Ability for NFT Owners to Alter Token URIs

[Ben-Rey]

Describe the bug

The Massa Labs NFT implementation allows NFT owners to change the token URI of their NFTs using the nft1_setTokenURI function.

To Reproduce

Steps to reproduce the behavior:

1. Deploy the NFT contract using the provided code from NFT.ts.
2. Mint two different NFTs to two different addresses (e.g., Alice and Bob).
3. Use the nft1_setTokenURI function as Alice to set a new URI for Alice's NFT.
4. Observe that Alice can change the URI to mimic Bob's NFT, leading to potential spoofing.

Expected behavior

The expected behavior in standard ERC-721 implementations is that the token URI, once set during the minting process, should not be alterable by the NFT owner. This immutability ensures the authenticity and integrity of the NFT's metadata, preventing any possibility of spoofing or misrepresentation.

Screenshots

Not applicable in this case as the issue is related to smart contract functionality.

Version

The issue is present in the NFT implementation as seen in the NFT.ts file in the Massa Labs repository.

Additional context

This issue is particularly significant considering developers familiar with the ERC721 standard might not expect the token URI to be changeable by the NFT owner. It is recommended to either disallow NFT owners from changing their token URIs or make this capability private, aligning with practices seen in implementations like OpenZeppelin's ERC721URIStorage.sol.