Skip to content

Fix /sign-tx to allow source account credentials only for contract deployment#458

Merged
JiahuiWho merged 2 commits intomasterfrom
add-global-cors-middleware
Apr 7, 2026
Merged

Fix /sign-tx to allow source account credentials only for contract deployment#458
JiahuiWho merged 2 commits intomasterfrom
add-global-cors-middleware

Conversation

@JiahuiWho
Copy link
Copy Markdown
Contributor

@JiahuiWho JiahuiWho commented Apr 6, 2026
edited
Loading

What's Changed

  • #455 rejected all sorobanCredentialsSourceAccount auth entries, which blocked both the exploit and legitimate contract deployments. This PR refines the fix to inspect the authorized function: source account credentials are now only permitted for contract deployment (createContractV2HostFn) and rejected for everything else.
  • Replaced per-route Access-Control-Allow-Origin headers with a global Express middleware, ensuring all responses (including errors and preflight OPTIONS) include CORS headers.

Context

Error responses were missing CORS headers, causing browsers to mask server errors s CORS failures.

Copilot AI review requested due to automatic review settings April 6, 2026 22:12
Copilot AI reviewed Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to fix missing CORS headers on error responses by replacing per-route CORS header setting with a global Express middleware intended to cover all responses (including errors) and handle OPTIONS preflight requests.

Changes:

  • Added a global CORS middleware and OPTIONS preflight handling.
  • Removed per-route CORS header setting from several routes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@stellar-jenkins-ci
Copy link
Copy Markdown

stellar-jenkins-ci bot commented Apr 6, 2026

Preview is available here:
http://stellar-demo-wallet-client-pr458.previews.kube001.services.stellar-ops.com/

@JiahuiWho JiahuiWho force-pushed the add-global-cors-middleware branch from 3458834 to f0f4ca1 Compare April 6, 2026 22:22
@stellar-jenkins-ci
Copy link
Copy Markdown

stellar-jenkins-ci bot commented Apr 6, 2026

Preview is available here:
http://stellar-demo-wallet-client-pr458.previews.kube001.services.stellar-ops.com/

1 similar comment
@stellar-jenkins-ci
Copy link
Copy Markdown

stellar-jenkins-ci bot commented Apr 6, 2026

Preview is available here:
http://stellar-demo-wallet-client-pr458.previews.kube001.services.stellar-ops.com/

@JiahuiWho JiahuiWho force-pushed the add-global-cors-middleware branch from 64cbb69 to d03861c Compare April 6, 2026 23:36
@stellar-jenkins-ci
Copy link
Copy Markdown

stellar-jenkins-ci bot commented Apr 6, 2026

Preview is available here:
http://stellar-demo-wallet-client-pr458.previews.kube001.services.stellar-ops.com/

@JiahuiWho JiahuiWho force-pushed the add-global-cors-middleware branch from d03861c to 760b1de Compare April 6, 2026 23:45
@JiahuiWho JiahuiWho changed the title Fix CORS headers missing on error responses Fix /sign-tx to allow source account credentials only for contract deployment Apr 6, 2026
@JiahuiWho JiahuiWho changed the title Fix /sign-tx to allow source account credentials only for contract deployment [ANCHOR-1184] Fix /sign-tx to allow source account credentials only for contract deployment Apr 6, 2026
@JiahuiWho JiahuiWho changed the title [ANCHOR-1184] Fix /sign-tx to allow source account credentials only for contract deployment Fix /sign-tx to allow source account credentials only for contract deployment Apr 6, 2026
@stellar-jenkins-ci
Copy link
Copy Markdown

stellar-jenkins-ci bot commented Apr 6, 2026

Preview is available here:
http://stellar-demo-wallet-client-pr458.previews.kube001.services.stellar-ops.com/

@JiahuiWho JiahuiWho force-pushed the add-global-cors-middleware branch from 760b1de to 70bc1f9 Compare April 6, 2026 23:57
@stellar-jenkins-ci
Copy link
Copy Markdown

stellar-jenkins-ci bot commented Apr 7, 2026

Preview is available here:
http://stellar-demo-wallet-client-pr458.previews.kube001.services.stellar-ops.com/

marwen-abid
marwen-abid approved these changes Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

@marwen-abid marwen-abid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thank you for fixing this.

@JiahuiWho JiahuiWho merged commit 3516cdc into master Apr 7, 2026
8 checks passed
@JiahuiWho JiahuiWho deleted the add-global-cors-middleware branch April 7, 2026 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@marwen-abid marwen-abid marwen-abid approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JiahuiWho @marwen-abid