wallet: check account ownership of name before making cancel TX

Author: pinheadmz

lib/wallet/wallet.js

@@ -2768,15 +2768,21 @@ class Wallet extends EventEmitter {
    * Make a transfer-cancelling MTX.
    * @private
    * @param {String} name
+   * @param {String|Number} acct
    * @returns {MTX}
    */
 
-  async makeCancel(name) {
+  async makeCancel(name, acct) {
     assert(typeof name === 'string');
 
     if (!rules.verifyName(name))
       throw new Error('Invalid name.');
 
+    if (acct != null) {
+      assert((acct >>> 0) === acct || typeof acct === 'string');
+      acct = await this.getAccountIndex(acct);
+    }
+
     const rawName = Buffer.from(name, 'ascii');
     const nameHash = rules.hashName(rawName);
     const ns = await this.getNameState(nameHash);
@@ -2799,6 +2805,9 @@ class Wallet extends EventEmitter {
     if (coin.height < ns.height)
       throw new Error(`Wallet does not own: "${name}".`);
 
+    if (acct != null && !await this.txdb.hasCoinByAccount(acct, hash, index))
+      throw new Error(`Account does not own: "${name}".`);
+
     const state = ns.state(height, network);
 
     if (state !== states.CLOSED)
@@ -2831,7 +2840,8 @@ class Wallet extends EventEmitter {
    */
 
   async _createCancel(name, options) {
-    const mtx = await this.makeCancel(name);
+    const acct = options ? options.account : null;
+    const mtx = await this.makeCancel(name, acct);
     await this.fill(mtx, options);
     return this.finalize(mtx, options);
   }

test/wallet-accounts-auction-test.js

@@ -333,4 +333,37 @@ describe('Multiple accounts participating in same auction', function() {
       assert.strictEqual(node.mempool.map.size, 0);
     });
   });
+
+  describe('CANCEL', function() {
+    it('should reject CANCEL from wrong account', async () => {
+      await assert.rejects(async () => {
+        await wallet.sendCancel(name, {account: 'bob'});
+      }, {
+        name: 'Error',
+        message: `Account does not own: "${name}".`
+      });
+    });
+
+    it('should send CANCEL from correct account', async () => {
+      const tx = await wallet.sendCancel(name, {account: 0});
+      assert(tx);
+
+      await wallet.abandon(tx.hash());
+
+      assert.strictEqual(node.mempool.map.size, 1);
+      await node.mempool.reset();
+      assert.strictEqual(node.mempool.map.size, 0);
+    });
+
+    it('should send CANCEL from correct account automatically', async () => {
+      const tx = await wallet.sendCancel(name);
+      assert(tx);
+
+      await wallet.abandon(tx.hash());
+
+      assert.strictEqual(node.mempool.map.size, 1);
+      await node.mempool.reset();
+      assert.strictEqual(node.mempool.map.size, 0);
+    });
+  });
 });