Claim endpoint should return an error when attempting to change userId on accepted/rejected operations #1829

Open
kopovan opened this issue Jan 14, 2025 · 1 comment
kopovan commented Jan 14, 2025

Affected product(s) and version(s)

No response

Environment

old dev

Steps to reproduce, current result, expected result

https://powerauth-dev.westeurope.cloudapp.azure.com/powerauth-java-server/swagger-ui/index.html#/PowerAuth%20Operations%20Controller%20(V3)/operationClaim

Scenario steps

  1. create a login operation including userId
  2. go to swagger and reject/approve the operation https://powerauth-dev.westeurope.cloudapp.azure.com/powerauth-java-server/swagger-ui/index.html#/PowerAuth%20Operations%20Controller%20(V3)/rejectOperation / https://powerauth-dev.westeurope.cloudapp.azure.com/powerauth-java-server/swagger-ui/index.html#/PowerAuth%20Operations%20Controller%20(V3)/approveOperation
{
  "requestObject": {
    "operationId": "1960d8d3-03bc-40c3-b1d1-a351ba6fa067",
    "userId": "nicole2",
    "applicationId": "dev",
    "additionalData": {
      "additionalProp1": {},
      "additionalProp2": {},
      "additionalProp3": {}
    }
  }
}
  3. go to claim endpoint https://powerauth-dev.westeurope.cloudapp.azure.com/powerauth-java-server/swagger-ui/index.html#/PowerAuth%20Operations%20Controller%20(V3)/operationClaim and send the request to claim the operation with a different userId
{
  "requestObject": {
    "operationId": "1960d8d3-03bc-40c3-b1d1-a351ba6fa067",
    "userId": "nicole"
  }
}

The API currently allows the operation to be claimed, and the following response is returned:

{
  "status": "OK",
  "responseObject": {
    "id": "1960d8d3-03bc-40c3-b1d1-a351ba6fa067",
    "userId": "nicole2",
    "applications": [
      "WAU-Prod",
      "dev"
    ],
    "externalId": "test",
    "activationFlag": null,
    "operationType": "login",
    "templateName": "login",
    "data": "A2",
    "parameters": {},
    "additionalData": {
      "additionalProp3": {},
      "additionalProp2": {},
      "additionalProp1": {}
    },
    "status": "REJECTED",
    "statusReason": null,
    "signatureType": [
      "POSSESSION_KNOWLEDGE",
      "POSSESSION_BIOMETRY"
    ],
    "failureCount": 0,
    "maxFailureCount": 5,
    "timestampCreated": "2025-01-14T10:21:35.345+00:00",
    "timestampExpires": "2025-01-14T10:26:35.345+00:00",
    "timestampFinalized": "2025-01-14T10:21:52.696+00:00",
    "riskFlags": null,
    "proximityOtp": null,
    "activationId": null
  }
}

As discussed with @romanstrobl the API should return an error instead of allowing the operation to be claimed. This applies only for accepted/rejected operations.

Log output

No response

JIRA issue code

No response

romanstrobl (Member) commented

The claim request is ignored in case the operation is not in PENDING state, so the claim is not allowed, just ignored. The request validity should be checked instead.
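As an added illustration of the two behaviours discussed in this thread (not code from powerauth-java-server): a minimal claim handler that models the current "silently ignore" path next to the proposed "validate and fail" path. The in-memory store, the `claim_current`/`claim_fixed` names and the rule that a pending operation already bound to another user cannot be claimed are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class OperationStatus(Enum):
    PENDING = "PENDING"
    APPROVED = "APPROVED"
    REJECTED = "REJECTED"


class ClaimError(Exception):
    """Raised when a claim request is not valid for the operation's state."""


@dataclass
class Operation:
    id: str
    user_id: Optional[str]
    status: OperationStatus


# Constructed sample store (assumption, not PowerAuth's persistence): the rejected
# login operation from the report, plus a pending operation that has no user yet.
OPERATIONS: Dict[str, Operation] = {
    "1960d8d3-03bc-40c3-b1d1-a351ba6fa067": Operation(
        "1960d8d3-03bc-40c3-b1d1-a351ba6fa067", "nicole2", OperationStatus.REJECTED),
    "op-pending-0001": Operation("op-pending-0001", None, OperationStatus.PENDING),
}


def claim_current(op_id: str, user_id: str) -> Operation:
    """Behaviour described in the thread: a claim on a non-PENDING operation is
    ignored and the unchanged operation is returned with status OK."""
    op = OPERATIONS[op_id]
    if op.status is OperationStatus.PENDING:
        op.user_id = user_id
    return op


def claim_fixed(op_id: str, user_id: str) -> Operation:
    """Proposed behaviour: validate the request and fail instead of ignoring it."""
    op = OPERATIONS.get(op_id)
    if op is None:
        raise ClaimError(f"operation {op_id} not found")
    if op.status is not OperationStatus.PENDING:
        # Finalized (approved/rejected) operations must not be re-assigned.
        raise ClaimError(f"operation {op_id} is {op.status.value}, claim refused")
    if op.user_id is not None and op.user_id != user_id:
        # Assumption: a pending operation bound to another user is not claimable.
        raise ClaimError(f"operation {op_id} already belongs to another user")
    op.user_id = user_id
    return op


def claim_is_refused(op_id: str, user_id: str) -> bool:
    """True when the validated claim path rejects the request."""
    try:
        claim_fixed(op_id, user_id)
    except ClaimError:
        return True
    return False
```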
