feat(connector)_: do not allow override clientId for http connection

friofry · friofry · commit afae65ca12dd · 2025-10-06T19:21:45.000+04:00
diff --git a/services/connector/api.go b/services/connector/api.go
@@ -10,7 +10,8 @@ import (
 )
 
 var (
-	ErrInvalidResponseFromForwardedRpc = errors.New("invalid response from forwarded RPC")
+	ErrInvalidResponseFromForwardedRpc         = errors.New("invalid response from forwarded RPC")
+	ErrCannotOverrideClientIDForHttpConnection = errors.New("cannot override clientId for HTTP connection")
 )
 
 type API struct {
@@ -96,6 +97,11 @@ func (api *API) CallRPC(ctx context.Context, inputJSON string) (interface{}, err
 		return "", err
 	}
 
+	// This prevents external clients from spoofing ClientID to impersonate trusted clients
+	if IsUntrustedConnection(ctx) && request.ClientID != "" {
+		return "", ErrCannotOverrideClientIDForHttpConnection
+	}
+
 	if command, exists := api.r.GetCommand(request.Method); exists {
 		return command.Execute(ctx, request)
 	}
diff --git a/services/connector/api_test.go b/services/connector/api_test.go
@@ -37,9 +37,20 @@ func TestCallRPC(t *testing.T) {
 			request:     "{\"method\": \"wallet_switchEthereumChain\", \"params\": []}",
 			expectError: commands.ErrRequestMissingDAppData,
 		},
+		{
+			request: `{
+				"method": "eth_chainId",
+				"params": [],
+				"url": "https://example.com",
+				"name": "Example DApp",
+				"iconUrl": "https://example.com/icon.png",
+				"clientId": "wallet-connect"
+			}`,
+			expectError: ErrCannotOverrideClientIDForHttpConnection,
+		},
 	}
 
-	ctx := context.Background()
+	ctx := WithConnectionType(context.Background(), ConnectionTypeHTTP)
 	for _, tt := range tests {
 		t.Run(tt.request, func(t *testing.T) {
 			_, err := state.api.CallRPC(ctx, tt.request)
diff --git a/services/connector/commands/client_handler.go b/services/connector/commands/client_handler.go
@@ -126,11 +126,6 @@ func (c *ClientSideHandler) RecallDAppPermissions(args RecallDAppPermissionsArgs
 		return ErrEmptyUrl
 	}
 
-	// For backward compatibility with old clients(browser extension) that don't provide clientId
-	if args.ClientID == "" {
-		args.ClientID = DefaultClientID
-	}
-
 	dApp, err := persistence.SelectDApp(c.Db, args.URL, args.ClientID)
 	if err != nil {
 		return err
diff --git a/services/connector/commands/rpc_traits.go b/services/connector/commands/rpc_traits.go
@@ -113,9 +113,5 @@ func (r *RPCRequest) Validate() error {
 		return ErrRequestMissingDAppData
 	}
 
-	// Browser extension doesn't send ClientID
-	if r.ClientID == "" {
-		r.ClientID = DefaultClientID
-	}
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,8 @@ import (`
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`var (`
`13`		`- ErrInvalidResponseFromForwardedRpc = errors.New("invalid response from forwarded RPC")`
	`13`	`+ ErrInvalidResponseFromForwardedRpc = errors.New("invalid response from forwarded RPC")`
	`14`	`+ ErrCannotOverrideClientIDForHttpConnection = errors.New("cannot override clientId for HTTP connection")`
`14`	`15`	`)`
`15`	`16`
`16`	`17`	`type API struct {`
`@@ -96,6 +97,11 @@ func (api *API) CallRPC(ctx context.Context, inputJSON string) (interface{}, err`
`96`	`97`	`return "", err`
`97`	`98`	`}`
`98`	`99`
	`100`	`+ // This prevents external clients from spoofing ClientID to impersonate trusted clients`
	`101`	`+ if IsUntrustedConnection(ctx) && request.ClientID != "" {`
	`102`	`+ return "", ErrCannotOverrideClientIDForHttpConnection`
	`103`	`+ }`
	`104`	`+`
`99`	`105`	`if command, exists := api.r.GetCommand(request.Method); exists {`
`100`	`106`	`return command.Execute(ctx, request)`
`101`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -113,9 +113,5 @@ func (r *RPCRequest) Validate() error {`
`113`	`113`	`return ErrRequestMissingDAppData`
`114`	`114`	`}`
`115`	`115`
`116`		`- // Browser extension doesn't send ClientID`
`117`		`- if r.ClientID == "" {`
`118`		`- r.ClientID = DefaultClientID`
`119`		`- }`
`120`	`116`	`return nil`
`121`	`117`	`}`