PayString / paystring

Reference implementation of the PayString Protocol.
Apache License 2.0

Validate that PayID domain matches server domain on creation #669

Open nkramer44 opened 4 years ago

nkramer44 commented 4 years ago

Currently in the admin API, you can create a PayID which has a different domain than the domain of the PayID server without the server complaining. However, that PayID is now useless because any PayID query with the configured account will return a 404.

Detailed Description

Let's say I want to create a PayID nkramer$example.com on the PayID server locally. I could do that by hitting http://localhost:8081/users with this payload:

{
    "payId": "nkramer44$example.com",
    "addresses": [
        {
            "paymentNetwork": "XRPL",
            "environment": "TESTNET",
            "details": {
                "address": "rE2L8SciZFHP4UX8ZWJxobeuaPTe7EShBq"
            }
        }
    ]
}

The PayID server will store the PayID nkramer44$example.com. If I then take my username nkramer44 and do a PayID lookup like GET http://localhost:8080/nkramer44, I will get a 404 because the server will look for a PayID like nkramer44$localhost.

Context

This isn't a huge deal, because someone playing around with the server locally or in the sandbox could just delete the incorrect PayID, but in the interest of making this thing as foolproof as possible, I think new users would benefit from some error feedback in this case.

Possible Implementation

In the users.ts middleware, we could just do a simple check on the payload PayID to compare it to the server domain.

Alternatives Considered

Additional Context

Bonus

Are you willing to submit a pull request to implement this change?
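
The check proposed under "Possible Implementation" could look like the following. This is an added example, not code from the paystring repository: the function names, the error strings, and passing the server's domain in as a plain string are assumptions, as is splitting the PayID at its last `$`.

```typescript
// Added example with hypothetical names; not taken from paystring's users.ts.

// Split "user$host" at the last '$' (assumption: the host part never contains '$').
function splitPayId(payId: string): { user: string; host: string } | null {
  const i = payId.lastIndexOf("$");
  if (i <= 0 || i === payId.length - 1) {
    return null; // no '$', empty user, or empty host
  }
  return { user: payId.slice(0, i), host: payId.slice(i + 1) };
}

// Returns null when the PayID host matches the domain the server answers
// lookups for, otherwise an error message the admin API can send back
// instead of silently storing a PayID that can never be resolved.
function payIdDomainError(payId: unknown, serverDomain: string): string | null {
  if (typeof payId !== "string") {
    return "payId must be a string";
  }
  const parts = splitPayId(payId.trim());
  if (parts === null) {
    return "payId must have the form user$host";
  }
  // Host names are case-insensitive, so compare lowercased values.
  if (parts.host.toLowerCase() !== serverDomain.toLowerCase()) {
    return (
      'PayID host "' + parts.host + '" does not match server domain "' +
      serverDomain + '"; lookups for "' + parts.user + '" would return 404'
    );
  }
  return null;
}

// Constructed sample payload values mirroring the scenario in the issue.
const samplePayIds: unknown[] = [
  "nkramer44$example.com", // wrong domain for a local server
  "nkramer44$localhost",   // matches
  "nkramer44",             // not a PayID at all
];
for (const sample of samplePayIds) {
  console.log(sample, "->", payIdDomainError(sample, "localhost") ?? "ok");
}
```

A creation handler would call `payIdDomainError` before the database insert and answer with a client error (for example HTTP 400, also an assumption) when it returns a message.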

dangell7 commented 3 years ago

Yes, when you work in dev env, EVERYTHING must be "localhost".

I'm learning this as well.

The thought here is "What is the domain"?

If you are creating a payID, on a localhost, the domain is in fact, "localhost". lol