Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

txnbuild: ignore txhash (preauth) and xhash signers in sep-10 #2215

Merged
merged 8 commits into from
Feb 3, 2020
Merged

txnbuild: ignore txhash (preauth) and xhash signers in sep-10 #2215

merged 8 commits into from
Feb 3, 2020

Conversation

leighmcculloch
Copy link
Member

@leighmcculloch leighmcculloch commented Feb 1, 2020
edited
Loading

PR Checklist

PR Structure

  • This PR has reasonably narrow scope (if not, break it down into smaller PRs).
  • This PR avoids mixing refactoring changes with feature changes (split into two PRs
    otherwise).
  • This PR's title starts with name of package that is most changed in the PR, ex.
    services/friendbot, or all or doc if the changes are broad or impact many
    packages.

Thoroughness

  • This PR adds tests for the most critical parts of the new functionality or fixes.
  • I've updated any docs (developer docs, .md
    files, etc... affected by this change). Take a look in the docs folder for a given service,
    like this one.

Release planning

  • I've updated the relevant CHANGELOG (here for Horizon) if
    needed with deprecations, added features, breaking changes, and DB schema changes.
  • I've decided if this PR requires a new major/minor version according to
    semver, or if it's mainly a patch change. The PR is targeted at the next
    release branch if it's not a patch change.

What

Ignore txhash (T...) signers, used for preauth transactions, xhash (X...)
signers, and other future types of signers the server might not know
about, during SEP-10 verification.

Why

Developers will likely pass through to the verification functions the
signers on accounts as provided by Horizon. Accounts can have other
non-ed25519 signers and they're likely going to be passed through
verbatim. The verification logic's goal is to confirm the transaction
has been signed by the signers and so ignoring unsupported types like
txhash and xhash seems like a safe thing to do given that the
verification function will also ignore ed25519 signers that don't match
a signature.

Without this in a typical SEP-10 implementation any account with a
txhash or xhash signer will likely fail SEP-10 verification.

Issues that might be caused by this new behavior is if a user passes in
an account seed (S...) or some other string they won't see an error.
I think that's unlikely and hopefully a smaller impact than is worth
making this solution more complex.

This issue was first identified by @overcat in lightsail-network/java-stellar-sdk#264,
but solved in a way that depends on data from Horizon. This solution
does not depend on data from Horizon and should be portable to all our
SDKs. This was previously discussed at:
lightsail-network/java-stellar-sdk#264 (comment).

Known limitations

N/A

CC

@overcat @tamirms @ire-and-curses

@leighmcculloch
txnbuild: ignore txhash (preauth) and xhash signers in sep-10
670a6f5 
### What
Ignore txhash (T...) signers, used for preauth transactions, and xhash (X...)
signers during SEP-10 verification.

### Why
Developers will likely pass through to the verification functions the
signers on accounts as provided by Horizon. Accounts can have other
non-ed25519 signers and they're likely going to be passed through
verbatim. The verification logic's goal is to confirm the transaction
has been signed by the signers and so ignoring unsupported types like
txhash and xhash seems like a safe thing to do given that the
verification function will also ignore ed25519 signers that don't match
a signature.

Without this in a typical SEP-10 implementation any account with a
txhash or xhash signer will likely fail SEP-10 verification.

Issues that might be caused by this new behavior is if a user passes in
an account seed (S...) or some other string they won't see an error
unless it just happens to start with G and does not parse as an address.
I think that's unlikely and hopefully a smaller impact than is worth
making this solution more complex.
@leighmcculloch leighmcculloch self-assigned this Feb 1, 2020
@cla-bot cla-bot bot added the cla: yes label Feb 1, 2020
@leighmcculloch leighmcculloch mentioned this pull request Feb 1, 2020
Merged
@leighmcculloch leighmcculloch requested review from howardtw and removed request for ire-and-curses February 1, 2020 01:03
@leighmcculloch leighmcculloch merged commit a29b5ca into stellar:master Feb 3, 2020
@leighmcculloch leighmcculloch deleted the sep10ignorehashsigners branch February 3, 2020 23:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ire-and-curses ire-and-curses ire-and-curses approved these changes

@howardtw howardtw Awaiting requested review from howardtw

Assignees

@leighmcculloch leighmcculloch

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@leighmcculloch @ire-and-curses