Skip to content

fix(session): open a new channel when the authorizedSigner changes#632

Open
saneGuy wants to merge 1 commit into
wevm:mainfrom
saneGuy:fix/session-channel-authorized-signer
Open

fix(session): open a new channel when the authorizedSigner changes#632
saneGuy wants to merge 1 commit into
wevm:mainfrom
saneGuy:fix/session-channel-authorized-signer

Conversation

@saneGuy

@saneGuy saneGuy commented Jul 12, 2026

Copy link
Copy Markdown

Fixes #471

Bug

In auto-managed legacy sessions, session() reuses an existing channel after the client account's authorizedSigner changes. The next credential is emitted as a voucher for the old channel — signed by the new signer, which the escrow rejects — instead of opening a new channel.

Root cause

The legacy session client caches channels keyed by payee:currency:escrow only, and ChannelEntry does not record the voucher authority the channel was opened with. autoManageCredential therefore has no way to notice that the resolved signer can no longer produce valid vouchers for the cached channel. (The TIP-1034 precompile client already guards this via canSignDescriptor in planCredential; this brings the legacy client to parity.)

Fix

  • Track authorizedSigner on the legacy ChannelEntry: createOpenPayload records the authority it opens with, and tryRecoverChannel records the on-chain authority (normalizing the zero address to the payer, since that is what the escrow verifies vouchers against in that case).
  • In autoManageCredential, skip reuse of a cached or recovered entry whose authority no longer matches the resolved voucher signer, falling through to the existing open path.

Tests

  • reuses the cached channel while the voucher signer is unchanged (guards the reuse path)
  • opens a new channel instead of reusing when the authorizedSigner changes (fails before this change with the exact reported symptom: voucher for the old channel)
  • tryRecoverChannel assertions for zero-address → payer normalization and for preserving a non-zero on-chain authorizedSigner
  • Full suite green against a Tempo localnet; check:types and check:ci clean

Legacy session auto-management cached channels by payee, currency, and
escrow only, so a cached entry kept being reused after the account's
authorizedSigner changed. The next credential was emitted as a voucher
for the old channel — signed by the new signer — which the escrow
rejects, instead of opening a new channel.

Track the voucher authority on each cached channel entry and skip reuse
when it no longer matches the resolved signer, falling through to the
existing open path. Recovered channels record their on-chain
authorizedSigner (normalizing the zero address to the payer, which is
what the escrow verifies vouchers against in that case).

Fixes wevm#471
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Session auto-management reuses channel after authorizedSigner changes

1 participant