View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0009684 | Taler | exchange AML backoffice (SPA) | public | 2025-04-01 15:07 | 2025-04-02 21:49 |
Reporter | sebasjm | Assigned To | sebasjm | ||
Priority | normal | Severity | major | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | ||
Product Version | git (master) | ||||
Target Version | 1.0 | ||||
Summary | 0009684: AML officer should set "account name" when doing a decision of a not-yet-known account | ||||
Description | was: can't post a decision to an account without a decision yet

exchange supports "payto_uri" for this case, but returns 400

Response

```
< HTTP/1.1 400 Bad Request
< Server: nginx/1.24.0 (Ubuntu)
< Date: Tue, 01 Apr 2025 13:07:00 GMT
< Content-Type: application/json
< Content-Length: 259
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: *
< Access-Control-Allow-Credentials: true
<
{
  "hint": "The JSON in the client's request was malformed. This is likely a bug in the client implementation. Check if you are using the latest available version and/or file a report with the developers.",
  "code": 22,
  "field": "payto_uri",
  "line": 2
* Connection #0 to host exchange.taler.test left intact
}
```

Request

```
curl 'http://exchange.taler.test:1180/aml/8RTE8VXBYDTR6P20T77NGQCJXRD5RJ4RGVASWBKFJNRMSGKBKQT0/decision' \
  -H 'Accept: application/json' \
  -H 'Taler-AML-Officer-Signature: FB77QSM31RFTASFEH9QYCNH3AV22VNGGT31MKB80DVD0BPPPJRHT6WZ28Y90T74EKJN4CTNY7DF0ZCB5EYXG8ZTS8ZDBY58S8FANE1R' \
  --data-raw '{"officer_sig":"RZ7JXVX9MT7Q5ZQGQCT4VP5MNW5WMP99J6FRX2CFWNW5Q8H576Z137AZA8VYWBJPTFNRXSJHAY6AVJ2J5NZW7ZSGQP050J606HAD020","h_payto":"RVMJAC602NH8D756ERYZCW6YGBN3340M8N8PFMYVVTGR6E780C50","decision_time":{"t_s":1743512468},"justification":"asd","payto_uri":"payto://iban/DE1231231231","keep_investigating":false,"new_rules":{"expiration_time":{"t_s":"never"},"rules":[{"operation_type":"WITHDRAW","threshold":"JRSL:100","timeframe":{"d_us":2592000000000},"measures":["VERBOTEN"],"display_priority":1},{"operation_type":"DEPOSIT","threshold":"JRSL:100","timeframe":{"d_us":2592000000000},"measures":["VERBOTEN"],"display_priority":1},{"operation_type":"MERGE","threshold":"JRSL:100","timeframe":{"d_us":2592000000000},"measures":["VERBOTEN"],"display_priority":1},{"operation_type":"AGGREGATE","threshold":"JRSL:100","timeframe":{"d_us":2592000000000},"measures":["VERBOTEN"],"display_priority":1},{"operation_type":"BALANCE","threshold":"JRSL:100","timeframe":{"d_us":"forever"},"measures":["VERBOTEN"],"display_priority":1},{"operation_type":"REFUND","threshold":"JRSL:100","timeframe":{"d_us":2592000000000},"measures":["VERBOTEN"],"display_priority":1},{"operation_type":"CLOSE","threshold":"JRSL:100","timeframe":{"d_us":2592000000000},"measures":["VERBOTEN"],"display_priority":1},{"operation_type":"TRANSACTION","threshold":"JRSL:100","timeframe":{"d_us":"forever"},"measures":["VERBOTEN"],"display_priority":1}],"successor_measure":"","custom_measures":{}},"events":[],"attributes":{"CUSTOMER_TYPE":"NATURAL_PERSON","FULL_NAME":"Sebastian Marchano","DOMICILE_ADDRESS":"Balcarse 129","DATE_OF_BIRTH":"2025-04-16","NATIONALITY":"AR","PERSONAL_IDENTIFICATION_DOCUMENT_COPY":{"CONTENTS":"<removed>","ENCODING":"base64","FILENAME":"primero.pdf","MIME_TYPE":"application/pdf"},"CORRESPONDENCE_LANGUAGE":"en","CUSTOMER_TYPE_VQF":"NATURAL_PERSON","FORM_ID":"vqf_902_1_customer","FORM_VERSION":1},"properties":{"AML_ACCOUNT_OPEN":true},"new_measures":"nothing"}' \
```
Tags | No tags attached. | ||||
|
I will check the differences in how the validation of payto is implemented. The checksum of DE1231231231 is valid but not the length, and it seems that this was some new check added somewhat recently |
|
I found that the exchange is doing full payto validation in the payto_uri field. The use case where this is a problem is when the AML officer searches for an IBAN account and tries to make a decision on an account that is not yet known to the exchange. Asking for the full payto requires the `receiver-name` of the account. The problem is that if the name provided by the AML officer is wrong by a letter or space, then the hash of the payto (a) provided by the AML officer and the payto (b) calculated by the bank wire transfer will not match. From the AML officer's perspective, it is a decision that lands nowhere, lost in the vacuum of a dark and mysterious database. IMO the payto_uri should be the normalized version. |
|
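Added example, not part of the issue thread or of Taler's code: it separates the two IBAN checks mentioned in the notes above (mod-97 checksum versus country length) and shows why a hash over the full payto URI diverges on a one-letter `receiver-name` difference while a hash over a normalized URI does not. SHA-256, the query-stripping `normalize_payto`, the `IBAN_LENGTHS` subset and the sample names are assumptions for illustration, not the exchange's actual `h_payto` computation.

```python
import hashlib
from urllib.parse import urlsplit

# Subset of ISO 13616 country lengths, enough for this illustration.
IBAN_LENGTHS = {"DE": 22, "CH": 21, "FR": 27, "NL": 18}


def iban_problems(iban: str) -> list:
    """Return the reasons an IBAN fails validation (empty list means valid)."""
    iban = iban.replace(" ", "").upper()
    if not (iban.isascii() and iban.isalnum() and len(iban) >= 5
            and iban[:2].isalpha() and iban[2:4].isdigit()):
        return ["format"]
    problems = []
    expected = IBAN_LENGTHS.get(iban[:2])
    if expected is None:
        problems.append("unknown-country")
    elif len(iban) != expected:
        problems.append("length")
    # mod-97 check: move the first four characters to the end, map A..Z to 10..35.
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    if int(digits) % 97 != 1:
        problems.append("checksum")
    return problems


def normalize_payto(uri: str) -> str:
    """Drop the query part (receiver-name etc.); hypothetical normalization."""
    parts = urlsplit(uri)
    return f"payto://{parts.netloc.lower()}{parts.path}"


def digest(uri: str) -> str:
    """SHA-256 stand-in for an account hash; not Taler's real h_payto."""
    return hashlib.sha256(uri.encode("utf-8")).hexdigest()


# Constructed sample data: the IBAN from the report, a well-formed German
# IBAN, and two payto URIs whose receiver-name differs by one letter.
REPORTED = "DE1231231231"
WELL_FORMED = "DE89370400440532013000"
FROM_OFFICER = f"payto://iban/{WELL_FORMED}?receiver-name=Max%20Musterman"
FROM_WIRE = f"payto://iban/{WELL_FORMED}?receiver-name=Max%20Mustermann"

if __name__ == "__main__":
    print(REPORTED, iban_problems(REPORTED))
    print(WELL_FORMED, iban_problems(WELL_FORMED))
    print("full match:", digest(FROM_OFFICER) == digest(FROM_WIRE))
    print("normalized match:",
          digest(normalize_payto(FROM_OFFICER)) == digest(normalize_payto(FROM_WIRE)))
```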
Talking with Florian:
* exchange handles it if the customer changes the receiver name
* in case of a sanction list we have a receiver name for a decision

So, I'm adding an "account name" in the decision wizard |
|
60c162a57..dd9dc8c52 |
Date Modified | Username | Field | Change |
---|---|---|---|
2025-04-01 15:07 | sebasjm | New Issue | |
2025-04-01 15:07 | sebasjm | Status | new => assigned |
2025-04-01 15:07 | sebasjm | Assigned To | => Florian Dold |
2025-04-01 19:30 | sebasjm | Assigned To | Florian Dold => sebasjm |
2025-04-01 19:31 | sebasjm | Note Added: 0024364 | |
2025-04-01 22:44 | sebasjm | Assigned To | sebasjm => Christian Grothoff |
2025-04-01 22:44 | sebasjm | Status | assigned => feedback |
2025-04-01 22:44 | sebasjm | Note Added: 0024368 | |
2025-04-01 23:50 | sebasjm | Note Added: 0024371 | |
2025-04-01 23:50 | sebasjm | Status | feedback => assigned |
2025-04-01 23:50 | sebasjm | Assigned To | Christian Grothoff => sebasjm |
2025-04-01 23:51 | sebasjm | Status | assigned => confirmed |
2025-04-02 16:40 | sebasjm | Category | exchange => exchange AML backoffice (SPA) |
2025-04-02 16:40 | sebasjm | Summary | can't post a decision to an account without a decision yet => AML officer should set "account name" when doing a decision of a not-yet-known account |
2025-04-02 16:40 | sebasjm | Description Updated | |
2025-04-02 21:49 | sebasjm | Status | confirmed => resolved |
2025-04-02 21:49 | sebasjm | Resolution | open => fixed |
2025-04-02 21:49 | sebasjm | Note Added: 0024381 |