Skip to content

Dev #175

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
HardlyDifficult merged 7 commits into from
Jun 13, 2025
Merged

Dev #175

HardlyDifficult merged 7 commits into from
Jun 13, 2025

Conversation

@HardlyDifficult
Copy link
Collaborator

@HardlyDifficult HardlyDifficult commented Jun 13, 2025

What?

Please describe what you're trying to accomplish in this PR.

Why?

What problem does this solve? Why is this important? What's the context?

Screenshots (optional)

@HardlyDifficult HardlyDifficult merged commit c9d8ffc into main Jun 13, 2025
3 checks passed
cursor[bot]
cursor bot reviewed Jun 13, 2025
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: OAuth Credentials Logged to Plaintext Files

The logRequestResponse function writes every HTTP request and response to plaintext files (logs/request-*.json). This includes sensitive OAuth credentials: the client_secret from authentication requests and the access_token from authentication responses. This exposes high-privilege secrets on the container filesystem, risking credential leakage and unauthorized service impersonation.

src/chain-operations/canton/lib/client.js#L21-L41

open-captable-protocol/src/chain-operations/canton/lib/client.js

Lines 21 to 41 in 39901b7

async logRequestResponse(url, request, response) {
const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
const logFile = path.join(this.logDir, `request-${timestamp}.json`);
const logData = {
timestamp,
url,
request,
response
};
fs.writeFileSync(logFile, JSON.stringify(logData, null, 2));
}
async makePostRequest(url, data, headers) {
try {
const response = await this.axiosInstance.post(url, data, { headers });
await this.logRequestResponse(url, data, response.data);
return response.data;
} catch (error) {

Fix in Cursor

Bug: API Method Sends Incorrect Request Type

The getParties() method incorrectly sends a POST request with an empty body to ${ledgerUrl}/parties. The Canton Ledger API requires a GET for listing parties, while POST is used for creating new parties and expects a payload. This misconfiguration causes getParties() to fail, preventing the createParty() method's fallback mechanism from successfully looking up and reusing existing parties when a "Party already exists" error occurs.

src/chain-operations/canton/lib/client.js#L243-L250

open-captable-protocol/src/chain-operations/canton/lib/client.js

Lines 243 to 250 in 39901b7

async getParties() {
const headers = await this.getHeaders();
return await this.makePostRequest(
`${this.config.ledgerUrl}/parties`,
{},
headers
);

Fix in Cursor

Was this report helpful? Give feedback by reacting with 👍 or 👎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@HardlyDifficult @thibauld