Do not require auth info in super user transfer

Super users can look up auth info in Datastore or BigQuery backup anyway. Requiring it only adds friction when using the super user extension, without any additional security benefit. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=235786090
2025-05-14 00:17:20 +02:00 · 2019-02-26 13:51:43 -08:00 · 2019-02-26 13:51:43 -08:00 · d3a6d5483e
commit d3a6d5483e
parent e9f2a49e9a
2 changed files with 4 additions and 5 deletions
--- a/java/google/registry/flows/domain/DomainTransferRequestFlow.java
+++ b/java/google/registry/flows/domain/DomainTransferRequestFlow.java
@ -254,8 +254,10 @@ public final class DomainTransferRequestFlow implements TransactionalFlow {
      Optional<DomainTransferRequestSuperuserExtension> superuserExtension)
      throws EppException {
    verifyNoDisallowedStatuses(existingDomain, DISALLOWED_STATUSES);
+    if (!isSuperuser) {
      verifyAuthInfoPresentForResourceTransfer(authInfo);
      verifyAuthInfo(authInfo.get(), existingDomain);
+    }
    // Verify that the resource does not already have a pending transfer.
    if (TransferStatus.PENDING.equals(existingDomain.getTransferData().getTransferStatus())) {
      throw new AlreadyPendingTransferException(targetId);
--- a/javatests/google/registry/flows/domain/testdata/domain_transfer_request_superuser_extension.xml
+++ b/javatests/google/registry/flows/domain/testdata/domain_transfer_request_superuser_extension.xml
@ -4,9 +4,6 @@
      <domain:transfer
          xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.tld</domain:name>
-        <domain:authInfo>
-          <domain:pw roid="JD1234-REP">2fooBAR</domain:pw>
-        </domain:authInfo>
      </domain:transfer>
    </transfer>
    <extension>