From f2f8070390c317e8805b4181e7b0212c9afa5665 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Wed, 29 Jan 2025 16:14:46 -0800 Subject: [PATCH 1/3] Remove duplicate check from wfe.FinalizeOrder This check is duplicated in the next stanza. --- wfe2/wfe.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/wfe2/wfe.go b/wfe2/wfe.go index 432277af6d9..961af4e0476 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -2517,11 +2517,6 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req return } - if order.RegistrationID != acctID { - wfe.sendError(response, logEvent, probs.NotFound(fmt.Sprintf("No order found for account ID %d", acctID)), nil) - return - } - // If the authenticated account ID doesn't match the order's registration ID // pretend it doesn't exist and abort. if acct.ID != order.RegistrationID { From 0e33bfce816b015949ecd807a61a90676b8647b5 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Wed, 29 Jan 2025 16:21:08 -0800 Subject: [PATCH 2/3] Double-check that acctID and acct.ID are the same --- wfe2/wfe.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/wfe2/wfe.go b/wfe2/wfe.go index 961af4e0476..505d0827f5a 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -2501,6 +2501,11 @@ func (wfe *WebFrontEndImpl) FinalizeOrder(ctx context.Context, logEvent *web.Req return } + if acct.ID != acctID { + wfe.sendError(response, logEvent, probs.Malformed("Mismatched account ID"), nil) + return + } + order, err := wfe.sa.GetOrder(ctx, &sapb.OrderRequest{Id: orderID}) if err != nil { if errors.Is(err, berrors.NotFound) { From 6d8d055deae970c949850ef4ab736b75bb6b7d0b Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Wed, 29 Jan 2025 16:48:37 -0800 Subject: [PATCH 3/3] Update unit test --- wfe2/wfe_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go index c487ac76ce7..4580bc96cba 100644 --- a/wfe2/wfe_test.go +++ b/wfe2/wfe_test.go @@ -2775,7 +2775,7 @@ func TestFinalizeOrder(t *testing.T) { // stripped by the global WFE2 handler. We need the JWS URL to match the request // URL so we fudge both such that the finalize-order prefix has been removed. Request: signAndPost(signer, "2/1", "http://localhost/2/1", "{}"), - ExpectedBody: `{"type":"` + probs.ErrorNS + `malformed","detail":"No order found for account ID 2","status":404}`, + ExpectedBody: `{"type":"` + probs.ErrorNS + `malformed","detail":"Mismatched account ID","status":400}`, }, { Name: "Order ID is invalid",