Merge pull request #14 from gitcoinco/validate-eligibility-updates

nijoe1 · web-flow · commit 4286bece6c9a · 2025-02-11T12:41:01.000+02:00
feat: add signature validation on update round voters
diff --git a/src/controllers/poolController.ts b/src/controllers/poolController.ts
@@ -36,13 +36,13 @@ interface CreatePoolRequest extends PoolIdChainId {
 }
 
 interface EligibilityCriteriaRequest extends PoolIdChainId {
+  signature: Hex;
   eligibilityType: EligibilityType;
   data: object;
 }
 
 interface SetCustomDistributionRequest extends PoolIdChainId {
   signature: Hex;
-  sender: Hex;
   distribution: Distribution[];
 }
 
@@ -222,14 +222,26 @@ export const calculateDistribution = async (req, res): Promise<void> => {
 };
 
 export const updateEligibilityCriteria = async (req, res): Promise<void> => {
-  const { eligibilityType, alloPoolId, chainId, data } =
+  const { signature, eligibilityType, alloPoolId, chainId, data } =
     req.body as EligibilityCriteriaRequest;
 
   // Log the receipt of the update request
   logger.info(
     `Received update eligibility criteria request for chainId: ${chainId}, alloPoolId: ${alloPoolId}`
   );
 
+  if (
+    !(await isPoolManager(
+      { alloPoolId, chainId },
+      signature,
+      chainId,
+      alloPoolId
+    ))
+  ) {
+    res.status(401).json({ message: 'Not Authorzied' });
+    throw new BadRequestError('Not Authorzied');
+  }
+
   const [error] = await catchError(
     eligibilityCriteriaService.saveEligibilityCriteria({
       chainId,
diff --git a/src/routes/poolRoutes.ts b/src/routes/poolRoutes.ts
@@ -163,6 +163,10 @@ router.post('/calculate', calculateDistribution);
  *           schema:
  *             type: object
  *             properties:
+ *               signature:
+ *                 type: string
+ *                 description: Signature of the sender which should be a manager of the pool
+ *                 example: "0xdeadbeef"
  *               alloPoolId:
  *                 type: string
  *                 description: The ID of the pool
