add auth for getters, instead of using msg.sender #767
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| function _checkUserAuthorization(userAuth calldata _userAuth) internal view{ | ||
| bytes memory prefix = "\x19Ethereum Signed Message:\n32"; | ||
| bytes32 message = keccak256( | ||
| abi.encodePacked(prefix, | ||
| keccak256( | ||
| abi.encodePacked( | ||
| _userAuth.userAddress, | ||
| _userAuth.validUntil | ||
| ) | ||
| ) | ||
| ) | ||
| ); | ||
| address signer = ecrecover(message, _userAuth.v, _userAuth.r, _userAuth.s); | ||
| require(signer == _userAuth.userAddress, "Invalid auth"); | ||
| require(_userAuth.validUntil > block.timestamp,'Expired'); | ||
| } |
Check notice
Code scanning / Slither
Block timestamp Low
| @@ -968,14 +977,16 @@ | |||
|
|
|||
| function getPrediction( | |||
| uint256 blocknum, | |||
| address predictoor | |||
| address predictoor, | |||
| userAuth calldata _userAuth | |||
Check warning
Code scanning / Slither
Conformance to Solidity naming conventions Warning
| struct userAuth{ | ||
| address userAddress; | ||
| uint8 v; // v of provider signed message | ||
| bytes32 r; // r of provider signed message | ||
| bytes32 s; // s of provider signed message | ||
| uint256 validUntil; | ||
| } |
Check warning
Code scanning / Slither
Conformance to Solidity naming conventions Warning
| function getAggPredval( | ||
| uint256 blocknum | ||
| uint256 blocknum, | ||
| userAuth calldata _userAuth |
Check warning
Code scanning / Slither
Conformance to Solidity naming conventions Warning
There was a problem hiding this comment.
lgtm! Great that the user is able to query all predictoor contracts using the same signature. At first I thought about adding the contract address into the signature but that's not necessary, we're already checking if the user has a valid subscription + current implementation makes things simpler on the frontend side. 🙌
Changes proposed in this PR: