Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| for name, fetcher in providers.items(): | ||
| price, eta = fetcher(route) | ||
| signature = _hash_integrity(f"{name}:{price}:{eta}", secret_key) | ||
| offers.append(TripOffer(provider=name, price=price, eta_minutes=eta, signature=signature)) |
There was a problem hiding this comment.
Provider offers are signed with hmac(secret_key, f"{name}:{price}:{eta}"), so the signature does not cover which trip the quote was generated for. Because return_best_price_to_user only verifies that signature, a client can replay any previously issued cheap offer (from a different origin/destination) and it will still validate and be returned as the best price. The integrity check should include the trip request identifier (e.g., the request nonce or encrypted payload) to prevent cross-trip reuse of offers.
Useful? React with 👍 / 👎.
1 participant
Summary
Testing
Codex Task