From 7ca39103b2c53a387baca78fca0253c73ce3d516 Mon Sep 17 00:00:00 2001
From: Daniel Lugo
Date: Sat, 25 Jul 2020 10:16:18 -0400
Subject: [PATCH] comments/messages
---
 .../gunDB/contact-api/jobs/onAcceptedRequests.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/services/gunDB/contact-api/jobs/onAcceptedRequests.js b/services/gunDB/contact-api/jobs/onAcceptedRequests.js
index dbbd6215..5408b469 100644
--- a/services/gunDB/contact-api/jobs/onAcceptedRequests.js
+++ b/services/gunDB/contact-api/jobs/onAcceptedRequests.js
@@ -51,14 +51,20 @@ const onAcceptedRequests = (user, SEA) => {
 ' this can be due to nulling out an old request (if null) or something else happened (please look at the output)'
 )
 }
+ // get the recipient pub from the stored request to avoid an attacker
+ // overwriting the handshake request in the root graph
 const recipientPub = await SEA.decrypt(storedReq.recipientPub, mySecret)
 if (typeof recipientPub !== 'string') {
- throw new TypeError()
+ throw new TypeError(
+ `Expected storedReq.recipientPub to be an string, instead got: ${recipientPub}`
+ )
 }
+
 if (await Utils.successfulHandshakeAlreadyExists(recipientPub)) {
 return
 }
+
 const requestAddress = await SEA.decrypt(
 storedReq.handshakeAddress,
 mySecret
@@ -101,9 +107,9 @@ const onAcceptedRequests = (user, SEA) => {
 return
 }
- // The response can be decrypted with the same secret regardless of who
- // wrote to it last (see HandshakeRequest definition).
- // This could be our feed ID for the recipient, or the recipient's feed
+ // The response can be decrypted with the same secret regardless
+ // of who wrote to it last (see HandshakeRequest definition). This
+ // could be our feed ID for the recipient, or the recipient's feed
 // id if he accepted the request.
 const feedID = await SEA.decrypt(sentReq.response, ourSecret)
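Review bot: The type guard in the first hunk still accepts an empty string, so a storedReq.recipientPub that decrypts to `''` passes straight into `Utils.successfulHandshakeAlreadyExists(recipientPub)` and the rest of the handshake path; tightening it to `if (typeof recipientPub !== 'string' || recipientPub.length === 0) {` rejects that case at the same spot. The new TypeError message also reads "an string" and interpolates the raw value, which renders as `undefined` or `[object Object]` for exactly the non-string cases it is meant to describe; `Expected storedReq.recipientPub to decrypt to a string, instead got: ${typeof recipientPub}` tells a reader what went wrong without copying whatever was stored into the log line. The second hunk is a comment rewrap only and needs nothing. onAcceptedRequests begins before this hunk and continues past it.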