Merge pull request #125 from OdyseeTeam/validate-requester-channel

validate requestor channel signature for protected comments
OdyseeTeam · Sep 19, 2022 · b4b755c · b4b755c
2 parents c91d521 + bc40447
commit b4b755c
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/server/services/v1/comments/create.go b/server/services/v1/comments/create.go
@@ -187,7 +187,7 @@ func checkAllowedAndValidate(args *commentapi.CreateArgs) error {
 			return err
 		}
 		if !hasAccess {
-			return errors.Err("channel does not have permissions to comment on this claim")
+			return api.StatusError{Err: errors.Err("channel does not have permissions to comment on this claim"), Status: http.StatusForbidden}
 		}
 	}
 

diff --git a/server/services/v1/comments/list.go b/server/services/v1/comments/list.go
@@ -37,15 +37,15 @@ func list(_ *http.Request, args *commentapi.ListArgs, reply *commentapi.ListResp
 			return err
 		}
 		if actualIsProtected != args.IsProtected {
-			return errors.Err("mismatch in is_protected")
+			return api.StatusError{Err: errors.Err("mismatch in is_protected"), Status: http.StatusBadRequest}
 		}
 	} else {
 		if args.RequestorChannelID == nil {
-			return errors.Err("requestor channel id is required to list own comments")
+			return api.StatusError{Err: errors.Err("requestor channel id is required to list own comments"), Status: http.StatusBadRequest}
 		}
 		ownerChannel, err := helper.FindOrCreateChannel(*args.RequestorChannelID, args.RequestorChannelName)
 		if err != nil {
-			return errors.Err(err)
+			return err
 		}
 		err = lbry.ValidateSignatureAndTS(ownerChannel.ClaimID, args.Signature, args.SigningTS, args.RequestorChannelName)
 		if err != nil {
@@ -157,15 +157,27 @@ func getCachedList(r *http.Request, args *commentapi.ListArgs, reply *commentapi
 	listingOwnComments := args.AuthorClaimID != nil
 
 	if args.IsProtected && args.RequestorChannelID == nil {
-		return errors.Err("requestor channel id is required to list protected comments")
+		return api.StatusError{Err: errors.Err("requestor channel id is required to list protected comments"), Status: http.StatusBadRequest}
 	}
 	if args.IsProtected && args.ClaimID != nil && args.RequestorChannelID != nil {
 		hasAccess, err := HasAccessToProtectedContent(*args.ClaimID, *args.RequestorChannelID)
 		if err != nil {
 			return err
 		}
 		if !hasAccess {
-			return errors.Err("channel does not have permissions to comment on this claim")
+			return api.StatusError{Err: errors.Err("channel does not have permissions to comment on this claim"), Status: http.StatusForbidden}
+		}
+		commenterChannel, err := helper.FindOrCreateChannel(*args.RequestorChannelID, args.RequestorChannelName)
+		if err != nil {
+			return err
+		}
+
+		err = lbry.ValidateSignatureAndTS(commenterChannel.ClaimID, args.Signature, args.SigningTS, args.RequestorChannelName)
+		if err != nil {
+			return err
+		}
+		if commenterChannel.ClaimID != *args.RequestorChannelID {
+			return api.StatusError{Err: errors.Err("channel mismatch, someone trying to spoof"), Status: http.StatusForbidden}
 		}
 	}