JakeUrban
commented
1 year ago When calling the SEP-12 PUT /customer endpoint, I noticed that if I use a SEP-10 token without a custodial memo to authenticate the request, it let's me use memo as one of the fields in the payload.
This is the intended behavior, because SEP-31 senders don't include a memo in their SEP-10 challenge, since they're authenticating as themselves instead of as one of their users. Instead they have to specify the memos in their PUT /customer requests to identify their sending & receiving customers.
The downside is that this makes it possible for a SEP-6 wallet to omit their customer's memo in SEP-10. In reality though, this has minimal impact since anchors and custodial / omnibus wallets almost always have agreements and the wallet's public key is whitelisted on the anchor's backend.
Also, apparently I also have to set memo_type=id in the payload, otherwise Polaris will raise an error saying the memo does not match memo_type. memo_type should default to id in SEP-12 calls, right?
This sounds like a bug, thanks for finding.
yuriescl
This might be a bug, or maybe it's intended behavior. When calling the SEP-12
PUT /customerendpoint, I noticed that if I use a SEP-10 token without a custodial memo to authenticate the request, it let's me usememoas one of the fields in the payload. Shouldn't the authenticated SEP-10 account/memo be required to match thePUT /customeraccount/memo?How to reproduce:
PUT /customer, and putmemo=1in the payload fieldsmemo=value in the payloadAlso, apparently I also have to set
memo_type=idin the payload, otherwise Polaris will raise an error saying thememodoes not matchmemo_type.memo_typeshould default toidin SEP-12 calls, right?How to reproduce:
PUT /customerwith amemo=1in the payload, but withoutmemo_typememodoesn't match thememo_type