Page MenuHomePhabricator

[keyserver] Avoid trusting FIDs passed from client in updateRelationships
ClosedPublic

Authored by ashoat on Sep 23 2024, 10:34 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 8, 7:02 PM
Unknown Object (File)
Fri, Nov 8, 7:02 PM
Unknown Object (File)
Fri, Nov 8, 7:02 PM
Unknown Object (File)
Fri, Nov 8, 7:02 PM
Unknown Object (File)
Fri, Nov 8, 2:08 AM
Unknown Object (File)
Thu, Nov 7, 10:38 PM
Unknown Object (File)
Thu, Nov 7, 9:41 PM
Unknown Object (File)
Thu, Nov 7, 9:18 PM
Subscribers

Details

Summary

We first implemented this code in the Hackathon, and forgot to reconsider it later.

We should avoid trusting the user's claims about FIDs. Instead, we should query the identity service.

This diff avoids changing the API, but updates the implementation to ignore the FIDs passed by the client.

Depends on D13435

Test Plan

I haven't done this yet, but I need to confirm that the Farcaster mutual logic still works correctly

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

Harbormaster returned this revision to the author for changes because remote builds failed.Sep 23 2024, 10:48 PM
Harbormaster failed remote builds in B31793: Diff 44459!
This revision is now accepted and ready to land.Sep 24 2024, 10:58 AM