Check login when confirming a withdrawal operation

4 files changed, 26 insertions, 11 deletions

diff --git a/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt b/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt
index 48aa88f3..bf66e72e 100644
--- a/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt
+++ b/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt
@@ -469,7 +469,7 @@ private fun Routing.coreBankTransactionsApi(db: Database, ctx: BankConfig) {
 }
 
 suspend fun ApplicationCall.confirmWithdrawalHttp(db: Database, ctx: BankConfig, id: UUID, is2fa: Boolean) {
-    when (db.withdrawal.confirm(id, Instant.now(), is2fa)) {
+    when (db.withdrawal.confirm(username, id, Instant.now(), is2fa)) {
         WithdrawalConfirmationResult.UnknownOperation -> throw notFound(
             "Withdrawal operation $id not found",
             TalerErrorCode.BANK_TRANSACTION_NOT_FOUND
diff --git a/bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt b/bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt
index ebb2e08b..dc4522fa 100644
--- a/bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt
+++ b/bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt
@@ -144,6 +144,7 @@ class WithdrawalDAO(private val db: Database) {
 
     /** Confirm withdrawal operation [uuid] */
     suspend fun confirm(
+        login: String,
         uuid: UUID,
         now: Instant,
         is2fa: Boolean
@@ -157,12 +158,13 @@ class WithdrawalDAO(private val db: Database) {
               out_not_selected,
               out_aborted,
               out_tan_required
-            FROM confirm_taler_withdrawal(?,?,?);
+            FROM confirm_taler_withdrawal(?,?,?,?);
         """
         )
-        stmt.setObject(1, uuid)
-        stmt.setLong(2, now.toDbMicros() ?: throw faultyTimestampByBank())
-        stmt.setBoolean(3, is2fa)
+        stmt.setString(1, login)
+        stmt.setObject(2, uuid)
+        stmt.setLong(3, now.toDbMicros() ?: throw faultyTimestampByBank())
+        stmt.setBoolean(4, is2fa)
         stmt.executeQuery().use {
             when {
                 !it.next() ->
diff --git a/bank/src/test/kotlin/CoreBankApiTest.kt b/bank/src/test/kotlin/CoreBankApiTest.kt
index 86987884..0507b2a6 100644
--- a/bank/src/test/kotlin/CoreBankApiTest.kt
+++ b/bank/src/test/kotlin/CoreBankApiTest.kt
@@ -958,7 +958,7 @@ class CoreBankWithdrawalApiTest {
     // POST /accounts/USERNAME/withdrawals/withdrawal_id/confirm
     @Test
     fun confirm() = bankSetup { _ -> 
-        // TODO auth routine
+        authRoutine(HttpMethod.Post, "/accounts/merchant/withdrawals/42/confirm")
         // Check confirm created
         client.postA("/accounts/merchant/withdrawals") {
             json { "amount" to "KUDOS:1" } 
@@ -1012,6 +1012,18 @@ class CoreBankWithdrawalApiTest {
             client.postA("/taler-integration/withdrawal-operation/$uuid/abort").assertNoContent()
         }
 
+        // Check confirm another user's operation
+        client.postA("/accounts/customer/withdrawals") {
+            json { "amount" to "KUDOS:1" } 
+        }.assertOkJson<BankAccountCreateWithdrawalResponse> {
+            val uuid = it.taler_withdraw_uri.split("/").last()
+            withdrawalSelect(uuid)
+
+            // Check error
+            client.postA("/accounts/merchant/withdrawals/$uuid/confirm")
+                .assertNotFound(TalerErrorCode.BANK_TRANSACTION_NOT_FOUND)
+        }
+
         // Check bad UUID
         client.postA("/accounts/merchant/withdrawals/chocolate/confirm").assertBadRequest()
 
@@ -1033,7 +1045,6 @@ class CoreBankWithdrawalApiTest {
                 assertBalance("merchant", "-KUDOS:6")
             }.assertNoContent()
         }
-        
     }
 }
 
diff --git a/database-versioning/libeufin-bank-procedures.sql b/database-versioning/libeufin-bank-procedures.sql
index c142e450..0daf9b1d 100644
--- a/database-versioning/libeufin-bank-procedures.sql
+++ b/database-versioning/libeufin-bank-procedures.sql
@@ -640,6 +640,7 @@ END $$;
 COMMENT ON FUNCTION abort_taler_withdrawal IS 'Abort a withdrawal operation.';
 
 CREATE FUNCTION confirm_taler_withdrawal(
+  IN in_login TEXT,
   IN in_withdrawal_uuid uuid,
   IN in_confirmation_date BIGINT,
   IN in_is_tan BOOLEAN,
@@ -662,6 +663,7 @@ DECLARE
   exchange_bank_account_id BIGINT;
   tx_row_id BIGINT;
 BEGIN
+-- Check op exists
 SELECT
   confirmation_done,
   aborted, NOT selection_done,
@@ -681,7 +683,7 @@ SELECT
   FROM taler_withdrawal_operations
     JOIN bank_accounts ON wallet_bank_account=bank_account_id
     JOIN customers ON owning_customer_id=customer_id
-  WHERE withdrawal_uuid=in_withdrawal_uuid;
+  WHERE withdrawal_uuid=in_withdrawal_uuid AND login=in_login;
 IF NOT FOUND THEN
   out_no_op=TRUE;
   RETURN;
@@ -1038,7 +1040,7 @@ COMMENT ON FUNCTION cashin IS 'Perform a cashin operation';
 
 
 CREATE FUNCTION cashout_create(
-  IN in_account_username TEXT,
+  IN in_login TEXT,
   IN in_request_uid BYTEA,
   IN in_amount_debit taler_amount,
   IN in_amount_credit taler_amount,
@@ -1068,13 +1070,13 @@ IF out_bad_conversion THEN
   RETURN;
 END IF;
 
--- check account exists, if has all info and if 2FA is required
+-- Check account exists, has all info and if 2FA is required
 SELECT 
     bank_account_id, is_taler_exchange, cashout_payto IS NULL, (NOT in_is_tan AND tan_channel IS NOT NULL) 
   INTO account_id, out_account_is_exchange, out_no_cashout_payto, out_tan_required
   FROM bank_accounts
   JOIN customers ON bank_accounts.owning_customer_id = customers.customer_id
-  WHERE login=in_account_username;
+  WHERE login=in_login;
 IF NOT FOUND THEN
   out_account_not_found=TRUE;
   RETURN;