R4R: validate sign tx request's body #3179
Conversation
alessio
requested review from
cwgoes,
ebuchman and
rigelrozanski
as code owners
Codecov Report
@@ Coverage Diff @@
## develop #3179 +/- ##
===========================================
+ Coverage 54.72% 54.73% +<.01%
===========================================
Files 132 132
Lines 9425 9427 +2
===========================================
+ Hits 5158 5160 +2
Misses 3949 3949
Partials 318 318 |
Codecov Report
@@ Coverage Diff @@
## develop #3179 +/- ##
===========================================
+ Coverage 54.83% 54.84% +0.01%
===========================================
Files 133 133
Lines 9559 9557 -2
===========================================
Hits 5242 5242
+ Misses 3996 3994 -2
Partials 321 321 |
client/lcd/lcd_test.go
Outdated
| BaseReq: utils.BaseReq{ | ||
| Name: name1, | ||
| Password: pw, | ||
| ChainID: viper.GetString(client.FlagChainID), |
There was a problem hiding this comment.
why are we using a flag on the REST tests ?
There was a problem hiding this comment.
You may find the answer in InitializeTestLCD()
client/utils/rest.go
Outdated
| @@ -189,7 +189,7 @@ func ReadRESTReq(w http.ResponseWriter, r *http.Request, cdc *codec.Codec, req i | |||
|
|
|||
| err = cdc.UnmarshalJSON(body, req) | |||
| if err != nil { | |||
| WriteErrorResponse(w, http.StatusBadRequest, err.Error()) | |||
| WriteErrorResponse(w, http.StatusBadRequest, "failed to decode JSON payload: "+err.Error()) | |||
There was a problem hiding this comment.
@alexanderbez your request was only for signing or for all of the unmarshal errors ?
x/auth/client/rest/sign.go
Outdated
| AppendSig bool `json:"append_sig"` | ||
| Tx auth.StdTx `json:"tx"` | ||
| AppendSig bool `json:"append_sig"` | ||
| utils.BaseReq |
There was a problem hiding this comment.
add BaseReq and json:"base_req"
There was a problem hiding this comment.
why? that would break the interface. Do we really need a nested object?
There was a problem hiding this comment.
were using it like that everywhere on the POST requests. But maybe we need to consider removing it. Thoughts @alexanderbez @jackzampolin @faboweb ?
There was a problem hiding this comment.
In that case, I'm fine with either
There was a problem hiding this comment.
Hmm, yes. So, me personally, I'd rather avoid having to use base_req. These are all primary/first-class-citizen fields of the request and not some inner resource, so I don't think it should be nested.
tl;dr I think we should leave this as-is and update the other REST requests (breaking, sorry I know).
There was a problem hiding this comment.
hmmm, currently the standard is to have base_req. I vote to keep this here to the standard and open an issue about changing this in all request to first class citizens. This should then probably also be discussed with others.
side note: I actually think this structure makes sense as it decouples the content and the meta information.
There was a problem hiding this comment.
I'd also have the base_req for consistency, but I don't have a strong opinion on it since we weren't using it before on this request
|
I think this requires a |
| Sequence: sequence, | ||
| Tx: msg, | ||
| BaseReq: utils.NewBaseReq( | ||
| name1, pw, "", viper.GetString(client.FlagChainID), "", "", accnum, sequence, nil, false, false, |
x/auth/client/rest/sign.go
Outdated
| } | ||
|
|
||
| // validate tx | ||
| // discard error if it's CodeUnauthorized as the tx comes with no signatures |
There was a problem hiding this comment.
I'm a little bit confused as to why CodeUnautherized implies that there tx comes with no signatures... maybe we should have CodeNoSignatures? Don't deal with this code a lot just an outsider's perspective
There was a problem hiding this comment.
CodeNoSignatures sounds good and self-explanatory to me 👍
There was a problem hiding this comment.
Amended, please review again
rigelrozanski
changed the title
alessio
force-pushed
the
alessio/3176-validate-sign-body-req
branch
from
e342a32
to
1ebe184
Compare
|
@jackzampolin changed applied, please review |
Co-Authored-By: alessio <quadrispro@ubuntu.com>
alessio
changed the title
Closes: #3176
docs/)PENDING.mdwith issue #Files changedin the github PR explorerFor Admin Use: