fix(streams): enforce sender ownership on createStream (#809)#967
Open
jadonamite wants to merge 1 commit into
Conversation
createStream never read req.user, so any authenticated wallet could POST an arbitrary sender or flip another owner's cancelled stream back to active via the upsert update branch (keyed only on client-supplied streamId).

- 401 when unauthenticated; 403 when JWT subject != body sender
- validate sender/recipient/tokenAddress before any DB write
- reject (403) upsert against a streamId already owned by another wallet, so the update branch can never reactivate someone else's stream
- add controller tests covering non-owner reactivation and field validation
f647c82 to f67e5da
Fixes #809
Problem

`createStream` wired `requireAuth` but never read `req.user`. It called `prisma.stream.upsert` keyed only on the client-supplied `streamId`, whose update branch set `{ isActive: true }`. So any logged-in wallet could:

- POST `{ streamId: <someone else's cancelled stream>, ... }` and flip `isActive` back to `true` (the body's sender/recipient are ignored on update), and
- POST a `sender` it does not own.

Fix

- `401` when unauthenticated and `403` when the JWT subject (`req.user.publicKey`) is not the body `sender`.
- Validate `sender`/`recipient`/`tokenAddress` before any DB write.
- `403` if the existing stream is owned by another wallet, so the update branch can never reactivate or overwrite someone else's stream.

Tests

Added controller tests covering: unauthenticated (401), caller≠sender (403), missing sender (400), and a non-owner attempting to reactivate a victim's cancelled stream (403, no DB write). All `stream.controller.test.ts` tests pass.

Acceptance criteria

- `createStream` rejects (403) when `req.user.publicKey` is not the body sender
- `isActive: true` is never set for an existing stream owned by someone else
- `POST /v1/streams`
- `sender`/`recipient`/`tokenAddress` validated before any DB write
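The check order the PR describes (auth, field validation, caller = sender, ownership of an existing `streamId`, then the write), as an added example that is not the project's code: an in-memory `Map` stands in for `prisma.stream.upsert`, and the key validator is an assumption.

```typescript
// Added example, not the project's controller: the createStream checks the PR
// describes, written against a Map that stands in for prisma.stream.upsert.
type Stream = {
  streamId: string; sender: string; recipient: string;
  tokenAddress: string; isActive: boolean;
};
type Req = { user?: { publicKey: string }; body: Partial<Stream> };
type Res = { status: number; body: Record<string, unknown> };

// Assumed validator: a non-empty string without whitespace (the real project may be stricter).
const isKey = (v: unknown): v is string =>
  typeof v === "string" && v.length > 0 && !/\s/.test(v);

function createStream(req: Req, db: Map<string, Stream>): Res {
  // 1. requireAuth must have populated req.user; otherwise 401.
  const caller = req.user?.publicKey;
  if (!caller) return { status: 401, body: { error: "unauthenticated" } };

  // 2. Validate every field before touching the store.
  const { streamId, sender, recipient, tokenAddress } = req.body;
  if (!isKey(streamId) || !isKey(sender) || !isKey(recipient) || !isKey(tokenAddress)) {
    return { status: 400, body: { error: "streamId, sender, recipient, tokenAddress are required" } };
  }

  // 3. The JWT subject must be the sender named in the body.
  if (sender !== caller) {
    return { status: 403, body: { error: "sender must be the authenticated wallet" } };
  }

  // 4. The upsert's update branch is keyed on the client-supplied streamId,
  //    so refuse it when that id already belongs to another wallet.
  const existing = db.get(streamId);
  if (existing && existing.sender !== caller) {
    return { status: 403, body: { error: "streamId is owned by another wallet" } };
  }

  // 5. Only now perform the upsert (create, or an owner-only update).
  const stream: Stream = { streamId, sender, recipient, tokenAddress, isActive: true };
  db.set(streamId, stream);
  return { status: existing ? 200 : 201, body: { ...stream } };
}

// Constructed scenario: a victim's cancelled stream and a non-owner trying to revive it.
const store = new Map<string, Stream>([
  ["s1", { streamId: "s1", sender: "victim", recipient: "r", tokenAddress: "t", isActive: false }],
]);
const attack = createStream(
  { user: { publicKey: "attacker" }, body: { streamId: "s1", sender: "attacker", recipient: "r", tokenAddress: "t" } },
  store,
);
console.log(attack.status, store.get("s1")?.isActive); // 403 false
```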