[ANCHOR-1154] Validate SEP-38 quote expiration#1893
Open
03f75b1 to
7e5bdf9
Pull request overview
Adds server-side hardening to reject expired SEP-38 quotes during request handling for SEP-6/24/31 flows by introducing consistent, injectable time sources and enforcing expires_at checks where quotes are validated/consumed.
Changes:
- Introduce a shared UTC `Clock` bean and inject it into SEP wiring and time-dependent components.
- Enforce quote-expiration validation in `ExchangeAmountsCalculator` (affecting SEP-6/24 quote usage) and in `Sep31Service` quote pre-validation.
- Update and extend unit tests to cover expired-quote scenarios and constructor signature changes.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| platform/src/main/java/org/stellar/anchor/platform/component/sep/SepBeans.java | Adds a UTC Clock bean and wires it into NonceManager, ExchangeAmountsCalculator, and Sep31Service. |
| core/src/main/java/org/stellar/anchor/util/ExchangeAmountsCalculator.java | Validates quote.expiresAt against an injected Clock when validating quotes for SEP-6/24. |
| core/src/main/java/org/stellar/anchor/sep31/Sep31Service.java | Rejects expired quotes during SEP-31 postTransaction pre-validation using an injected Clock. |
| core/src/test/kotlin/org/stellar/anchor/util/ExchangeAmountsCalculatorTest.kt | Updates constructor usage and adds a test to ensure expired quotes are rejected. |
| core/src/test/kotlin/org/stellar/anchor/sep31/Sep31ServiceTest.kt | Updates constructor usage and adds coverage for expired quote_id. |
| core/src/test/kotlin/org/stellar/anchor/sep24/Sep24ServiceTest.kt | Updates ExchangeAmountsCalculator construction to include Clock. |
| core/src/test/kotlin/org/stellar/anchor/util/ClientFinderTest.kt | Removes cross-test coupling by using the local token reference. |
JiahuiWho approved these changes Mar 1, 2026
Description
Validate that the SEP-38 quote expires in SEP-6/24/31 request handlers.
Context
The endpoints should not accept expired quotes by default, but validating the expiration at this stage is not enough because the quote can expire when the funds arrive. This is more of a hardening fix.
Testing
./gradlew test
Documentation
N/A
Known limitations
N/A
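
A minimal sketch of the pattern this pull request describes, an injected `Clock` compared against a quote's expiry, added here as an example and not taken from the project's code. The `Quote` record, `QuoteExpiryValidator`, and the sample timestamps are hypothetical (Java 16+ assumed), and rejecting a missing expiry or the exact expiry instant is a choice made for this example. Pinning the clock at request time and again at a later funds-arrival time shows why request-time validation alone is hardening and not a complete check.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;

// Added illustration; class, record and method names are hypothetical, not the project's.
public class QuoteExpiryExample {
  // Minimal stand-in for a stored SEP-38 quote: only the fields the check needs.
  record Quote(String id, Instant expiresAt) {}

  static class QuoteExpiryValidator {
    private final Clock clock; // injected so tests can pin "now"

    QuoteExpiryValidator(Clock clock) {
      this.clock = clock;
    }

    // Example's choice: fail closed on a missing expiry and on the exact expiry instant.
    void requireNotExpired(Quote quote) {
      Instant now = clock.instant();
      if (quote.expiresAt() == null || !now.isBefore(quote.expiresAt())) {
        throw new IllegalArgumentException("quote " + quote.id() + " has expired");
      }
    }
  }

  static boolean accepted(QuoteExpiryValidator validator, Quote quote) {
    try {
      validator.requireNotExpired(quote);
      return true;
    } catch (IllegalArgumentException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    Instant requestTime = Instant.parse("2026-03-01T12:00:00Z"); // constructed sample values
    Quote quote = new Quote("q-1", requestTime.plus(Duration.ofMinutes(5)));

    // Same check under three pinned clocks: request time, expiry instant, funds arrival.
    var atRequest = new QuoteExpiryValidator(Clock.fixed(requestTime, ZoneOffset.UTC));
    var atExpiry = new QuoteExpiryValidator(Clock.fixed(quote.expiresAt(), ZoneOffset.UTC));
    var atArrival = new QuoteExpiryValidator(
        Clock.fixed(requestTime.plus(Duration.ofMinutes(30)), ZoneOffset.UTC));

    System.out.println("request time:   " + accepted(atRequest, quote));
    System.out.println("expiry instant: " + accepted(atExpiry, quote));
    System.out.println("funds arrival:  " + accepted(atArrival, quote));
  }
}
```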