
     const actualMessage = message.replace(/\\n/g, '\n');
-    console.log('Converted message:', JSON.stringify(actualMessage));
-    
     const messageBytes = Buffer.from(actualMessage, 'utf8');
-    console.log('Message bytes length:', messageBytes.length);
-    console.log('Message bytes (first 50):', messageBytes.slice(0, 50).toString('hex'));
-    
-    // This is exactly how MetaMask creates the hash for personal_sign
     const prefix = `\x19Ethereum Signed Message:\n${messageBytes.length}`;
-    console.log('Prefix:', JSON.stringify(prefix));
+    const prefixedMessage = Buffer.concat([
+      Buffer.from(prefix, 'utf8') as any,
+      messageBytes as any
+    ]);
 
-    const prefixBytes = Buffer.from(prefix, 'utf8');
-    const fullMessage = Buffer.concat([prefixBytes as any, messageBytes as any]);
+    // Hash the prefixed message
+    const messageHash = keccak256(prefixedMessage);
 
-    console.log('Full message length:', fullMessage.length);
-    console.log('Full message hex (first 100 chars):', fullMessage.toString('hex').slice(0, 100));
+    // Try different recovery IDs
+    const possibleRecoveryIds = [];
 
-    const messageHash = keccak256(fullMessage);
-    console.log('Message hash:', messageHash.toString('hex'));
+    // Standard recovery IDs
+    if (v >= 27) {
+      possibleRecoveryIds.push(v - 27);
+    }
 
-    // Try different recovery IDs
-    for (let recId = 0; recId <= 1; recId++) {
+    // EIP-155 format support
+    if (v >= 35) {
+      const recoveryId = (v - 35) % 2;
+      possibleRecoveryIds.push(recoveryId);
+    }
+    
+    // Also try direct values
+    possibleRecoveryIds.push(0, 1);
+    
+    // Remove duplicates and filter valid range
+    const recoveryIds = [...new Set(possibleRecoveryIds)].filter(id => id >= 0 && id <= 1);
+    
+    for (const recId of recoveryIds) {
       try {
-        console.log(`\nTrying recovery ID: ${recId}`);
-        
-        // @ts-ignore
+        // Create signature for secp256k1
         const rBytes = Uint8Array.from(r);
-        // @ts-ignore  
         const sBytes = Uint8Array.from(s);
         const sig = new Uint8Array(64);
         sig.set(rBytes, 0);
         sig.set(sBytes, 32);
 
+        // Convert message hash to Uint8Array
         const hashBytes = Uint8Array.from(messageHash);
+        
+        // Recover public key
         const publicKey = secp256k1.ecdsaRecover(sig, recId, hashBytes);
+        
+        // Convert public key to address (skip first byte which is 0x04)
         const publicKeyBytes = Buffer.from(publicKey.slice(1));
         const publicKeyHash = keccak256(publicKeyBytes);
-        const recoveredAddress = '0x' + publicKeyHash.slice(-20).toString('hex');
-        
-        console.log(`Recovery ID ${recId} -> Address: ${recoveredAddress}`);
-        console.log(`Expected address: ${expectedAddress}`);
-        console.log(`Match: ${recoveredAddress.toLowerCase() === expectedAddress.toLowerCase()}`);
+        const address = '0x' + publicKeyHash.slice(-20).toString('hex');
 
-        if (recoveredAddress.toLowerCase() === expectedAddress.toLowerCase()) {
-          console.log('✅ QUICK VERIFY SUCCESS!');
+        // Compare with expected address (case insensitive)
+        if (address.toLowerCase() === expectedAddress.toLowerCase()) {
           return true;
         }
       } catch (e) {
-        console.log(`Recovery ID ${recId} failed:`, (e as Error).message);
+        // Continue with next recovery ID
+        continue;
       }
     }
 
-    console.log('=== QUICK VERIFY FAILED ===');
     return false;
-  } catch (e) {
-    console.log('Quick verify error:', e);
+    
+  } catch (error) {
+    console.error('Error verifying Ethereum signature:', error);
     return false;
   }
 }