Skip to content

fix(permits/store): validate permit exists before setting as active in setActivePermitHash#241

Open
amathxbt wants to merge 2 commits intoFhenixProtocol:masterfrom
amathxbt:fix/validate-active-permit-hash-exists
Open

fix(permits/store): validate permit exists before setting as active in setActivePermitHash#241
amathxbt wants to merge 2 commits intoFhenixProtocol:masterfrom
amathxbt:fix/validate-active-permit-hash-exists

Conversation

@amathxbt
Copy link
Copy Markdown

@amathxbt amathxbt commented May 3, 2026

Summary

setActivePermitHash in packages/sdk/permits/store.ts unconditionally sets the given hash as the active permit for an account without verifying that a permit with that hash actually exists in the store.

Bug

// Before
export const setActivePermitHash = (chainId: number, account: string, hash: string) => {
  _permitStore.setState(produce((state) => {
    if (state.activePermitHash[chainId] == null) state.activePermitHash[chainId] = {};
    state.activePermitHash[chainId][account] = hash;  // ← no existence check!
  }));
};

If a caller passes a non-existent or stale hash, the store ends up in an inconsistent state:

Call Returns
getActivePermitHash(chainId, account) stale hash string (non-null)
getActivePermit(chainId, account) undefined (permit not found)

Code that gates permit generation on getActivePermitHash() != null will never generate a new permit because getActivePermitHash keeps returning the stale value. This silently breaks any UI flow that relies on the active permit hash to detect whether a valid permit exists.

Fix

Throw synchronously if the referenced permit does not exist in the store, making the invalid call surface immediately rather than corrupting state silently.

@amathxbt
fix: validate permit exists before setting it as active in setActiveP…
3b7673a 
…ermitHash

Previously setActivePermitHash would accept any string as the active hash
without verifying that a corresponding permit entry exists in the store.
This caused getActivePermitHash to return a non-null value while
getActivePermit returned undefined, creating inconsistent state that
tricked callers into believing an active permit was configured when none
was available. The fix throws if the referenced permit does not exist.
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 3, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 7d22ae1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 9 packages
Name Type
@cofhe/sdk Patch
@cofhe/abi Patch
@cofhe/hardhat-3-plugin Patch
@cofhe/hardhat-plugin Patch
@cofhe/mock-contracts Patch
@cofhe/react Patch
@cofhe/site Patch
@cofhe/example-react Patch
@cofhe/foundry-plugin Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link
Copy Markdown

vercel Bot commented May 3, 2026

@amathxbt is attempting to deploy a commit to the Fhenix Team on Vercel.

A member of the Team first needs to authorize it.

@amathxbt
Fix permit validation in setActivePermitHash
7d22ae1 
Validate that a permit exists before setting it as active in the setActivePermitHash function.
architect-dev
architect-dev reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@architect-dev architect-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're having trouble with our CI pipeline requiring secrets from within this PR, thats why the Test CI is failing for you. We're investigating if we can fix this issue.

The PR looks good, thanks very much

Comment thread packages/sdk/permits/store.ts
Comment on lines +123 to +126
// Validate the permit exists before marking it as active.
// Setting a stale or non-existent hash causes getActivePermit to silently
// return undefined while getActivePermitHash returns a non-null value,
// misleading callers into thinking an active permit is still configured.
Copy link
Copy Markdown
Collaborator

@architect-dev architect-dev May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove commented annotation

Copy link
Copy Markdown
Author

@amathxbt amathxbt May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove commented annotation

Working on both sides

@amathxbt
Copy link
Copy Markdown
Author

amathxbt commented May 5, 2026

We're having trouble with our CI pipeline requiring secrets from within this PR, thats why the Test CI is failing for you. We're investigating if we can fix this issue.

The PR looks good, thanks very much

Well deserved I love the amazing way your telling feedback to your contributors gonna work on you guys harder thanks again

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@architect-dev architect-dev architect-dev left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amathxbt @architect-dev