allocation_middleware does not extract allocation from V2 receipts, causing attestation verification failures

[MoonBoi9001]

Summary

The allocation_middleware in crates/service/src/middleware/allocation.rs only handles V1 receipts (SignedReceipt), not V2 receipts (TapReceipt::V2). This causes attestation verification failures on the gateway when deployments have multiple allocations (active + recently closed).

Problem

When processing a V2 receipt, the middleware does not extract the allocation from the receipt's collection_id. Instead, it falls back to looking up an allocation by deployment_id using the deployment_to_allocation map. For deployments with multiple allocations, this may return a different allocation than the one specified in the receipt.

Current code (crates/service/src/middleware/allocation.rs:42-54):

pub async fn allocation_middleware(
    State(my_state): State<AllocationState>,
    mut request: Request,
    next: Next,
) -> Response {
    if let Some(receipt) = request.extensions().get::<SignedReceipt>() {
        // Only handles V1 receipts
        let allocation = receipt.message.allocation_id;
        request.extensions_mut().insert(Allocation(allocation));
    } else if let Some(deployment_id) = request.extensions().get::<DeploymentId>() {
        // Falls through here for V2 receipts
        if let Some(allocation) = my_state.deployment_to_allocation.borrow().get(deployment_id) {
            request.extensions_mut().insert(Allocation(*allocation));
        }
    }
    next.run(request).await
}

Result:

1. Gateway sends V2 receipt with allocation 0xABC in collection_id
2. Indexer-service looks up allocation by deployment, gets 0xDEF
3. Indexer signs attestation with 0xDEF's key
4. Gateway verifies against 0xABC (from the receipt it sent)
5. Verification fails: BadResponse(bad attestation: recovered signer is not expected - recovered signer is not expected)

[MoonBoi9001]

@suchapalaver wonder if you can take a look at this and see if you're in agreement with this. Happy to provide some example data from BigQuery if useful but I think its reasonably well described here.

[suchapalaver]

Thanks for the detailed report — confirmed. In this repo the allocation middleware already reads the V2 TapReceipt and derives the allocation from collection_id, only falling back to the deployment map when there’s no receipt present. The current file is crates/service/src/middleware/allocation.rs, and it includes tests that verify the V2 conversion and fallback behavior.

So the bug you’re seeing matches the older middleware that only handled V1 receipts. If you’re running a release prior to this change, upgrading to the commit that includes PR #929 should fix it. If you can’t upgrade, backport just the allocation middleware change so TAP V2 always sets allocation from collection_id, and ensure this middleware runs after the TapReceipt extension is added.

[MoonBoi9001]

Got it! Thank you for confirming. FWIW I think you meant #919 (rather than #929) which I see is included in the v1.9.0 build planned for release with #934