rust-payjoin icon indicating copy to clipboard operation
rust-payjoin copied to clipboard

Published 20 hours ago verified publisher icon payjoin

Verify v2 client requesting directory hosted with intermediate path elements sets subdirectory ID correctly

Open nothingmuch opened this issue 1 year ago • 2 comments

If the directory is deployed behind e.g. a reverse proxy and requests are rewritten exposing the public URI with a path, the current behavior of the pj_url derivation is to replace the path in its entirety.

In some places in the code .join is used, appending the subdirectory ID but the sender uses set_path as well.

nothingmuch avatar Nov 28 '24 01:11 nothingmuch

Fixed by #448

DanGould avatar Dec 29 '24 17:12 DanGould

Because of our tangled arch this was difficult to verify even though it was probably resolved. Leaving this open until we have a proper test that a directory hosted with additional path elements beyond the host is verified as functional in the v2 flow.

DanGould avatar Dec 29 '24 19:12 DanGould

cc @nothingmuch please provide closing rationale

arminsabouri avatar Sep 15 '25 17:09 arminsabouri

This issue is no longer relevant because since RFC 9540 support the directory's gateway must be /.well-known/ohttp-gateway and it doesn't make much sense to allow the directory target resource to have additional path components.

nothingmuch avatar Sep 15 '25 17:09 nothingmuch