Fix mint claim ownership logic

gitpoap · Jun 26, 2024 · b003cf8 · b003cf8
1 parent dc6a0b4
commit b003cf8
Show file tree

Hide file tree

Showing 3 changed files with 12,449 additions and 9,027 deletions.
diff --git a/package.json b/package.json
@@ -72,10 +72,10 @@
     "eslint-plugin-jest": "^27.1.3",
     "eslint-plugin-prettier": "^4.2.1",
     "graphql-request": "^4.3.0",
-    "husky": ">=6",
+    "husky": "^6",
     "jest": "^28.1.1",
     "jest-mock-extended": "^2.0.6",
-    "lint-staged": ">=10",
+    "lint-staged": "^10",
     "prettier": "^2.3.2",
     "prisma-dbml-generator": "^0.9.1",
     "supertest": "^6.2.4",
@@ -88,7 +88,7 @@
     "@aws-sdk/client-s3": "^3.142.0",
     "@aws-sdk/credential-provider-ini": "^3.142.0",
     "@mailchimp/mailchimp_marketing": "^3.0.75",
-    "@prisma/client": "~4.7.1",
+    "@prisma/client": "~4.10.0",
     "@sentry/node": "^7.14.0",
     "@sentry/tracing": "^7.14.0",
     "badgen": "^3.2.2",
@@ -114,7 +114,7 @@
     "multer": "^1.4.4",
     "octokit": "^2.0.10",
     "postmark": "^3.0.12",
-    "prisma": "~4.7.1",
+    "prisma": "~4.10.0",
     "prom-client": "^14.0.1",
     "redis": "^4.0.4",
     "reflect-metadata": "^0.1.13",

diff --git a/src/routes/claims.ts b/src/routes/claims.ts
@@ -1,33 +1,34 @@
-import {
-  ClaimGitPOAPSchema,
-  CreateGitPOAPClaimsSchema,
-  CreateGitPOAPBotClaimsSchema,
-} from '../schemas/claims';
-import { Router, Request } from 'express';
-import { context } from '../context';
 import { ClaimStatus, GitPOAPStatus, GitPOAPType } from '@prisma/client';
-import { gitpoapBotAuth, jwtWithAddress, jwtWithStaffAccess } from '../middleware/auth';
-import { redeemPOAP } from '../external/poap';
+import { Request, Router } from 'express';
+import { DateTime } from 'luxon';
+import { z } from 'zod';
+import { context } from '../context';
 import { getGithubUserByIdAsApp } from '../external/github';
-import { backloadGithubPullRequestData } from '../lib/pullRequests';
-import { upsertGithubUser } from '../lib/githubUsers';
+import { redeemPOAP } from '../external/poap';
+import { shortenAddress } from '../lib/addresses';
+import { BotCreateClaimsErrorType, createClaimsForIssue, createClaimsForPR } from '../lib/bot';
 import {
+  ensureRedeemCodeThreshold,
   retrieveClaimsCreatedByMention,
   retrieveClaimsCreatedByPR,
+  runClaimsPostProcessing,
   updateClaimStatusById,
 } from '../lib/claims';
-import { checkIfClaimTransferred } from '../lib/transfers';
-import { z } from 'zod';
-import { BotCreateClaimsErrorType, createClaimsForPR, createClaimsForIssue } from '../lib/bot';
+import { chooseUnusedRedeemCode, deleteRedeemCode, upsertRedeemCode } from '../lib/codes';
 import { RestrictedContribution } from '../lib/contributions';
+import { upsertGithubUser } from '../lib/githubUsers';
+import { backloadGithubPullRequestData } from '../lib/pullRequests';
 import { isAddressAStaffMember } from '../lib/staff';
+import { checkIfClaimTransferred } from '../lib/transfers';
+import { gitpoapBotAuth, jwtWithAddress, jwtWithStaffAccess } from '../middleware/auth';
+import { getRequestLogger } from '../middleware/loggingAndTiming';
+import {
+  ClaimGitPOAPSchema,
+  CreateGitPOAPBotClaimsSchema,
+  CreateGitPOAPClaimsSchema,
+} from '../schemas/claims';
 import { getAccessTokenPayloadWithAddress } from '../types/authTokens';
-import { ensureRedeemCodeThreshold, runClaimsPostProcessing } from '../lib/claims';
 import { ClaimData, FoundClaim } from '../types/claims';
-import { getRequestLogger } from '../middleware/loggingAndTiming';
-import { shortenAddress } from '../lib/addresses';
-import { chooseUnusedRedeemCode, deleteRedeemCode, upsertRedeemCode } from '../lib/codes';
-import { DateTime } from 'luxon';
 
 export const claimsRouter = Router();
 
@@ -42,6 +43,9 @@ claimsRouter.post('/', jwtWithAddress(), async function (req, res) {
     return res.status(400).send({ issues: schemaResult.error.issues });
   }
 
+  console.log('mint attempt');
+  console.log(req.user);
+
   const { address, email, github } = getAccessTokenPayloadWithAddress(req.user);
   const { claimIds } = schemaResult.data;
 
@@ -95,17 +99,40 @@ claimsRouter.post('/', jwtWithAddress(), async function (req, res) {
       continue;
     }
 
-    // Check that the user owns the claim
-    if (
-      github &&
-      claim.githubUser?.githubId !== github.githubId &&
-      claim.issuedAddressId !== address.id &&
-      email &&
-      claim.emailId !== email.id
-    ) {
+    // Check that the user is minting a GitPOAP that belongs to them
+    if (claim.githubUser?.githubId && github) {
+      // GitPOAP is issued to a github user, let's verify that it is the correct one
+      if (claim.githubUser?.githubId !== github.githubId) {
+        invalidClaims.push({
+          claimId,
+          reason: `User doesn't own github-based claim`,
+        });
+        continue;
+      }
+    } else if (claim.emailId && email) {
+      // GitPOAP is issued to an email user, let's verify that it is the correct one
+      if (claim.emailId !== email.id) {
+        invalidClaims.push({
+          claimId,
+          reason: `User doesn't own email-based claim`,
+        });
+        continue;
+      }
+    } else if (claim.issuedAddressId && address) {
+      // GitPOAP is issued to an address, let's verify that it is the correct one
+      if (claim.issuedAddressId !== address.id) {
+        invalidClaims.push({
+          claimId,
+          reason: `User doesn't own address-based claim`,
+        });
+        continue;
+      }
+    } else {
+      // Mark invalid because not issued to anyone
+      // This shouldn't happen
       invalidClaims.push({
         claimId,
-        reason: "User doesn't own Claim",
+        reason: `Mismatch of claim ownership`,
       });
       continue;
     }