-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ANCHOR-328] Add homeDomain and webAuthDomain length validation #942
[ANCHOR-328] Add homeDomain and webAuthDomain length validation #942
Conversation
try { | ||
new ManageDataOperation.Builder(String.format("%s %s", homeDomain, "auth"), nonce).build(); | ||
} catch (IllegalArgumentException iaex) { | ||
errors.rejectValue( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we have a special error for when domains are too long? Current error message is hard to debug for outside developer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey Gleb, thanks for commenting. Just a reminder that this is still a draft.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will modify the error messages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah sorry about that, I thought it wasn't a draft. Sounds good, thank you
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem. 💯
Reference Server Preview is available here: |
Reference Server Preview is available here: |
1 similar comment
Reference Server Preview is available here: |
Reference Server Preview is available here: |
700de57
to
73989f1
Compare
Reference Server Preview is available here: |
@@ -87,6 +87,18 @@ void validateConfig(Errors errors) { | |||
errors.rejectValue( | |||
"homeDomain", "home-domain-empty", "The sep10.home_domain is not defined."); | |||
} else { | |||
try { | |||
new ManageDataOperation.Builder(String.format("%s %s", homeDomain, "auth"), new byte[64]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we make the length check more explicit? Something like:
byte[] bytes = homeDomain.getBytes(StandardCharsets.US_ASCII);
if (bytes.length > 64) {
errors.reject( ... )
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good alternative. However, the size check (<=64) happens in the ManageDataOperation
constructor. It would be more robust if we call the ManageDataOperation
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure if I'm convinced that is more robust. For example, if there are new validations added to the ManageDataOperation
constructor, we will fail with a message complaining about the size. Or if the allowed since increases from 64, we will need to update the message here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is actually intended if there is a new validation added to ManageDataOperation
, the validation should fail because AP uses ManageDataOperation
to create SEP-10 challenge.
If the size is changed in ManageDataOperation
is changed, we should change the message as well. One option is to remove the size 64. But this seems to cause more harm than benefits because the ManageDataOperation
change requires XDR change which is not very likely.
If there is no strong reason, I think we can stay with the current approach and change it in the future PR if necessary.
PR Checklist
PR Structure
otherwise).
paymentservice.stellar
, orall
ordoc
if the changes are broad or impact manypackages.
Thoroughness
What
Add validation that calls
ManageDataOperation.Builder
to validate thehomeDomain
andwebAuthDomain
.Why
Cath the errors early.