Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Throw error when failing to introspect token instead of returning public incoming payment #2889

Open
1 task
mkurapov opened this issue Aug 23, 2024 · 0 comments
Assignees
Labels
good first issue Good for newcomers hacktoberfest pkg: backend Changes in the backend package.

Comments

@mkurapov
Copy link
Contributor

mkurapov commented Aug 23, 2024

Context

When we do GET /incoming-payment/:id via Open Payments APIs, we return either a "private" incoming payment (that requires an access token in the request) or a "public" incoming payment that returns less details, and that does not require an access token.

Currently, when we receive a request to this route, we always do a token introspection check and a signature verification. If those checks end up throwing an error, we suppress the error (via bypassError: true flag), and just return the public incoming payment instead:

createTokenIntrospectionMiddleware({
requestType: AccessType.IncomingPayment,
requestAction: RequestAction.Read,
bypassError: true
}),
authenticatedStatusMiddleware,
getWalletAddressForSubresource,
incomingPaymentRoutes.get

However, this seems like a wrong behaviour: if the user of the Open Payments client is making a request to get an incoming payment with an access token, then the expected result is receiving the incoming payment with all of the details or an error notifying the client about an invalid token, instead of a public incoming payment.

If the signature is invalid however (but token is not provided), we can still return the public incoming payment, since the intention of the client is just to get the public incoming payment still.

Tasks

  • if an accessToken is provided with the request to get an incoming payment, and the token is invalid, we should fail with a 401 error instead of returning a public incoming payment
@mkurapov mkurapov added the pkg: backend Changes in the backend package. label Aug 23, 2024
@DarianM DarianM self-assigned this Oct 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Good for newcomers hacktoberfest pkg: backend Changes in the backend package.
Projects
Status: In Progress
Development

No branches or pull requests

2 participants