wallet: check account ownership of name before making cancel TX

pinheadmz · pinheadmz · commit c8ae6b938221 · 2020-03-20T13:39:40.000-04:00
diff --git a/lib/wallet/wallet.js b/lib/wallet/wallet.js
@@ -2767,12 +2767,17 @@ class Wallet extends EventEmitter {
    * @returns {MTX}
    */
 
-  async makeCancel(name) {
+  async makeCancel(name, acct) {
     assert(typeof name === 'string');
 
     if (!rules.verifyName(name))
       throw new Error('Invalid name.');
 
+    if (acct != null) {
+      assert((acct >>> 0) === acct || typeof acct === 'string');
+      acct = await this.getAccountIndex(acct);
+    }
+
     const rawName = Buffer.from(name, 'ascii');
     const nameHash = rules.hashName(rawName);
     const ns = await this.getNameState(nameHash);
@@ -2795,6 +2800,9 @@ class Wallet extends EventEmitter {
     if (coin.height < ns.height)
       throw new Error(`Wallet does not own: "${name}".`);
 
+    if (acct != null && !await this.txdb.hasCoinByAccount(acct, hash, index))
+      throw new Error(`Account does not own: "${name}".`);
+
     const state = ns.state(height, network);
 
     if (state !== states.CLOSED)
@@ -2827,7 +2835,8 @@ class Wallet extends EventEmitter {
    */
 
   async _createCancel(name, options) {
-    const mtx = await this.makeCancel(name);
+    const acct = options ? options.account : null;
+    const mtx = await this.makeCancel(name, acct);
     await this.fill(mtx, options);
     return this.finalize(mtx, options);
   }
diff --git a/test/wallet-accounts-auction-test.js b/test/wallet-accounts-auction-test.js
@@ -333,4 +333,37 @@ describe('Multiple accounts participating in same auction', function() {
       assert.strictEqual(node.mempool.map.size, 0);
     });
   });
+
+  describe('CANCEL', function() {
+    it('should reject CANCEL from wrong account', async () => {
+      await assert.rejects(async () => {
+        await wallet.sendCancel(name, {account: 'bob'});
+      }, {
+        name: 'Error',
+        message: `Account does not own: "${name}".`
+      });
+    });
+
+    it('should send CANCEL from correct account', async () => {
+      const tx = await wallet.sendCancel(name, {account: 0});
+      assert(tx);
+
+      await wallet.abandon(tx.hash());
+
+      assert.strictEqual(node.mempool.map.size, 1);
+      await node.mempool.reset();
+      assert.strictEqual(node.mempool.map.size, 0);
+    });
+
+    it('should send CANCEL from correct account automatically', async () => {
+      const tx = await wallet.sendCancel(name);
+      assert(tx);
+
+      await wallet.abandon(tx.hash());
+
+      assert.strictEqual(node.mempool.map.size, 1);
+      await node.mempool.reset();
+      assert.strictEqual(node.mempool.map.size, 0);
+    });
+  });
 });
