feat: validate Stellar addresses (strkey) at startup#57
Merged
Manuel1234477 merged 1 commit on Jun 23, 2026
`STELLAR_GATEWAY_PUBLIC` and asset issuers were accepted as raw strings, so a typo in the gateway key silently produced unpayable intents and was never rejected. Add a small, dependency-free strkey validator (`src/strkey.rs`) that checks the `G` account version byte, the 56-character length, the base32 alphabet and the CRC16-XModem checksum. `Config::from_env` now validates the gateway key (when configured) and every accepted-asset issuer, so an invalid address fails fast at boot with a clear error instead of booting into a broken state. Unit tests cover valid keys and corrupted ones (bad checksum, wrong version, bad length, non-base32, secret-seed prefix). The current API exposes no user-supplied Stellar address field (destination is the gateway's own address; `merchant_id` is an opaque label), so validation is applied where addresses actually enter (config ingestion) and the validator is exported for future API use. closes StellarGateLabs#6
Problem

`STELLAR_GATEWAY_PUBLIC` and asset issuer addresses were accepted as raw strings. A typo in the gateway key silently produced unpayable intents (the destination address never matches a real account), and invalid input was never rejected.

Change

- `src/strkey.rs`: a small, dependency-free Stellar strkey validator. It checks the `G` account version byte, the 56-character length, the base32 (A-Z2-7) alphabet, and the CRC16-XModem checksum. Exposed as `is_valid_account_id` / `validate_account_id` for reuse.
- `Config::from_env` now validates the gateway key (when configured) and every accepted-asset issuer, returning a clear error so an invalid address aborts startup instead of booting into a broken state. An unconfigured gateway key (`UNCONFIGURED`) is skipped, preserving the "poller idle until configured" behaviour.

On the "API boundary" task

The current API exposes no user-supplied Stellar address field: `destination_address` is the gateway's own address (output), and `merchant_id` is an opaque label, not an address. So validation is applied where addresses actually enter the system (config ingestion), and the validator is exported (`pub mod strkey`), ready for any future address-bearing endpoint.

Tests

- `src/strkey.rs`: accepts a real account address (which also proves the base32 + CRC16 implementation), and rejects a corrupted checksum, a wrong version byte, a bad length, non-base32 characters, and a secret-seed (`S...`) prefix.
- `src/config.rs`: `validate_addresses` accepts a real gateway key + default issuer, and rejects a corrupted gateway key and an invalid issuer.

Acceptance criteria

Closes #6
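How the four checks listed under Change fit together, as an added example written for this page rather than the PR's own `src/strkey.rs`: decode the 56-character base32 string, compare the version byte against the one that encodes as `G`, then recompute the little-endian CRC16-XModem over the version byte and the 32-byte key. The `StrkeyError` enum is an assumption; the PR's error type is not shown on this page.

```rust
// Added example (not the PR's src/strkey.rs): dependency-free strkey check for
// Stellar account IDs, i.e. the G... form, with the error kinds the PR tests for.
const BASE32: &[u8; 32] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
const VERSION_ACCOUNT_ID: u8 = 6 << 3; // 0x30, the byte that encodes as 'G'

#[derive(Debug, PartialEq)]
pub enum StrkeyError { Length, Alphabet, Version, Checksum } // assumed error type

/// CRC16-XModem: poly 0x1021, init 0, no reflection, no final xor.
fn crc16_xmodem(data: &[u8]) -> u16 {
    let mut crc: u16 = 0;
    for &b in data {
        crc ^= (b as u16) << 8;
        for _ in 0..8 {
            crc = if crc & 0x8000 != 0 { (crc << 1) ^ 0x1021 } else { crc << 1 };
        }
    }
    crc
}

/// Unpadded RFC 4648 base32 (A-Z2-7) decode; None on any other byte.
fn base32_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        acc = (acc << 5) | BASE32.iter().position(|&x| x == c)? as u32;
        bits += 5;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Length, alphabet, version byte, then checksum; returns the raw 32-byte key.
/// A secret seed (S...) has version byte 0x90 and so fails the version check.
pub fn validate_account_id(s: &str) -> Result<[u8; 32], StrkeyError> {
    if s.len() != 56 { return Err(StrkeyError::Length); } // 56 chars = 35 bytes
    let raw = base32_decode(s).ok_or(StrkeyError::Alphabet)?;
    if raw[0] != VERSION_ACCOUNT_ID { return Err(StrkeyError::Version); }
    // Last two bytes: little-endian CRC16 over version byte + key.
    if crc16_xmodem(&raw[..33]) != u16::from_le_bytes([raw[33], raw[34]]) {
        return Err(StrkeyError::Checksum);
    }
    let mut key = [0u8; 32];
    key.copy_from_slice(&raw[1..33]);
    Ok(key)
}
```

At boot, the equivalent of the PR's `Config::from_env` check is to call `validate_account_id` on the `STELLAR_GATEWAY_PUBLIC` value and on each issuer and abort on `Err`.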