You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When we do GET /incoming-payment/:id via Open Payments APIs, we return either a "private" incoming payment (that requires an access token in the request) or a "public" incoming payment that returns less details, and that does not require an access token.
Currently, when we receive a request to this route, we always do a token introspection check and a signature verification. If those checks end up throwing an error, we suppress the error (via bypassError: true flag), and just return the public incoming payment instead:
However, this seems like a wrong behaviour: if the user of the Open Payments client is making a request to get an incoming payment with an access token, then the expected result is receiving the incoming payment with all of the details or an error notifying the client about an invalid token, instead of a public incoming payment.
If the signature is invalid however (but token is not provided), we can still return the public incoming payment, since the intention of the client is just to get the public incoming payment still.
Tasks
if an accessToken is provided with the request to get an incoming payment, and the token is invalid, we should fail with a 401 error instead of returning a public incoming payment
The text was updated successfully, but these errors were encountered:
Context
When we do GET /incoming-payment/:id via Open Payments APIs, we return either a "private" incoming payment (that requires an access token in the request) or a "public" incoming payment that returns less details, and that does not require an access token.
Currently, when we receive a request to this route, we always do a token introspection check and a signature verification. If those checks end up throwing an error, we suppress the error (via
bypassError: true
flag), and just return the public incoming payment instead:rafiki/packages/backend/src/app.ts
Lines 573 to 580 in b08a157
However, this seems like a wrong behaviour: if the user of the Open Payments client is making a request to get an incoming payment with an access token, then the expected result is receiving the incoming payment with all of the details or an error notifying the client about an invalid token, instead of a public incoming payment.
If the signature is invalid however (but token is not provided), we can still return the public incoming payment, since the intention of the client is just to get the public incoming payment still.
Tasks
accessToken
is provided with the request to get an incoming payment, and the token is invalid, we should fail with a 401 error instead of returning a public incoming paymentThe text was updated successfully, but these errors were encountered: