stellar / django-polaris

An extendable Django app for building modular Stellar services
https://django-polaris.readthedocs.io
Apache License 2.0

Wrong callback signature calculation #710

Closed nikita-gorodeckij closed 8 months ago

nikita-gorodeckij commented 8 months ago

Looks like signatures for callbacks are calculated incorrectly.

Here you get the string to compute the signature:

https://github.com/stellar/django-polaris/blob/a60fe69f656fe9745efad6da9d83b796ef871c63/polaris/utils.py#L278C5-L278C85

and result is something like this:

"1697116276.domain.com.{'transaction': {'id': '123123123', 'kind': 'deposit', 'status': 'completed', 'status_eta': None, 'amount_in': '20.0000000', 'amount_out': '20.0000000', 'amount_fee': '0E-7', 'started_at': '2023-10-12T12:17:27.749569Z', 'completed_at': '2023-10-12T12:20:18.536572Z', 'stellar_transaction_id': 'asdfasdfasdf', 'external_transaction_id': 'adsfasdfasdf', 'more_info_url': 'https://anchor.com/sep24/transaction/more_info?id=123123123', 'refunded': False, 'message': 'complete', 'claimable_balance_id': None, 'to': 'GAKFBRS24U3PEN6XDMEX4JEV5NGBARS2ZFF5O4CF3JL464SQSD4MDCPF', 'from': None, 'deposit_memo_type': 'hash', 'deposit_memo': None}}"

But in the request to the anchor, the body will be converted to JSON and will be completely different, so the anchor computes a different signature.

JakeUrban commented 8 months ago

Hey @nikita-gorodeckij, thanks for catching this. Seems like the fix is to convert the transaction python dict to a json string and ensure that string is used in both the callback request body and the signature payload. I'll get started on a patch.
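
A minimal reproduction of the mismatch reported in this issue and of the fix proposed in the reply, as an added example that is not code from django-polaris. HMAC-SHA256 and the key are stand-ins for the real signing primitive, the function names are hypothetical, and the payload is a constructed, shortened version of the one quoted above.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; stand-in for the real signing key

# Constructed sample, shortened from the payload quoted in the issue.
PAYLOAD = {"transaction": {"id": "123123123", "kind": "deposit",
                           "status": "completed", "status_eta": None,
                           "refunded": False}}


def sign(message: bytes) -> str:
    """HMAC-SHA256 as a stand-in signing primitive (assumption)."""
    return hmac.new(KEY, message, hashlib.sha256).hexdigest()


def signing_input(timestamp: int, host: str, body: str) -> bytes:
    """Build <timestamp>.<host>.<body>, the layout shown in the issue."""
    return f"{timestamp}.{host}.{body}".encode()


def sender_buggy(timestamp: int, host: str, payload: dict):
    """Signs the dict's Python repr but sends JSON: the reported behaviour."""
    sig = sign(signing_input(timestamp, host, str(payload)))
    body = json.dumps(payload)  # what actually goes on the wire
    return body, sig


def sender_fixed(timestamp: int, host: str, payload: dict):
    """Serialize once, then sign and send that same string."""
    body = json.dumps(payload)
    return body, sign(signing_input(timestamp, host, body))


def receiver_verify(timestamp: int, host: str, raw_body: str, sig: str) -> bool:
    """Recompute over the raw body as received, not a re-serialized copy."""
    expected = sign(signing_input(timestamp, host, raw_body))
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    ts, host = 1697116276, "domain.com"
    print("buggy verifies:", receiver_verify(ts, host, *sender_buggy(ts, host, PAYLOAD)))
    print("fixed verifies:", receiver_verify(ts, host, *sender_fixed(ts, host, PAYLOAD)))
```

The receiver side matters as well: parsing the JSON and re-serializing it before verification can change key order or whitespace and break an otherwise valid signature.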