Open yuriescl opened 1 year ago
When calling the SEP-12 PUT /customer endpoint, I noticed that if I use a SEP-10 token without a custodial memo to authenticate the request, it let's me use memo as one of the fields in the payload.
This is the intended behavior, because SEP-31 senders don't include a memo in their SEP-10 challenge, since they're authenticating as themselves instead of as one of their users. Instead they have to specify the memos in their PUT /customer
requests to identify their sending & receiving customers.
The downside is that this makes it possible for a SEP-6 wallet to omit their customer's memo in SEP-10. In reality though, this has minimal impact since anchors and custodial / omnibus wallets almost always have agreements and the wallet's public key is whitelisted on the anchor's backend.
Also, apparently I also have to set memo_type=id in the payload, otherwise Polaris will raise an error saying the memo does not match memo_type. memo_type should default to id in SEP-12 calls, right?
This sounds like a bug, thanks for finding.
This is the intended behavior
Got it, makes sense
This sounds like a bug, thanks for finding
Sure
This might be a bug, or maybe it's intended behavior. When calling the SEP-12
PUT /customer
endpoint, I noticed that if I use a SEP-10 token without a custodial memo to authenticate the request, it let's me usememo
as one of the fields in the payload. Shouldn't the authenticated SEP-10 account/memo be required to match thePUT /customer
account/memo?How to reproduce:
PUT /customer
, and putmemo=1
in the payload fieldsmemo=
value in the payloadAlso, apparently I also have to set
memo_type=id
in the payload, otherwise Polaris will raise an error saying thememo
does not matchmemo_type
.memo_type
should default toid
in SEP-12 calls, right?How to reproduce:
PUT /customer
with amemo=1
in the payload, but withoutmemo_type
memo
doesn't match thememo_type