In the Connection protocol, we confirm that we haven't been spoofed into joining the wrong team: Once we've joined and gotten the full team history, we look for an invitation matching the secret invitation code we were given.
```ts
joinedTheRightTeam: (context, event) => {
  // Make sure my invitation exists on the signature chain of the team I'm about to join.
  // This check prevents an attack in which a fake team pretends to accept my invitation.
  const { payload } = event as AcceptInvitationMessage
  const { serializedGraph, teamKeyring } = payload
  const state = getTeamState(serializedGraph, teamKeyring)
  const { id } = this.myProofOfInvitation(context)
  return select.hasInvitation(state, id)
},
```
This looks right but there are currently no tests covering this scenario.
auth/packages/auth/src/connection/Connection.ts
Lines 605 to 613 in 34c4059
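A self-contained model of the scenario a test would need to cover, added here as an example and not code from the repository. The link shapes, `deriveInvitationId`, `reduceTeamState` and the sample seeds are assumptions standing in for the library's signed graph, `getTeamState` and `select.hasInvitation`.

```typescript
import { createHash } from 'node:crypto'

// Hypothetical, simplified link shapes (the real graph is signed and encrypted).
type Link =
  | { type: 'INVITE'; invitationId: string }
  | { type: 'ADMIT'; invitationId: string; userName: string }
type TeamState = { invitations: Map<string, { used: boolean }> }

// Assumption: the public invitation id is a one-way function of the secret seed.
const deriveInvitationId = (seed: string): string =>
  createHash('sha256').update(`invitation-id:${seed}`).digest('hex').slice(0, 16)

// Stand-in for getTeamState: replay the received links into a state object.
const reduceTeamState = (links: Link[]): TeamState => {
  const state: TeamState = { invitations: new Map() }
  for (const link of links) {
    if (link.type === 'INVITE') {
      state.invitations.set(link.invitationId, { used: false })
    } else {
      // An ADMIT link never creates an invitation; it only consumes an existing one.
      const invitation = state.invitations.get(link.invitationId)
      if (invitation) invitation.used = true
    }
  }
  return state
}

// The joiner's check: the history I was handed must contain my invitation.
const joinedTheRightTeam = (mySeed: string, receivedLinks: Link[]): boolean =>
  reduceTeamState(receivedLinks).invitations.has(deriveInvitationId(mySeed))

// Constructed sample data.
const mySeed = 'seed-shared-with-bob-out-of-band'
const myId = deriveInvitationId(mySeed)

// The team that actually invited me recorded the invitation before admitting me.
const realTeamGraph: Link[] = [
  { type: 'INVITE', invitationId: myId },
  { type: 'ADMIT', invitationId: myId, userName: 'bob' },
]

// A fake team claims to admit me, but its history holds no matching invitation.
const fakeTeamGraph: Link[] = [
  { type: 'INVITE', invitationId: deriveInvitationId('some-other-seed') },
  { type: 'ADMIT', invitationId: myId, userName: 'bob' },
]

console.log(joinedTheRightTeam(mySeed, realTeamGraph), joinedTheRightTeam(mySeed, fakeTeamGraph))
```
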