From ea46601ea38c310f2101c9bad65c17afd41f382c Mon Sep 17 00:00:00 2001
From: reinkrul
Date: Mon, 11 Dec 2023 11:46:10 +0100
Subject: [PATCH] Auth: create session and validate signatures perform the same checks (#2664)
---
 auth/api/auth/v1/api.go | 1 +
 auth/services/selfsigned/signer.go | 19 +++++-----
 auth/services/selfsigned/signer_test.go | 46 +++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 10 deletions(-)
diff --git a/auth/api/auth/v1/api.go b/auth/api/auth/v1/api.go
index 1d7acb9105..bf5e27611c 100644
--- a/auth/api/auth/v1/api.go
+++ b/auth/api/auth/v1/api.go
@@ -124,6 +124,7 @@ func (w Wrapper) VerifySignature(_ context.Context, request VerifySignatureReque
 vpType := validationResult.VPType()
 response.VpType = &vpType
 } else {
+ log.Logger().Warnf("Signature verification failed, reason: %s", validationResult.Reason())
 response.Validity = false
 }
 return VerifySignature200JSONResponse(response), nil
diff --git a/auth/services/selfsigned/signer.go b/auth/services/selfsigned/signer.go
index 8d80ab1e73..550f163fff 100644
--- a/auth/services/selfsigned/signer.go
+++ b/auth/services/selfsigned/signer.go
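Review bot: The new Warnf in the else branch fires for every verification that the caller's input fails, which, as far as this hunk shows, is the ordinary outcome for a malformed or forged signature rather than a server-side fault, so a busy endpoint can fill the log with warnings nobody acts on. Consider the info level, `log.Logger().Infof("Signature verification failed, reason: %s", validationResult.Reason())`, unless operators are meant to react per event, and confirm that Reason() does not echo raw request content into the log line. The response still withholds the reason from the client, which is the right side to keep quiet. VerifySignature's body begins before the hunk.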
@@ -226,20 +226,19 @@ func checkSessionParams(params map[string]interface{}) error {
 if !ok {
 return fmt.Errorf("employee should be an object")
 }
- _, ok = employeeMap["identifier"]
- if !ok {
- return fmt.Errorf("missing employee identifier")
+ identifier, _ := employeeMap["identifier"].(string)
+ if len(identifier) == 0 {
+ return fmt.Errorf("missing/invalid employee identifier")
 }
- _, ok = employeeMap["initials"]
- if !ok {
- return fmt.Errorf("missing employee initials")
+ initials, _ := employeeMap["initials"].(string)
+ if len(initials) == 0 {
+ return fmt.Errorf("missing/invalid employee initials")
 }
- _, ok = employeeMap["familyName"]
- if !ok {
- return fmt.Errorf("missing employee familyName")
+ familyName, _ := employeeMap["familyName"].(string)
+ if len(familyName) == 0 {
+ return fmt.Errorf("missing/invalid employee familyName")
 }
 return nil
-
 }
 func (v *signer) Routes(router core.EchoRouter) {
diff --git a/auth/services/selfsigned/signer_test.go b/auth/services/selfsigned/signer_test.go
index 1b205e15cc..919b93971e 100644
--- a/auth/services/selfsigned/signer_test.go
+++ b/auth/services/selfsigned/signer_test.go
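Review bot: The three stanzas added to checkSessionParams differ only in the key name, and the new messages are already parameterisable, so a loop over `[]string{"identifier", "initials", "familyName"}` producing `fmt.Errorf("missing/invalid employee %s", key)` yields byte-identical errors with a third of the code and makes it harder for a future field to miss the type assertion. The `len(value) == 0` test also accepts a value consisting only of whitespace; if these strings end up rendered into the contract text, trimming with `strings.TrimSpace` before the check may be worth it, though nothing in this hunk shows where they go. checkSessionParams starts before the hunk.
```go
	// … unchanged: employee object check …
	for _, key := range []string{"identifier", "initials", "familyName"} {
		value, _ := employeeMap[key].(string)
		if len(value) == 0 {
			return fmt.Errorf("missing/invalid employee %s", key)
		}
	}
	return nil
```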
@@ -109,6 +109,52 @@ func TestSessionStore_StartSigningSession(t *testing.T) {
 require.Error(t, err)
 })
+
+ t.Run("empty employee familyName", func(t *testing.T) {
+ params := map[string]interface{}{
+ "employer": employer.String(),
+ "employee": map[string]interface{}{
+ "identifier": identifier,
+ "roleName": roleName,
+ "initials": initials,
+ "familyName": "",
+ },
+ }
+
+ ss := NewSigner(nil, "").(*signer)
+ _, err := ss.StartSigningSession(contract.Contract{RawContractText: testContract}, params)
+ require.ErrorContains(t, err, "missing/invalid employee familyName")
+ })
+ t.Run("empty employee initials", func(t *testing.T) {
+ params := map[string]interface{}{
+ "employer": employer.String(),
+ "employee": map[string]interface{}{
+ "identifier": identifier,
+ "roleName": roleName,
+ "initials": "",
+ "familyName": familyName,
+ },
+ }
+
+ ss := NewSigner(nil, "").(*signer)
+ _, err := ss.StartSigningSession(contract.Contract{RawContractText: testContract}, params)
+ require.ErrorContains(t, err, "missing/invalid employee initials")
+ })
+ t.Run("empty employee identifier", func(t *testing.T) {
+ params := map[string]interface{}{
+ "employer": employer.String(),
+ "employee": map[string]interface{}{
+ "identifier": "",
+ "roleName": roleName,
+ "initials": initials,
+ "familyName": familyName,
+ },
+ }
+
+ ss := NewSigner(nil, "").(*signer)
+ _, err := ss.StartSigningSession(contract.Contract{RawContractText: testContract}, params)
+ require.ErrorContains(t, err, "missing/invalid employee identifier")
+ })
 }
 func TestSessionStore_SigningSessionStatus(t *testing.T) {
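Review bot: The three new subtests cover only the empty-string case, while the change they test also introduces a type assertion, so the "invalid" half of the new messages, a non-string value such as `"identifier": 123`, has no test; one more subtest with that input expecting `"missing/invalid employee identifier"` would pin it. The subtests are otherwise identical apart from one key and the expected message, which is the shape of a table-driven test and would shrink the hunk considerably. TestSessionStore_StartSigningSession starts before the hunk.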