txnbuild: add a method for verifying SEP-10 challenge transactions #1530
Comments
|
@poliha Is the following checking that the transaction was signed by the client?
If that's the case, are we sure this should be part of this checks? the way I understand it is, as a client, I want to check that the challenge is valid before signing it and send it back to the server. Maybe we could add a flag to check bot the signature on the operation source account.
|
|
@abuiles The verification steps above are done by the server before responding with a JWT for the client to access other services. We have been approaching the building and verification of the challenge from the perspective of the server. The SEP doesn't mention a validation step for the client, @TomQ is this by design? |
|
@poliha makes sense. My reasoning was that as a client I want to do some checks before signing it, at least I want to make sure the sequenceNumber is 0 -- but that's such a simple check that it can be left to the client to implement it. |
|
I think this was fixe dby @leighmcculloch |
The
txnbuildpackage has a method(BuildChallenge) that builds a SEP 10 challenge transaction. There should be a corresponding method(VerifyChallenge) that verifies a SEP-10 challenge transaction.This method should do the following
decode the received input as a base64-urlencoded XDR representation of Stellar transaction envelope;
verify that transaction source account is equal to the server's signing key;
verify that transaction has time bounds set, and that current time is between the minimum and maximum bounds;
verify that transaction contains a single Manage Data operation and its source account is not null;
verify that transaction envelope has a correct signature by server's signing key;
verify that transaction envelope has a correct signature by the operation's source account;
The text was updated successfully, but these errors were encountered: