Wp 5782/fix near token enablement validation #6958
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
SimonVutovB
force-pushed
the
WP-5782/fix-near-token-enablement-validation
branch
3 times, most recently
from
3371efc to
b81a0d0
Compare
There was a problem hiding this comment.
A few changes requested but you got a general first idea, good job! let me know if you need further clarification on any of the mentioned points @SimonVutovB
Thanks!
SimonVutovB
force-pushed
the
WP-5782/fix-near-token-enablement-validation
branch
from
8d0fb13 to
fa835c7
Compare
|
@SimonVutovB for this issue that you're getting on the CI/CD steps, just rebase master since your dep versions are out of date: 
|
SimonVutovB
force-pushed
the
WP-5782/fix-near-token-enablement-validation
branch
from
fa835c7 to
cf059f2
Compare
SimonVutovB
force-pushed
the
WP-5782/fix-near-token-enablement-validation
branch
from
cf059f2 to
6141074
Compare
SimonVutovB
force-pushed
the
WP-5782/fix-near-token-enablement-validation
branch
from
e9cbf28 to
10c27f8
Compare
SimonVutovB
force-pushed
the
WP-5782/fix-near-token-enablement-validation
branch
from
f4a41a4 to
3be12f4
Compare
modules/sdk-coin-near/src/near.ts
Outdated
| const explainedTx = transaction.explainTransaction(); | ||
|
|
||
| // users do not input recipients for consolidation requests as they are generated by the server | ||
| if (txParams.type === 'enabletoken') { |
There was a problem hiding this comment.
| if (txParams.type === 'enabletoken') { | |
| if (txParams.type === 'enabletoken' && verification.verifyTokenEnablement) { |
modules/sdk-coin-near/src/near.ts
Outdated
|
|
||
| if (!_.isEqual(filteredOutputs, filteredRecipients)) { | ||
| // For enabletoken, provide more specific error messages for address mismatches | ||
| if (txParams.type === 'enabletoken') { |
There was a problem hiding this comment.
| if (txParams.type === 'enabletoken') { | |
| if (txParams.type === 'enabletoken' && params.verification?.verifyTokenEnablement) { |
Not sure if we always want to throw this new error or only if the param is passed?
There was a problem hiding this comment.
Yeah you're right, good catch. Just pushed change to add the check for the verifyTokenEnablement flag.
SimonVutovB
dismissed stale reviews from FloBitGo, mohammadalfaiyazbitgo, and mtexeira-simtlix
via
8f353e7
NEAR token enablement blind signing validation TICKET: WP-5782
SimonVutovB
force-pushed
the
WP-5782/fix-near-token-enablement-validation
branch
from
8f353e7 to
d84bba2
Compare
|
PR has merge conflicts |
SimonVutovB
dismissed stale reviews from mukeshsp and mohammadalfaiyazbitgo
via
307041c
SimonVutovB
force-pushed
the
WP-5782/fix-near-token-enablement-validation
branch
from
57d600d to
3e49289
Compare
mohammadalfaiyazbitgo
requested review from
FloBitGo,
mohammadalfaiyazbitgo and
mtexeira-simtlix
lerna.json
Outdated
| { | ||
| "version": "independent", | ||
| "npmClient": "yarn", | ||
| "packages": ["modules/*"], |
There was a problem hiding this comment.
is this needed?
There was a problem hiding this comment.
I deleted it and all checks pass, so I guess it was not needed.
| // The result should contain failures due to the spoofed transaction hex | ||
| result.success.should.have.length(0); | ||
| result.failure.should.have.length(1); | ||
| result.failure[0].message.should.containEql('unable to build transaction from raw'); |
There was a problem hiding this comment.
I'm not sure how this is testing that the spoofed transaction does not match the intended transaction?
There was a problem hiding this comment.
Yeah I agree with @mohammadalfaiyazbitgo , I don't remember how the internal flow goes exactly but if you mock the build results then you're basically shutting down the internal verifies somewhere.
@SimonVutovB mind trying an approach similar to what I did in this other tests? It's also a little shorter and you may throw an error msg that should be the same as one of your token enablement error msg's on the current PR:
For ref, this is on modules/sdk-coin-xlm/test/unit/xlm.ts , look for the test name on that file please.
| const output = explainedTx.outputs[0]; | ||
| const recipient = txParams.recipients?.[0]; | ||
|
|
||
| if (!recipient?.address) { |
There was a problem hiding this comment.
Could you confirm if near token enablements supports a single recipient? because if that's the case then you may need to check for outputs.length === 1 and if it isn't then you may need to iterate over the outputs or recipients and match one with the other (also you can preliminary compare outputs.length with recipients.length and they should match).
| // The result should contain failures due to the spoofed transaction hex | ||
| result.success.should.have.length(0); | ||
| result.failure.should.have.length(1); | ||
| result.failure[0].message.should.containEql('unable to build transaction from raw'); |
There was a problem hiding this comment.
Yeah I agree with @mohammadalfaiyazbitgo , I don't remember how the internal flow goes exactly but if you mock the build results then you're basically shutting down the internal verifies somewhere.
@SimonVutovB mind trying an approach similar to what I did in this other tests? It's also a little shorter and you may throw an error msg that should be the same as one of your token enablement error msg's on the current PR:
For ref, this is on modules/sdk-coin-xlm/test/unit/xlm.ts , look for the test name on that file please.
Unit tests for tokenEnablementValidation changes and Making sure there is 1 user in the txParams.recipients TICKET: WP-5782
8 participants
Summary
Added token enablement validation and tests
Changes
verifyTransactionin near.ts of sdk-coin-near, validate the txHex is a valid token enablement transaction for the specified token and does not have additional transactions embedded.TICKET: WP-5782