add auth for getters, instead of using msg.sender #767
function _checkUserAuthorization(userAuth calldata _userAuth) internal view{ | ||
bytes memory prefix = "\x19Ethereum Signed Message:\n32"; | ||
bytes32 message = keccak256( | ||
abi.encodePacked(prefix, | ||
keccak256( | ||
abi.encodePacked( | ||
_userAuth.userAddress, | ||
_userAuth.validUntil | ||
) | ||
) | ||
) | ||
); | ||
address signer = ecrecover(message, _userAuth.v, _userAuth.r, _userAuth.s); | ||
require(signer == _userAuth.userAddress, "Invalid auth"); | ||
require(_userAuth.validUntil > block.timestamp,'Expired'); | ||
} |
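Review bot: In `_checkUserAuthorization`, `ecrecover` returns `address(0)` when recovery fails, so a struct with `userAddress` set to the zero address and arbitrary `v`/`r`/`s` passes the `signer == _userAuth.userAddress` check. Whether that grants anything depends on the subscription check in the callers, which is not visible here, but the helper should reject it itself with `require(signer != address(0), "Invalid auth");` before the comparison. The signed struct also works as a bearer credential for whoever holds it until `validUntil`, and nothing in this helper bounds how far ahead that may be set or allows revoking it. Consider capping the lifetime, or at least documenting the expected one in a comment above the function.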
Check notice
Code scanning / Slither
Block timestamp Low
Dangerous comparisons:
- require(bool,string)(_userAuth.validUntil > block.timestamp,Expired)
@@ -968,14 +977,16 @@ | |||
|
|||
function getPrediction( | |||
uint256 blocknum, | |||
address predictoor | |||
address predictoor, | |||
userAuth calldata _userAuth |
Check warning
Code scanning / Slither
Conformance to Solidity naming conventions Warning
struct userAuth{ | ||
address userAddress; | ||
uint8 v; // v of provider signed message | ||
bytes32 r; // r of provider signed message | ||
bytes32 s; // s of provider signed message | ||
uint256 validUntil; | ||
} |
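Review bot: The comments on `v`, `r` and `s` in `userAuth` say "provider signed message", but `_checkUserAuthorization` requires the recovered signer to equal `userAddress`, so the signature is the user's own. A reader auditing who is trusted to sign would be misled. I would reword them along the lines of `// v of the signature made by userAddress over (userAddress, validUntil)`. I would also add `// unix time in seconds, compared against block.timestamp` on `validUntil`, so clients do not pass milliseconds and end up with an effectively non-expiring credential.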
Check warning
Code scanning / Slither
Conformance to Solidity naming conventions Warning
function getAggPredval( | ||
uint256 blocknum | ||
uint256 blocknum, | ||
userAuth calldata _userAuth |
Check warning
Code scanning / Slither
Conformance to Solidity naming conventions Warning
lgtm! Great that the user is able to query all predictoor contracts using the same signature. At first I thought about adding the contract address into the signature but that's not necessary, we're already checking if the user has a valid subscription + current implementation makes things simpler on the frontend side. 🙌
Changes proposed in this PR: