database_api::verify_account_authority is broken

[pmconrad]

Bug Description
According to the description, the API call verifies that a given set of public keys is sufficient to authorize a transaction for a given account.

The implementation creates a transfer transaction from that account and verifies it. Since it is completely ignoring the keys, this will always fail.

Impacts
Describe which portion(s) of BitShares Core may be impacted by this bug. Please tick at least one box.

• API (the application programming interface)
• Build (the build process or something prior to compiled code)
• CLI (the command line wallet)
• Deployment (the deployment process after building such as Docker, Travis, etc.)
• DEX (the Decentralized EXchange, market engine, etc.)
• P2P (the peer-to-peer network for transaction/block propagation)
• Performance (system or user efficiency, etc.)
• Protocol (the blockchain logic, consensus, validation, etc.)
• Security (the security of system or user data, etc.)
• UX (the User Experience)
• Other (please add below)

Steps To Reproduce
Steps to reproduce the behavior (example outlined below):

$ curl--data '{"id":0,"method":"verify_account_authority","params":["cyrano",["BTS6MkMxwBjFWmcDjXRoJ4mW9Hd4LCSPwtv9tKG1qYW5Kgu4AhoZy"]]}' 'https://<api-node>/rpc'
{"id":0,"jsonrpc":"2.0","error":{"code":1,"message":"missing required active authority: Missing Active Authority 1.2.28788", ...

Expected Behavior
Call should have returned true.

Additional Context (optional)
Since the call has never worked correctly it is safe to assume that it is unused. So it might be an option to remove it.

CORE TEAM TASK LIST

• Evaluate / Prioritize Bug Report
• Refine User Stories / Requirements
• Define Test Cases
• Design / Develop Solution
• Perform QA/Testing
• Update Documentation

[cogutvalera]

@pmconrad nice catch !

Several months ago I wanted to use this API method while had troubles with signing transaction in C#.
This method is very helpful for debugging purposes. I disagree that we should remove it, I think we should fix it, IMHO it is very helpful for developers. Just my thoughts.

Thanks !

[pmconrad]

Agree that it might be useful for debugging. Probably not for regular clients.

[jmjatlanta]

Please correct me if I am wrong. I believe we should be looking at the active and owner public keys for the passed in account, and verify that the keys match what was passed in.

Am I missing something? What else should be validated?

[pmconrad]

It's much more complicated than that, since the keys can also authorize other accounts who in turn form a multisig for the account that has to authorize the transaction etc.
The general idea to create an actual transaction and let that verify the keys is good IMO, but it has to be done properly.

[pmconrad]

Resolved via #1384