doma-engineering / do-auth

Fast, lean and reliable authentication server based on verifiable credentials standard

6 stars 2 forks source link

Bug?: Perhaps, invite hijacking verification is broken #19

Open cognivore opened 2 years ago

cognivore commented 2 years ago

Why?

We seemed to have a working invite system, but we patched a MASSIVE BUG in crypto.ex and all the tests started failing. To fix tests, we have inspected the output of the invite presentation credential, and hacked the test to work.

In the test we hacked, we now just compare the holder of the inner credential to its issuer. It kinda seems like a bug?..

How?

[ ] Reconstruct the logic of root invites
[ ] Reconstruct the invite fulfilling protocol
[ ] See if it's a bug
[ ] If it is, fix grant_root_invite and other invite granting facilities.

cognivore commented 1 year ago

This is low priority because we for our products, instead of the "clubhouse" invite system, we use E-Mail sign-up. We do it because our products are b2b currently.