-
lovetox
should a client check the jid on an iq response
-
lovetox
i use a uuid as iq id
-
lovetox
and i don't check if the jid in the response is the jid i did send the iq to
-
lovetox
because i always thought it's almost impossible that another account can send me a response with this id that fits what i expect
-
Ge0rG
I think we pondered about that in the past and tried to come up with situations where you leak the id of an in-flight IQ to third parties. But I'm not sure what the outcome was
-
Zash
Why wouldn't you check the JID?
-
lovetox
because it's additional work
-
Ge0rG
still it's good practice to check the sender JID
-
lovetox
there should be a gain which we could name
-
lovetox
but i just realized it's very easy to do this
-
lovetox
right now i have the callbacks in a dict
-
lovetox
id: callbacks
-
lovetox
and i just need to save it like (jid, id): callback
-
Ge0rG
don't forget to expire them from the map after a timeout