From d8ce2a5b1656b42ac01e088819689cf1e6e58f54 Mon Sep 17 00:00:00 2001
From: Jake Urban
Date: Tue, 24 Jan 2023 12:59:29 -0800
Subject: [PATCH] reject requests with memo & muxed account
---
 exp/services/webauth/internal/serve/challenge.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/exp/services/webauth/internal/serve/challenge.go b/exp/services/webauth/internal/serve/challenge.go
index 20e1635c61..b7d1a22def 100644
--- a/exp/services/webauth/internal/serve/challenge.go
+++ b/exp/services/webauth/internal/serve/challenge.go
@@ -34,7 +34,9 @@ func (h challengeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 queryValues := r.URL.Query()
 account := queryValues.Get("account")
- if !strkey.IsValidEd25519PublicKey(account) {
+ isStellarAccount := strkey.IsValidEd25519PublicKey(account)
+ isMuxedAccount := strkey.IsValidMuxedAccountEd25519PublicKey(account)
+ if !isStellarAccount && !isMuxedAccount {
 badRequest.Render(w)
 return
 }
@@ -60,6 +62,10 @@ func (h challengeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 var memo txnbuild.MemoID
 if queryValues.Get("memo") != "" {
+ if isMuxedAccount {
+ badRequest.Render(w)
+ return
+ }
 memoInt, err := strconv.ParseUint(queryValues.Get("memo"), 10, 64)
 if err != nil {
 badRequest.Render(w)
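Review bot: Relaxing the guard to `if !isStellarAccount && !isMuxedAccount` means every later use of `account` in ServeHTTP can now receive an M... address, yet the patch touches only challenge.go, so nothing visible here shows the challenge builder or the token-verification side being prepared for that. Before merging, confirm that those paths check signers against the underlying ed25519 key while keeping the full muxed address as the authenticated subject, so that two muxed IDs sharing one key are not treated as the same user. A handler test that requests a challenge for a valid muxed account, and one for a malformed M... string, would pin the new acceptance rule. ServeHTTP starts and ends outside this hunk.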
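Review bot: The new `if isMuxedAccount` branch in the second hunk rejects a memo on a muxed account with the same bare `badRequest.Render(w)` as every other failure, and has no comment saying why the combination is invalid. A one-line comment such as `// a muxed account already carries its own ID, so a separate memo is ambiguous and is rejected` would stop a later edit from relaxing the check unnoticed. The diffstat lists no test file, so a case asserting that a muxed `account` together with a non-empty `memo` yields a 400 is worth adding. As a style point, `queryValues.Get("memo")` is read twice; binding it once (`memoParam := queryValues.Get("memo")`) keeps the emptiness check and the parse on the same value. ServeHTTP continues past the end of the hunk.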