Page MenuHomePhabricator
Differential D13436

[keyserver] Avoid trusting FIDs passed from client in updateRelationships
ClosedPublic
Actions

Authored by ashoat on Sep 23 2024, 10:34 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 8, 7:02 PM
Unknown Object (File)
Fri, Nov 8, 7:02 PM
Unknown Object (File)
Fri, Nov 8, 7:02 PM
Unknown Object (File)
Fri, Nov 8, 7:02 PM
Unknown Object (File)
Fri, Nov 8, 2:08 AM
Unknown Object (File)
Thu, Nov 7, 10:38 PM
Unknown Object (File)
Thu, Nov 7, 9:41 PM
Unknown Object (File)
Thu, Nov 7, 9:18 PM
View All 38 Files
Subscribers
tomek

Details

Reviewers
varun
Commits
rCOMM2dba9fb9b5ed: [keyserver] Avoid trusting FIDs passed from client in updateRelationships
Summary

We first implemented this code in the Hackathon, and forgot to reconsider it later.

We should avoid trusting the user's claims about FIDs. Instead, we should query the identity service.

This diff avoids changing the API, but updates the implementation to ignore the FIDs passed by the client.

Depends on D13435

Test Plan

I haven't done this yet, but I need to confirm that the Farcaster mutual logic still works correctly

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

ashoat created this revision.Sep 23 2024, 10:34 PM
Herald added a subscriber: tomek. · View Herald TranscriptSep 23 2024, 10:34 PM
ashoat added a child revision: D13437: [keyserver][lib][native] Rename RelationshipRequest to LegacyRelationshipRequest.Sep 23 2024, 10:34 PM
Harbormaster returned this revision to the author for changes because remote builds failed.Sep 23 2024, 10:48 PM
Harbormaster failed remote builds in B31793: Diff 44459!
ashoat updated this revision to Diff 44470.Sep 23 2024, 10:56 PM

Rebase

Harbormaster completed remote builds in B31804: Diff 44470.Sep 23 2024, 11:43 PM
ashoat requested review of this revision.Sep 23 2024, 11:43 PM
ashoat mentioned this in D13438: [keyserver] Rework updateRelationships on keyserver to use new API.Sep 24 2024, 10:13 AM
ashoat mentioned this in D13441: [lib][native][web] Introduce useUpdateRelationships.
varun accepted this revision.Sep 24 2024, 10:58 AM
This revision is now accepted and ready to land.Sep 24 2024, 10:58 AM
Closed by commit rCOMM2dba9fb9b5ed: [keyserver] Avoid trusting FIDs passed from client in updateRelationships (authored by ashoat). · Explain WhySep 24 2024, 3:04 PM
This revision was automatically updated to reflect the committed changes.
ashoat added a commit: rCOMM2dba9fb9b5ed: [keyserver] Avoid trusting FIDs passed from client in updateRelationships.

Revision Contents
Changeset List

PathSize
keyserver/
src/
updaters/
54 lines

Diff 44470

View Options

keyserver/src/updaters/relationship-updaters.js

Loading...