Recently jsonrpsee added support for RPC middleware for the clients, which can modify the request ID, which could break the verification of each response.
For example:
- user makes an RPC call (jsonrpsee assigns id==1)
- middleware modifies id==2
- jsonrpsee response check fails because it expects id==1
Similar applies to batch requests as well, but it's even a bit worse in that if any additional calls are added, that will break verification as well (which sounds more likely to happen in real-world usage).
We could technically restrict users from modifying the request ID via the Request type, but nothing prevents one from creating a new request in middleware, so I would claim that it doesn't make a difference; the footgun is still there...
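The failure mode described in this issue, modelled as an added illustration that is not part of the original report and is not jsonrpsee code. `Request`, `Response`, `server`, `verify`, `call` and the three middleware functions are hypothetical stand-ins, and the check is a simplified model of matching response IDs against the IDs the client assigned.

```rust
// Added illustration: simplified stand-in types, not jsonrpsee's real API.
use std::collections::HashSet;

struct Request { id: u64, method: String }
struct Response { id: u64, result: String }

/// Hypothetical server: echoes each request id back in its response.
fn server(batch: &[Request]) -> Vec<Response> {
    batch.iter()
        .map(|r| Response { id: r.id, result: format!("ok:{}", r.method) })
        .collect()
}

/// Client-side check: each response id must be one the client assigned, exactly once.
fn verify(expected: &[u64], responses: &[Response]) -> Result<(), String> {
    let mut pending: HashSet<u64> = expected.iter().copied().collect();
    for r in responses {
        if !pending.remove(&r.id) {
            return Err(format!("unexpected response id {}", r.id));
        }
    }
    if pending.is_empty() { Ok(()) } else { Err(format!("missing ids {:?}", pending)) }
}

/// Records the ids the client assigned, then lets the middleware touch the batch.
fn call(batch: Vec<Request>, middleware: fn(Vec<Request>) -> Vec<Request>)
    -> Result<Vec<String>, String>
{
    let expected: Vec<u64> = batch.iter().map(|r| r.id).collect();
    let responses = server(&middleware(batch));
    verify(&expected, &responses)?;
    Ok(responses.into_iter().map(|r| r.result).collect())
}

fn passthrough(b: Vec<Request>) -> Vec<Request> { b }
// Case 1 from the issue: middleware rewrites the id (1 -> 2).
fn rewrite_id(mut b: Vec<Request>) -> Vec<Request> { for r in &mut b { r.id += 1; } b }
// Case 2 from the issue: middleware adds a call to the batch (constructed id 99).
fn add_call(mut b: Vec<Request>) -> Vec<Request> {
    b.push(Request { id: 99, method: "extra".into() });
    b
}

fn main() {
    let req = || vec![Request { id: 1, method: "say_hello".into() }];
    println!("{:?}", call(req(), passthrough));
    println!("{:?}", call(req(), rewrite_id));
    println!("{:?}", call(req(), add_call));
}
```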