SEP-45: Handle `require_auth` in `__check_auth`

Open philipliu opened this issue 11 months ago • 2 comments

A recording simulation will not generate authorization entries required by a client contract's `__check_auth` implementation if it has nested `require_auth`s. However, the client must provide these entries in the token request for the enforcing simulation to succeed. These entries do not follow the same format as the auth entries generated by the recording simulation and cannot be verified by the server when receiving a token request.

An example of such an auth entry looks like:

```json
{
  "credentials": {
    "address": {
      "address": "GB36W6FIDEPLAH2XNM3CKJR4QRCKWVIKQANKOGWJN6NC6J3X5SVMUCPR",
      "nonce": 5990244105667177314,
      "signature_expiration_ledger": 1070813,
      "signature": {
        "vec": [
          {
            "map": [
              {
                "key": {
                  "symbol": "public_key"
                },
                "val": {
                  "bytes": "77eb78a8191eb01f576b3625263c8444ab550a801aa71ac96f9a2f2777ecaaca"
                }
              },
              {
                "key": {
                  "symbol": "signature"
                },
                "val": {
                  "bytes": "5a4147e292b3019fceb86833948642865bdb12ec71e0cf24f3238090461f6f73c2896a132b089a3c642b0b46f1500fa28cffdc4831a73e4cde52e557b9ba9c06"
                }
              }
            ]
          }
        ]
      }
    }
  },
  "root_invocation": {
    "function": {
      "contract_fn": {
        "contract_address": "CAASCQKVVBSLREPEUGPOTQZ4BC2NDBY2MW7B2LGIGFUPIY4Z3XUZRVTX",
        "function_name": "__check_auth",
        "args": [
          {
            "bytes": "ad31a086eeb53572dd5ac8c06f272c3dd86eb556ee765b9ad1c75b7691c1e6e6"
          }
        ]
      }
    },
    "sub_invocations": []
  }
}
```

GB36W6FIDEPLAH2XNM3CKJR4QRCKWVIKQANKOGWJN6NC6J3X5SVMUCPR auth is required for a client contract CAASCQKVVBSLREPEUGPOTQZ4BC2NDBY2MW7B2LGIGFUPIY4Z3XUZRVTX's __check_auth.

This PR relaxes the authorization entry verification performed by the server so that arbitrary authorization entries can be included in the token request.

philipliu avatar Feb 10 '25 20:02 philipliu
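
The difference in entry shape described in the PR description above, as an added example that is not code from the PR or from any Stellar project: a server-side helper that groups the auth entries of a token request by what their root invocation targets, so nested `__check_auth` entries are recognised by shape and anything else is surfaced. The entry layout is taken from the JSON above; `classify_entries`, `make_entry`, the placeholder web auth contract ID and the sample function names are assumptions made for illustration.

```python
# Added example: group the auth entries of a token request by root invocation.
# Entry layout follows the JSON shown above; all other names are assumptions.

CLIENT_CONTRACT = "CAASCQKVVBSLREPEUGPOTQZ4BC2NDBY2MW7B2LGIGFUPIY4Z3XUZRVTX"  # from the page
SIGNER = "GB36W6FIDEPLAH2XNM3CKJR4QRCKWVIKQANKOGWJN6NC6J3X5SVMUCPR"  # from the page
WEB_AUTH_CONTRACT = "C-WEB-AUTH-PLACEHOLDER"  # placeholder, not a real contract ID


def make_entry(signer, contract, function_name, sub_invocations=()):
    """Build a constructed entry with the layout of the example (signature omitted)."""
    return {
        "credentials": {"address": {"address": signer}},
        "root_invocation": {
            "function": {"contract_fn": {"contract_address": contract,
                                         "function_name": function_name,
                                         "args": []}},
            "sub_invocations": list(sub_invocations),
        },
    }


def classify_entries(entries, web_auth_contract, client_contract):
    """Group the signer of each entry by what its root invocation targets."""
    groups = {"web_auth": [], "nested_check_auth": [], "unexpected": []}
    for entry in entries:
        root = entry["root_invocation"]
        fn = root["function"].get("contract_fn")
        # Entries without address credentials are reported, not crashed on.
        signer = entry["credentials"].get("address", {}).get("address", "<no address>")
        if fn is None:
            groups["unexpected"].append(signer)
        elif fn["contract_address"] == web_auth_contract:
            groups["web_auth"].append(signer)
        elif (fn["contract_address"] == client_contract
              and fn["function_name"] == "__check_auth"
              and not root["sub_invocations"]):
            groups["nested_check_auth"].append(signer)
        else:
            groups["unexpected"].append(signer)
    return groups


SAMPLE_ENTRIES = [  # constructed sample input
    make_entry(CLIENT_CONTRACT, WEB_AUTH_CONTRACT, "placeholder_fn"),
    make_entry(SIGNER, CLIENT_CONTRACT, "__check_auth"),
    make_entry(SIGNER, CLIENT_CONTRACT, "transfer"),
]

if __name__ == "__main__":
    print(classify_entries(SAMPLE_ENTRIES, WEB_AUTH_CONTRACT, CLIENT_CONTRACT))
```

Grouping by shape says nothing about whether an entry's signature is valid; in the flow described above that is still left to the enforcing simulation.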

This pull request is stale because it has been open for 30 days with no activity. It will be closed in 30 days unless the stale label is removed.

github-actions[bot] avatar Mar 13 '25 18:03 github-actions[bot]

I apologise, I got mixed up between this PR and #1639 and clicked "Update" on this PR that merged main into it. Feel free to rewrite the PR's history to remove it.

leighmcculloch avatar Mar 13 '25 21:03 leighmcculloch

Was this PR waiting on a review?

leighmcculloch avatar Oct 06 '25 10:10 leighmcculloch

@leighmcculloch We can close this for now. This will need to be updated post CAP-71 anyway so I'll just create a new PR then.

philipliu avatar Oct 08 '25 16:10 philipliu