From 75d9268ecd675ba55750b623064465c6bb8427da Mon Sep 17 00:00:00 2001
From: cgoldfeder
Date: Wed, 14 Sep 2016 13:49:45 -0700
Subject: [PATCH] Resolve an old TODO by doing nothing The RFCs are ambiguous. 5733 (contacts): 3.2.4. EPP Command ...the command MUST contain a element that identifies the contact namespace. The element contains the following child elements: ... - A element that contains authorization information associated with the contact object. However, the xsd explicitly marks it as optional: The language in 5731 (domains) is [] The only example given in both is for a transfer request, which is the one flow that obviously requires the authInfo. We had decided that for transfer approve and reject, which are done by the losing client, requiring the authInfo is silly because it's available to that registrar from an and there's no extra security in having them present it (although if they do present it we validate it). The question about cancel was whether the gaining client, which had to present the authInfo in the original transfer request, needs it again for cancel. I can't come up with any reason this would be beneficial, and I'm making the decision: authInfo is not required on transfer cancel. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=133168739
---
 java/google/registry/flows/ResourceTransferCancelFlow.java | 1 -
 .../registry/flows/contact/ContactTransferCancelFlow.java | 2 --
 2 files changed, 3 deletions(-)
diff --git a/java/google/registry/flows/ResourceTransferCancelFlow.java b/java/google/registry/flows/ResourceTransferCancelFlow.java
index 2ccd18b58..9925482ba 100644
--- a/java/google/registry/flows/ResourceTransferCancelFlow.java
+++ b/java/google/registry/flows/ResourceTransferCancelFlow.java
@@ -39,7 +39,6 @@ public abstract class ResourceTransferCancelFlow
 /** Verify that this is the correct client to cancel this pending transfer. */
 @Override
 protected final void verifyPendingTransferMutationAllowed() throws EppException {
- // TODO(b/18997997): Determine if authInfo is necessary to cancel a transfer.
 if (!getClientId().equals(existingResource.getTransferData().getGainingClientId())) {
 throw new NotTransferInitiatorException();
 }
diff --git a/java/google/registry/flows/contact/ContactTransferCancelFlow.java b/java/google/registry/flows/contact/ContactTransferCancelFlow.java
index 6224132ae..3e02035d4 100644
--- a/java/google/registry/flows/contact/ContactTransferCancelFlow.java
+++ b/java/google/registry/flows/contact/ContactTransferCancelFlow.java
@@ -71,11 +71,9 @@ public class ContactTransferCancelFlow extends LoggedInFlow implements Transacti
 throw new ResourceToMutateDoesNotExistException(ContactResource.class, targetId);
 }
 verifyOptionalAuthInfoForResource(authInfo, existingResource);
- // Fail if object doesn't have a pending transfer, or if authinfo doesn't match. */
 if (existingResource.getTransferData().getTransferStatus() != TransferStatus.PENDING) {
 throw new NotPendingTransferException(targetId);
 }
- // TODO(b/18997997): Determine if authInfo is necessary to cancel a transfer.
 if (!clientId.equals(existingResource.getTransferData().getGainingClientId())) {
 throw new NotTransferInitiatorException();
 }
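Review bot: With the TODO deleted, nothing in `verifyPendingTransferMutationAllowed()` records that authInfo is deliberately not required to cancel a transfer; the authorization rationale now lives only in the commit message. I would put a short comment in place of the removed line, for example `// authInfo is intentionally not required on cancel; only the gaining client, which presented it on the transfer request, may cancel.` The same applies to the second hunk in ContactTransferCancelFlow, where the deleted "Fail if ... authinfo doesn't match" comment was the only in-code hint that a supplied authInfo is still checked, presumably by `verifyOptionalAuthInfoForResource`. Both method bodies extend outside their hunks, so other documentation may exist that is not visible here.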