Closed geekbrother closed 1 month ago
I think the revoke endpoint should be idempotent
I missed that we need to check the request signature later, and we need to get the verifying key for that. If the PCI does not exist, we can't verify/authorize the request.
You only need to verify it if you are going to perform an action. If the action is already performed then you are good.
Changed it. We are returning OK and warn on it now.
Description
This PR implements the permission context revoking endpoint /v1/sessions/{address}/revoke according to the API SPEC draft.

For the request authentication, the signature (signed message) is used. As a signing message, the permission controller unique identifier (PCI) is used and signed by the signing key (created during the session creation request). Then the signature is verified at the server by the verification key which is stored during the session creation in the permission session object.
How Has This Been Tested?
Due Diligence
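The revoke flow agreed in the review thread (return OK with a warning when the PCI is already gone, verify the signature over the PCI only when there is a context to delete), as an added example that is not this PR's code. It assumes Ed25519 as the signature scheme and uses a hypothetical in-memory `Store`; all names, addresses and PCIs are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"log"
)

// ErrUnauthorized: the context exists but the signature over the PCI is invalid.
var ErrUnauthorized = errors.New("revoke: invalid signature")

// Store is a hypothetical in-memory stand-in for session storage:
// address -> PCI -> verification key saved at session creation.
type Store map[string]map[string]ed25519.PublicKey

func (s Store) Create(address, pci string, vk ed25519.PublicKey) {
	if s[address] == nil {
		s[address] = map[string]ed25519.PublicKey{}
	}
	s[address][pci] = vk
}

// Revoke returns (true, nil) when it deleted the context, (false, nil) when the
// PCI was already absent (idempotent OK plus a warning; there is no key to verify
// against and nothing is changed), and (false, ErrUnauthorized) on a bad signature.
func (s Store) Revoke(address, pci string, sig []byte) (bool, error) {
	vk, ok := s[address][pci]
	if !ok {
		log.Printf("warn: revoke of unknown PCI %q for %s, returning OK", pci, address)
		return false, nil
	}
	// The signed message is the PCI itself; Ed25519 is an assumption of this example.
	if !ed25519.Verify(vk, []byte(pci), sig) {
		return false, ErrUnauthorized
	}
	delete(s[address], pci)
	return true, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair and identifiers
	s := Store{}
	s.Create("0xabc", "pci-1", pub)
	sig := ed25519.Sign(priv, []byte("pci-1"))
	fmt.Println(s.Revoke("0xabc", "pci-1", []byte("forged"))) // rejected, context kept
	fmt.Println(s.Revoke("0xabc", "pci-1", sig))              // revoked
	fmt.Println(s.Revoke("0xabc", "pci-1", sig))              // already gone: OK + warn
}
```

The unauthenticated path only ever reports that nothing was left to revoke; it never reaches the delete, so skipping verification there changes no state.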