author | Antoine A <> | 2024-01-12 14:29:17 +0000 |
---|---|---|
committer | Antoine A <> | 2024-01-12 14:29:17 +0000 |
commit | 001e611259de8a5e234dfbdf1f4b787495a59ceb (patch) | |
tree | 6df1cba7c2282217bd8290679c001ac31d3cec59 | |
parent | b082dd8bdc4e35ac5d836bc6aff2b0ef6313b9bd (diff) | |
download | libeufin-001e611259de8a5e234dfbdf1f4b787495a59ceb.tar.gz libeufin-001e611259de8a5e234dfbdf1f4b787495a59ceb.tar.bz2 libeufin-001e611259de8a5e234dfbdf1f4b787495a59ceb.zip |
Check login when confirming a withdrawal operation
-rw-r--r-- | bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt | 2 | ||||
-rw-r--r-- | bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt | 10 | ||||
-rw-r--r-- | bank/src/test/kotlin/CoreBankApiTest.kt | 15 | ||||
-rw-r--r-- | database-versioning/libeufin-bank-procedures.sql | 10 |
4 files changed, 26 insertions, 11 deletions
diff --git a/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt b/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt index 48aa88f3..bf66e72e 100644 --- a/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt +++ b/bank/src/main/kotlin/tech/libeufin/bank/CoreBankApi.kt @@ -469,7 +469,7 @@ private fun Routing.coreBankTransactionsApi(db: Database, ctx: BankConfig) { } suspend fun ApplicationCall.confirmWithdrawalHttp(db: Database, ctx: BankConfig, id: UUID, is2fa: Boolean) { - when (db.withdrawal.confirm(id, Instant.now(), is2fa)) { + when (db.withdrawal.confirm(username, id, Instant.now(), is2fa)) { WithdrawalConfirmationResult.UnknownOperation -> throw notFound( "Withdrawal operation $id not found", TalerErrorCode.BANK_TRANSACTION_NOT_FOUND diff --git a/bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt b/bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt index ebb2e08b..dc4522fa 100644 --- a/bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt +++ b/bank/src/main/kotlin/tech/libeufin/bank/db/WithdrawalDAO.kt @@ -144,6 +144,7 @@ class WithdrawalDAO(private val db: Database) { /** Confirm withdrawal operation [uuid] */ suspend fun confirm( + login: String, uuid: UUID, now: Instant, is2fa: Boolean @@ -157,12 +158,13 @@ class WithdrawalDAO(private val db: Database) { out_not_selected, out_aborted, out_tan_required - FROM confirm_taler_withdrawal(?,?,?); + FROM confirm_taler_withdrawal(?,?,?,?); """ ) - stmt.setObject(1, uuid) - stmt.setLong(2, now.toDbMicros() ?: throw faultyTimestampByBank()) - stmt.setBoolean(3, is2fa) + stmt.setString(1, login) + stmt.setObject(2, uuid) + stmt.setLong(3, now.toDbMicros() ?: throw faultyTimestampByBank()) + stmt.setBoolean(4, is2fa) stmt.executeQuery().use { when { !it.next() -> diff --git a/bank/src/test/kotlin/CoreBankApiTest.kt b/bank/src/test/kotlin/CoreBankApiTest.kt index 86987884..0507b2a6 100644 --- a/bank/src/test/kotlin/CoreBankApiTest.kt +++ b/bank/src/test/kotlin/CoreBankApiTest.kt 
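Review bot: `username` in `db.withdrawal.confirm(username, id, Instant.now(), is2fa)` is not a parameter of `confirmWithdrawalHttp` and is not declared in this hunk, so it presumably resolves to the account name taken from the request path. The ownership filter protects only if that value is already bound to the authenticated caller on every route that reaches this function, including the one that passes `is2fa = true`. A short comment above the call would record that, for example `// username: account from the authenticated route; an operation of another account is answered as not found`. The function body continues outside the hunk.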
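Review bot: The KDoc on `confirm` in WithdrawalDAO.kt still reads `/** Confirm withdrawal operation [uuid] */`, although the query now only matches an operation whose wallet account belongs to `login`. I would change it to `/** Confirm withdrawal operation [uuid] owned by [login]; an operation of another account is reported as unknown */`, which is what the new test expects. The same gap is in the `-- Check op exists` comment added in libeufin-bank-procedures.sql, which could read `-- Check op exists and belongs to in_login`. The body of `confirm` continues outside both DAO hunks.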
@@ -958,7 +958,7 @@ class CoreBankWithdrawalApiTest { // POST /accounts/USERNAME/withdrawals/withdrawal_id/confirm @Test fun confirm() = bankSetup { _ -> - // TODO auth routine + authRoutine(HttpMethod.Post, "/accounts/merchant/withdrawals/42/confirm") // Check confirm created client.postA("/accounts/merchant/withdrawals") { json { "amount" to "KUDOS:1" } @@ -1012,6 +1012,18 @@ class CoreBankWithdrawalApiTest { client.postA("/taler-integration/withdrawal-operation/$uuid/abort").assertNoContent() } + // Check confirm another user's operation + client.postA("/accounts/customer/withdrawals") { + json { "amount" to "KUDOS:1" } + }.assertOkJson<BankAccountCreateWithdrawalResponse> { + val uuid = it.taler_withdraw_uri.split("/").last() + withdrawalSelect(uuid) + + // Check error + client.postA("/accounts/merchant/withdrawals/$uuid/confirm") + .assertNotFound(TalerErrorCode.BANK_TRANSACTION_NOT_FOUND) + } + // Check bad UUID client.postA("/accounts/merchant/withdrawals/chocolate/confirm").assertBadRequest() @@ -1033,7 +1045,6 @@ class CoreBankWithdrawalApiTest { assertBalance("merchant", "-KUDOS:6") }.assertNoContent() } - } } diff --git a/database-versioning/libeufin-bank-procedures.sql b/database-versioning/libeufin-bank-procedures.sql index c142e450..0daf9b1d 100644 --- a/database-versioning/libeufin-bank-procedures.sql +++ b/database-versioning/libeufin-bank-procedures.sql @@ -640,6 +640,7 @@ END $$; COMMENT ON FUNCTION abort_taler_withdrawal IS 'Abort a withdrawal operation.'; CREATE FUNCTION confirm_taler_withdrawal( + IN in_login TEXT, IN in_withdrawal_uuid uuid, IN in_confirmation_date BIGINT, IN in_is_tan BOOLEAN, @@ -662,6 +663,7 @@ DECLARE exchange_bank_account_id BIGINT; tx_row_id BIGINT; BEGIN +-- Check op exists SELECT confirmation_done, aborted, NOT selection_done, 
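Review bot: The new "confirm another user's operation" case asserts only the `BANK_TRANSACTION_NOT_FOUND` answer, so it would still pass if the rejected call changed the state of the customer's operation. Adding a confirmation by the owner right after the failed call, `client.postA("/accounts/customer/withdrawals/$uuid/confirm").assertNoContent()`, would pin that the operation is still pending and confirmable. This assumes `postA` authenticates as the account named in the path, as the create call just above suggests.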
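Review bot: Adding `IN in_login TEXT` in front of the existing arguments changes the argument list of `confirm_taler_withdrawal`, and PostgreSQL treats `CREATE FUNCTION` with a different argument list as a new overload, not a replacement. Whether this file is always applied after the old definitions are dropped is not visible here. If it is not, the three-argument version without the owner check stays callable in an upgraded database. An explicit `DROP FUNCTION IF EXISTS confirm_taler_withdrawal(uuid, BIGINT, BOOLEAN);` before the definition would rule that out. The function body continues outside the hunk.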
@@ -681,7 +683,7 @@ SELECT FROM taler_withdrawal_operations JOIN bank_accounts ON wallet_bank_account=bank_account_id JOIN customers ON owning_customer_id=customer_id - WHERE withdrawal_uuid=in_withdrawal_uuid; + WHERE withdrawal_uuid=in_withdrawal_uuid AND login=in_login; IF NOT FOUND THEN out_no_op=TRUE; RETURN; @@ -1038,7 +1040,7 @@ COMMENT ON FUNCTION cashin IS 'Perform a cashin operation'; CREATE FUNCTION cashout_create( - IN in_account_username TEXT, + IN in_login TEXT, IN in_request_uid BYTEA, IN in_amount_debit taler_amount, IN in_amount_credit taler_amount, @@ -1068,13 +1070,13 @@ IF out_bad_conversion THEN RETURN; END IF; --- check account exists, if has all info and if 2FA is required +-- Check account exists, has all info and if 2FA is required SELECT bank_account_id, is_taler_exchange, cashout_payto IS NULL, (NOT in_is_tan AND tan_channel IS NOT NULL) INTO account_id, out_account_is_exchange, out_no_cashout_payto, out_tan_required FROM bank_accounts JOIN customers ON bank_accounts.owning_customer_id = customers.customer_id - WHERE login=in_account_username; + WHERE login=in_login; IF NOT FOUND THEN out_account_not_found=TRUE; RETURN; |