Open jussiry opened 3 years ago
You're correct that the frontend's asset code and scale cannot be trusted. (Receipts themselves solve the issue of the monetizationprogress event's amount not being trustworthy.)
There is an assumption that the asset code and scale for a given spspEndpoint will be consistent over time. However, there isn't currently an easy way to discover a payment pointer / SPSP endpoint's asset code and scale without initiating a payment.
The proposed Open Payments would allow easier payment pointer asset details discovery.
In the meantime, I think a service that tells you a payment pointer's asset code and scale (by initiating a payment) would be helpful.
Since the /verify endpoint only returns amount and spspEndpoint, doesn't this result in a security issue relating to assetScale (or assetCode)?
If the backend has to rely on scale and code sent by the frontend, it could be faked and the backend ends up interpreting the amount with orders of magnitude bigger sums.
At the moment XRP and 9 seem to be the defaults, but to keep the system future-proof it might be useful to add these.
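An added example, not code from this thread or from the receipt verifier project: a backend that interprets the verified amount using asset details pinned per spspEndpoint on the server, so a scale or code sent by the frontend can only be compared, never used. `PINNED_ASSETS`, `normalizeReceipt`, `toDecimalString` and the sample endpoints are hypothetical; only the `amount` and `spspEndpoint` fields come from the discussion above.

```javascript
// Added example. All names and sample values here are constructed.
// Asset details per SPSP endpoint, learned server-side (for instance by
// initiating a payment once) and assumed consistent over time.
const PINNED_ASSETS = new Map([
  ['https://wallet.example/spsp/alice', { assetCode: 'XRP', assetScale: 9 }],
  ['https://wallet.example/spsp/bob', { assetCode: 'USD', assetScale: 2 }],
]);

// Render an integer amount of base units as a decimal string, without floats.
function toDecimalString(amount, assetScale) {
  const digits = amount.toString().padStart(assetScale + 1, '0');
  const cut = digits.length - assetScale;
  const whole = digits.slice(0, cut);
  const frac = digits.slice(cut).replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : whole;
}

// `verified` is the { amount, spspEndpoint } pair returned by /verify.
// `clientClaim` is whatever assetCode/assetScale the frontend sent (untrusted).
function normalizeReceipt(verified, clientClaim = {}) {
  if (!/^\d+$/.test(String(verified.amount))) {
    throw new Error('amount must be a non-negative integer string');
  }
  const pinned = PINNED_ASSETS.get(verified.spspEndpoint);
  if (!pinned) {
    // Fail closed: never fall back to the frontend's values or to a default.
    throw new Error('no pinned asset details for ' + verified.spspEndpoint);
  }
  const clientMismatch =
    (clientClaim.assetScale !== undefined &&
      clientClaim.assetScale !== pinned.assetScale) ||
    (clientClaim.assetCode !== undefined &&
      clientClaim.assetCode !== pinned.assetCode);
  return {
    assetCode: pinned.assetCode,
    assetScale: pinned.assetScale,
    value: toDecimalString(BigInt(verified.amount), pinned.assetScale),
    clientMismatch, // worth logging: the frontend disagreed with the pinned data
  };
}
```

With a verified amount of 1500000 for an XRP/9 endpoint, a frontend claiming scale 2 would turn 0.0015 into 15000 if its value were used; here it only sets `clientMismatch`.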