webapi.go vulnerability and helpers.go 422 response suggestions

georgeartem

POST /invoice/:foreignID/pay
line 59 adminMux.POST("/account/:foreignID/pay", t.payToAddress) seems to be a pretty serious security vulnerability. You would want to make sure to authenticate a call such as this one.

helpers.go lives in /pkg/webapi online 13 httpCodeForError could use a 422 response in addition to 400 bad request to identify malformed requests in addition to bad ones (BAD JSON vs. NOT JSON)

I am pretty sure this would look something close to string(giga.UnproccessableEntity): 422but have no way of testing it at the moment 😢

tjstebbing

georgeartem Hey George, everything on the adminMux is considered 'admin' and should not be exposed to the internet (which is why it's a separate port to the public API). From gigawallet.dogecoin.org:

It is expected that you are a comfortable with managing server infrastructure and integrating with REST APIs. GigaWallet is a service that must be deployed behind a firewall that protects it's sensitive APIs from the public internet, to which you will integrate your public-facing systems.

Regarding the 422 idea, nice 👍