Closed twinsant closed 2 years ago
Thanks for raising this issue, @twinsant!
I think adding a VALID_FIELDS list to check against would be nice to have here. Instead of logging and returning false, we should instead just raise a ValueError with a short description of the invalid field. This will then match how we fail parsing of string inputs: https://github.com/spruceid/siwe-py/blob/main/siwe/parsed.py#L14 and https://github.com/spruceid/siwe-py/blob/main/siwe/parsed.py#L39.
The intent I had with adding this dictionary input option was for a scenario where the dev had well-defined input. However, you raise a valid point because this may not always be the case depending upon the user. Adding some light guard rails like this sounds good to me!
Feel free to open a PR for this! Otherwise, I can get one up at some point tomorrow. Thanks again for all of your questions and interest in the project.
In this code:
the library didn't check the field names, so there may be an exploit here when the caller didn't verify the user's input.
My question is should the lib check the fields or just leave this to the application developers?
I did it in my app code:
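The guard rail proposed in the reply above, as an added example that is not siwe-py's own code: an allow-list of field names is checked before any attribute is set, and unknown keys raise a ValueError naming them. The field list (assumed from EIP-4361, snake_case) and the sample message are constructed here, not taken from the library.

```python
# Added example, not siwe-py's own code: an allow-list guard of the kind the
# maintainer suggests (VALID_FIELDS plus a ValueError naming the bad key).
# Field names below are assumed from EIP-4361 in snake_case form, not taken
# from the library source.
from typing import Any, Dict, List

VALID_FIELDS = frozenset({
    "domain", "address", "statement", "uri", "version", "chain_id",
    "nonce", "issued_at", "expiration_time", "not_before",
    "request_id", "resources",
})

# Constructed sample input, shaped like a dict a client might submit.
SAMPLE_MESSAGE: Dict[str, Any] = {
    "domain": "example.com",
    "address": "0x0000000000000000000000000000000000000001",
    "uri": "https://example.com/login",
    "version": "1",
    "chain_id": 1,
    "nonce": "8hF3kZ2pQ",
    "issued_at": "2024-01-01T00:00:00Z",
}

def unknown_fields(data: Dict[str, Any]) -> List[str]:
    """Keys of `data` that are not SIWE message fields, sorted for stable errors."""
    return sorted(set(data) - VALID_FIELDS)

def validate_fields(data: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `data`, or raise ValueError naming every unknown key."""
    bad = unknown_fields(data)
    if bad:
        raise ValueError(f"invalid SIWE message field(s): {', '.join(bad)}")
    return dict(data)

class GuardedMessage:
    """Stand-in for a message class that fills its attributes from a dict."""
    def __init__(self, data: Dict[str, Any]) -> None:
        # Validation runs before any setattr, so an untrusted dict cannot
        # introduce attribute names the message type never defined.
        for key, value in validate_fields(data).items():
            setattr(self, key, value)

def is_valid_message(data: Dict[str, Any]) -> bool:
    """True when construction succeeds, False when the guard rejects the dict."""
    try:
        GuardedMessage(data)
    except ValueError:
        return False
    return True
```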