From 441d390be651265abbce3a7412769ed49680479f Mon Sep 17 00:00:00 2001 From: Martin Raszyk Date: Sat, 28 Sep 2024 19:44:18 +0200 Subject: [PATCH] feat: allow anonymous requests with invalid ingress_expiry --- spec/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/index.md b/spec/index.md index ee37e789..02c27487 100644 --- a/spec/index.md +++ b/spec/index.md @@ -959,7 +959,7 @@ All requests coming in via the HTTPS interface need to be either *anonymous* or - `nonce` (`blob`, optional): Arbitrary user-provided data of length at most 32 bytes, typically randomly generated. This can be used to create distinct requests with otherwise identical fields. -- `ingress_expiry` (`nat`, required): An upper limit on the validity of the request, expressed in nanoseconds since 1970-01-01 (like [ic0.time()](#system-api-time)). This avoids replay attacks: The IC will not accept requests, or transition requests from status `received` to status `processing`, if their expiry date is in the past. The IC may refuse to accept requests with an ingress expiry date too far in the future. This applies not only to update calls, but all requests alike (and could have been called `request_expiry`). +- `ingress_expiry` (`nat`, required): An upper limit on the validity of the request, expressed in nanoseconds since 1970-01-01 (like [ic0.time()](#system-api-time)). This avoids replay attacks: The IC will not accept requests, or transition requests from status `received` to status `processing`, if their expiry date is in the past. The IC may refuse to accept requests with an ingress expiry date too far in the future. This applies not only to update calls, but all requests alike except for anonymous `read_state` requests (and could have been called `request_expiry`). - `sender` (`Principal`, required): The user who issued the request. 
@@ -6344,7 +6344,7 @@ Conditions E.content = ReadState RS TS = verify_envelope(E, RS.sender, S.system_time) |E.content.nonce| <= 32 -S.system_time <= RS.ingress_expiry +S.system_time <= RS.ingress_expiry or RS.sender = anonymous_id ∀ path ∈ RS.paths. may_read_path_for_canister(S, R.sender, path) ∀ (["request_status", Rid] · _) ∈ RS.paths. ∀ R ∈ dom(S.requests). hash_of_map(R) = Rid => R.canister_id ∈ TS
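Review bot: In the first hunk (spec/index.md, `@@ -959`) the exception is attached to the wrong sentence of the `ingress_expiry` bullet. It is added to "This applies not only to update calls, but all requests alike", while the rule it actually relaxes is the earlier "The IC will not accept requests, or transition requests from status `received` to status `processing`, if their expiry date is in the past", which the hunk leaves unconditional, so the bullet now contradicts itself for anonymous `read_state` requests. Suggest stating the exception next to the rule it modifies and saying precisely which part of the check is lifted, e.g. "For anonymous `read_state` requests the IC does not reject the request because its expiry date is in the past", and leaving the `required` annotation and the "too far in the future" sentence untouched, since the formal rule in the second hunk only drops the `S.system_time <= RS.ingress_expiry` lower bound. Because the bullet motivates the field with replay attacks, one sentence on why relaxing that protection is acceptable here (presumably because `read_state` does not change state) would help readers of the spec.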
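Review bot: The commit subject says "allow anonymous requests with invalid ingress_expiry", but the second hunk (`@@ -6344`) only adds the disjunct `RS.sender = anonymous_id` to the ReadState rule, so the change is limited to anonymous `read_state` requests; either narrow the subject to match, or apply the same relaxation to the other request types if that is the intent. Also worth confirming that `verify_envelope(E, RS.sender, S.system_time)` on the preceding line does not enforce `ingress_expiry` on its own, otherwise the new `or RS.sender = anonymous_id` branch is unreachable for expired anonymous requests and the rule does not do what the subject claims. Adjacent and unrelated to this change: `may_read_path_for_canister(S, R.sender, path)` refers to `R.sender` although `R` is only bound in the quantifier on the following line; it presumably should read `RS.sender`.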