In updateSeller, pendingAddressUpdatesBySeller gets cleared every time before pending values are stored (https://github.com/bosonprotocol/boson-protocol-contracts/blob/451dc3d0866ba6694821537803ba32939de34798/contracts/protocol/facets/SellerHandlerFacet.sol#L116). This ensures that the pendingAddressUpdatesBySeller values are always the latest ones submitted by the seller, so the seller has a chance to override or delete the entries. pendingAuthTokenUpdatesBySeller should be cleared the same way. If it's not, the following can happen:

1. A seller calls updateSeller with some AuthToken.
2. The seller decides they don't want to finalize the update with this AuthToken and would like to remove it. They call updateSeller with a non-zero admin address and an AuthToken of type None.
3. Both pendingAddressUpdatesBySeller.admin and pendingAuthTokenUpdatesBySeller are now filled with values, which is not the intended behaviour (https://github.com/bosonprotocol/boson-protocol-contracts/blob/451dc3d0866ba6694821537803ba32939de34798/contracts/protocol/facets/SellerHandlerFacet.sol#L123).

Consequences
- The seller cannot abuse this to have both the admin address and the auth token as their method of authentication. They can opt in to the update with either (or even both) of them, but the protocol will always use only the last method they choose.
- The event SellerUpdatePending will have non-zero values for both pendingSeller and pendingAuthToken, which is not expected. In particular, if the seller calls updateSeller without an AuthToken, they would expect pendingAuthToken to be zeroed.
- If the seller transfers the auth token to someone else, the new holder can claim control over the seller's account, which presents a security issue.
- The only way the seller can remove pendingAuthToken from storage is to opt in to the update with that token. If they don't want to do that (or maybe even cannot), they cannot simply use updateSeller to achieve it. The only thing they can do is update to another token, which is not likely to ever be owned by anyone.

Recommendation
Delete lookups.pendingAuthTokenUpdatesBySeller[_seller.id] before storing new values.
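As an added illustration (not the protocol's own facet code), a stripped-down model of the update flow with the recommended delete in place. The mapping, struct and event names mirror the ones in this report, but their shapes, the enum values and the PendingAddresses layout are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model of the seller-update flow; names follow the report, shapes are assumed.
contract SellerUpdateModel {
    enum AuthTokenType { None, Custom, Lens, ENS }
    struct AuthToken { uint256 tokenId; AuthTokenType tokenType; }
    struct PendingAddresses { address admin; address clerk; address assistant; }

    mapping(uint256 => PendingAddresses) public pendingAddressUpdatesBySeller;
    mapping(uint256 => AuthToken) public pendingAuthTokenUpdatesBySeller;

    event SellerUpdatePending(
        uint256 indexed sellerId,
        PendingAddresses pendingSeller,
        AuthToken pendingAuthToken
    );

    function updateSeller(uint256 sellerId, address newAdmin, AuthToken calldata authToken) external {
        // What the facet already does for addresses: drop stale pending entries
        // so the stored values are always the seller's most recent submission.
        delete pendingAddressUpdatesBySeller[sellerId];

        // The recommended fix: clear the stale pending auth token too. Without this
        // line, a second call carrying AuthTokenType.None leaves the previously
        // submitted token in storage, and whoever ends up holding that token can
        // still opt in to the update and take over the seller account.
        delete pendingAuthTokenUpdatesBySeller[sellerId];

        if (newAdmin != address(0)) {
            pendingAddressUpdatesBySeller[sellerId].admin = newAdmin;
        }
        if (authToken.tokenType != AuthTokenType.None) {
            pendingAuthTokenUpdatesBySeller[sellerId] = authToken;
        }

        // With both deletes in place the event reflects only the current submission:
        // a None auth token now yields a zeroed pendingAuthToken, as the seller expects.
        emit SellerUpdatePending(
            sellerId,
            pendingAddressUpdatesBySeller[sellerId],
            pendingAuthTokenUpdatesBySeller[sellerId]
        );
    }
}
```

A regression test for the real facet would call updateSeller twice as in the scenario above and assert that the second call's SellerUpdatePending event carries a zero pendingAuthToken.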