#1178: Bug fixes for POST /quotes with unknown destination FSP (mojal…

…oop#160)

* Validate that FSP Ids in headers and payload match for both payerfsp and payeefsp

package.json

@@ -2,7 +2,7 @@
   "name": "quoting-service",
   "description": "Quoting Service hosted by a scheme",
   "license": "Apache-2.0",
-  "version": "9.3.2-snapshot",
+  "version": "9.3.3-snapshot",
   "author": "Modusbox",
   "contributors": [
     "James Bush <james.bush@modusbox.com>",

src/model/quotes.js

@@ -162,6 +162,16 @@ class QuotesModel {
       // internal-error
       throw ErrorHandler.CreateInternalServerFSPIOPError('Missing quoteRequest', null, fspiopSource)
     }
+
+    // We need to validate that the FSP Ids in the headers and payload match
+    if (fspiopSource !== quoteRequest.payer.partyIdInfo.fspId) {
+      throw ErrorHandler.CreateFSPIOPError(ErrorHandler.Enums.FSPIOPErrorCodes.VALIDATION_ERROR, '"fspiop-source" header does not match the payer FSP ID', null, fspiopSource)
+    }
+
+    if (fspiopDestination !== quoteRequest.payee.partyIdInfo.fspId) {
+      throw ErrorHandler.CreateFSPIOPError(ErrorHandler.Enums.FSPIOPErrorCodes.VALIDATION_ERROR, '"fspiop-destination" header does not match the payee FSP ID', null, fspiopSource)
+    }
+
     await this.db.getParticipant(fspiopSource, LOCAL_ENUM.PAYER_DFSP)
     await this.db.getParticipant(fspiopDestination, LOCAL_ENUM.PAYEE_DFSP)
   }