From 1ae184713bd78798f02c21d136ddb1e62a2a96c7 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Thu, 30 Jan 2025 11:57:05 -0800 Subject: [PATCH] Remove duplicate check from wfe.FinalizeOrder (#7987) This check is duplicated in the next stanza. Instead, replace it with a check that the acctID encoded in the URL and the acctID corresponding to the JWS used to sign the request match. --- wfe2/wfe.go | 10 +++++----- wfe2/wfe_test.go | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/wfe2/wfe.go b/wfe2/wfe.go index 432277af6d9..505d0827f5a 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -2501,6 +2501,11 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req return } + if acct.ID != acctID { + wfe.sendError(response, logEvent, probs.Malformed("Mismatched account ID"), nil) + return + } + order, err := wfe.sa.GetOrder(ctx, &sapb.OrderRequest{Id: orderID}) if err != nil { if errors.Is(err, berrors.NotFound) { @@ -2517,11 +2522,6 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req return } - if order.RegistrationID != acctID { - wfe.sendError(response, logEvent, probs.NotFound(fmt.Sprintf("No order found for account ID %d", acctID)), nil) - return - } - // If the authenticated account ID doesn't match the order's registration ID // pretend it doesn't exist and abort. if acct.ID != order.RegistrationID { diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go index c487ac76ce7..4580bc96cba 100644 --- a/wfe2/wfe_test.go +++ b/wfe2/wfe_test.go @@ -2775,7 +2775,7 @@ func TestFinalizeOrder(t *testing.T) { // stripped by the global WFE2 handler. We need the JWS URL to match the request // URL so we fudge both such that the finalize-order prefix has been removed. Request: signAndPost(signer, "2/1", "http://localhost/2/1", "{}"), - ExpectedBody: `{"type":"` + probs.ErrorNS + `malformed","detail":"No order found for account ID 2","status":404}`, + ExpectedBody: `{"type":"` + probs.ErrorNS + `malformed","detail":"Mismatched account ID","status":400}`, }, { Name: "Order ID is invalid",