Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug: fix local Authorization header #284

Merged
merged 7 commits into from
Sep 28, 2021
Merged

bug: fix local Authorization header #284

merged 7 commits into from
Sep 28, 2021

Conversation

jrconlin
Copy link
Member

So the problem isn't with Vapid. It's with how we were generating the
other authorization token, specifically differences with how python
and rust were handling things.

Python was converting the hex UAID string into a set of bytes, rust
was converting the 128bit UUID UAID into bytes. Combine that with some
fun regarding the base auth key string, and.. yeah.

I added a test to this to compare the auth key generated by python with
rust, broke the generate and validate functions into the
AuthorizationCheck impl and added a bunch of comments.

Closes #282

So the problem isn't with Vapid. It's with how we were generating the
other authorization token, specifically differences with how python
and rust were handling things.

Python was converting the hex UAID string into a set of bytes, rust
was converting the 128bit UUID UAID into bytes. Combine that with some
fun regarding the base auth key string, and.. yeah.

I added a test to this to compare the auth key generated by python with
rust, broke the generate and validate functions into the
AuthorizationCheck impl and added a bunch of comments.

Closes #282
@jrconlin jrconlin requested review from a team August 14, 2021 01:01
pjenvey
pjenvey previously approved these changes Sep 3, 2021
Copy link
Member

@pjenvey pjenvey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good, but isn't it also an issue that get_token_from_auth_header only allows the Bearer scheme whereas mobile sends webpush?

use uuid::Uuid;

/// Verifies the request authorization via the authorization header.
///
/// The expected token is the HMAC-SHA256 hash of the UAID, signed with one of
/// the available keys (allows for key rotation).
/// NOTE: This is *ONLY* for internal calls that require authorization and should
/// NOT be used by calls that are using VAPID authentication (e.g.
/// subscription provider endpoints)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what do we mean by "local auth" exactly?

All the registration endpoints use this auth check.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are two types of authentication: VAPID, which is meant for external, 3rd party subscription providers, and "local" User Agent authorization, which uses a bearer token provided as part of the registration process.

The complication here is that both share the "Authentication" header. This call should only be used to check the latter Authentication form.

@jrconlin
Copy link
Member Author

jrconlin commented Sep 3, 2021

Sigh. you're right. The fennec Android component does send the local, non-vapid Auth token Authorization header with a webpush prefix, not a bearer prefix.

@jrconlin jrconlin merged commit 0027d78 into master Sep 28, 2021
@jrconlin jrconlin deleted the bug/282-vapid branch September 28, 2021 20:52
sign_with_key(key.as_bytes(), uaid.to_simple().to_string().as_bytes())
.map_err(ApiErrorKind::RegistrationSecretHash)?;

dbg!(&expected_token, &token);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Temporary debugging code? This logs secrets.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, this needs to go. It's not super critical since the local log is discarded and the token would already be compromised at that point, but it's needless chatter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Autopush-rs Endpoint fails to read AUTHENTICATION header
3 participants