From 202a5e280d12259793bb6c847091e755088ce436 Mon Sep 17 00:00:00 2001
From: Steven Oderayi
Date: Tue, 3 Mar 2020 14:57:27 +0100
Subject: [PATCH] #1178: Bug fixes for POST /quotes with unknown destination FSP (#160)
* Validate that FSP Ids in headers and payload match for both payerfsp and payeefsp
---
 package-lock.json | 2 +-
 package.json | 2 +-
 src/model/quotes.js | 10 ++++++++++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 4082a1a4..8b68a091 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "quoting-service",
- "version": "9.3.2-snapshot",
+ "version": "9.3.3-snapshot",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index 97a1355d..4bd86dea 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "name": "quoting-service",
 "description": "Quoting Service hosted by a scheme",
 "license": "Apache-2.0",
- "version": "9.3.2-snapshot",
+ "version": "9.3.3-snapshot",
 "author": "Modusbox",
 "contributors": [
 "James Bush ",
diff --git a/src/model/quotes.js b/src/model/quotes.js
index 61b7924a..88606a73 100644
--- a/src/model/quotes.js
+++ b/src/model/quotes.js
@@ -162,6 +162,16 @@ class QuotesModel {
 // internal-error
 throw ErrorHandler.CreateInternalServerFSPIOPError('Missing quoteRequest', null, fspiopSource)
 }
+
+ // We need to validate that the FSP Ids in the headers and payload match
+ if (fspiopSource !== quoteRequest.payer.partyIdInfo.fspId) {
+ throw ErrorHandler.CreateFSPIOPError(ErrorHandler.Enums.FSPIOPErrorCodes.VALIDATION_ERROR, '"fspiop-source" header does not match the payer FSP ID', null, fspiopSource)
+ }
+
+ if (fspiopDestination !== quoteRequest.payee.partyIdInfo.fspId) {
+ throw ErrorHandler.CreateFSPIOPError(ErrorHandler.Enums.FSPIOPErrorCodes.VALIDATION_ERROR, '"fspiop-destination" header does not match the payee FSP ID', null, fspiopSource)
+ }
+
 await this.db.getParticipant(fspiopSource, LOCAL_ENUM.PAYER_DFSP)
 await this.db.getParticipant(fspiopDestination, LOCAL_ENUM.PAYEE_DFSP)
 }
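Review bot: Both new comparisons read `quoteRequest.payer.partyIdInfo.fspId` and `quoteRequest.payee.partyIdInfo.fspId` with no guard visible in this hunk, so a payload lacking `payer`, `payee` or `partyIdInfo` would surface as a TypeError rather than the intended VALIDATION_ERROR, unless schema validation earlier in the request path already guarantees those objects. If `fspId` is optional in the payload schema, an omitted value compares as `undefined` and the request is rejected with a "does not match" message; that may be the wanted behaviour, but it should be stated, for example `// fspId must be present in the payload and equal the header value; headers are assumed to be authenticated upstream`. The check binds the payload identity to the `fspiop-source` header, so it is only as strong as whatever authenticates that header before this method runs, which is not visible here. The diffstat lists no test file, so both new throw branches appear to be uncovered by this commit. The enclosing method starts and ends outside the hunk.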