Skip to content

feat: validate incoming CredentialMessage types and formats #631

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
paullatzelsperger merged 1 commit into from
Feb 27, 2025
Merged

feat: validate incoming CredentialMessage types and formats #631

paullatzelsperger merged 1 commit into from
Feb 27, 2025

Conversation

@paullatzelsperger
Copy link
Member

@paullatzelsperger paullatzelsperger commented Feb 27, 2025
edited
Loading

What this PR changes/adds

this PR adds validation for the credential types and serialization formats of an incoming CredentialMessage.

Sending credentials, where the type(s) or serialization formats do not correspond to a previously made HolderCredentialRequest is not allowed and will result in a HTTP 403 Unauthorized.

Why it does that

prevent malicious issuers

Further notes

  • this is another thing that the CredentialWriter is doing. at some point we might consider splitting it up (which would require another aggregate service), or at least renaming it.
  • added some @DisplayNames to the Storage API e2e test

Who will sponsor this feature?

Please @-mention the committer that will sponsor your feature.

Linked Issue(s)

Closes #581

Please be sure to take a look at the contributing guidelines and our etiquette for pull requests.

@paullatzelsperger paullatzelsperger added enhancement New feature or request dcp api labels Feb 27, 2025
@paullatzelsperger paullatzelsperger merged commit d30d4ad into eclipse-edc:main Feb 27, 2025
21 checks passed
@paullatzelsperger paullatzelsperger deleted the feat/storageapi_request_validation branch February 27, 2025 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wolf4ood wolf4ood wolf4ood approved these changes

@jimmarino jimmarino Awaiting requested review from jimmarino

Assignees

No one assigned

Labels

api dcp enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Storage API: implement request validation

2 participants

@paullatzelsperger @wolf4ood