bug: VAPID errors should return 401, not 404; handle InvalidToken exc…

…eption for parse_endpoint closes #807, #808
mozilla-services · Feb 8, 2017 · 03c513b · 03c513b
1 parent b20e1e9
commit 03c513b
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 7 deletions.
diff --git a/autopush/settings.py b/autopush/settings.py
@@ -363,14 +363,14 @@ def parse_endpoint(self, token, version="v1", ckey_header=None,
             if len(token) != 64:
                 raise InvalidTokenException("Corrupted push token")
             if not public_key:
-                raise InvalidTokenException("Invalid key data")
+                raise VapidAuthException("Invalid key data")
             try:
                 decoded_key = base64url_decode(public_key)
             except TypeError:
-                raise InvalidTokenException("Invalid key data")
+                raise VapidAuthException("Invalid key data")
             if not constant_time.bytes_eq(sha256(decoded_key).digest(),
                                           token[32:]):
-                raise InvalidTokenException("Key mismatch")
+                raise VapidAuthException("Key mismatch")
         return dict(uaid=token[:16].encode('hex'),
                     chid=token[16:32].encode('hex'),
                     version=version,

diff --git a/autopush/tests/test_integration.py b/autopush/tests/test_integration.py
@@ -1560,7 +1560,7 @@ def test_with_key(self):
 
         yield client.send_notification(
             vapid=vapid,
-            status=404)
+            status=401)
 
         yield self.shut_down(client)
 

diff --git a/autopush/tests/test_web_webpush.py b/autopush/tests/test_web_webpush.py
@@ -151,7 +151,7 @@ def handle_finish(result):
 
     def test_request_bad_v2_id_missing_pubkey(self):
         def handle_finish(result):
-            self.wp.set_status.assert_called_with(404, reason=None)
+            self.wp.set_status.assert_called_with(401, reason=None)
 
         self.finish_deferred.addCallback(handle_finish)
         self.fernet_mock.decrypt.return_value = 'a' * 64
@@ -199,7 +199,7 @@ def handle_finish(result):
 
     def test_request_bad_v2_id_bad_pubkey(self):
         def handle_finish(result):
-            self.wp.set_status.assert_called_with(404, reason=None)
+            self.wp.set_status.assert_called_with(401, reason=None)
 
         self.finish_deferred.addCallback(handle_finish)
         self.fernet_mock.decrypt.return_value = 'a' * 64

diff --git a/autopush/web/simplepush.py b/autopush/web/simplepush.py
@@ -2,13 +2,15 @@
 import urlparse
 
 from boto.dynamodb2.exceptions import ItemNotFound
+from cryptography.fernet import InvalidToken
 from marshmallow import (
     Schema,
     fields,
     pre_load,
     validates,
     validates_schema,
 )
+
 from twisted.internet.defer import Deferred
 
 from autopush.exceptions import (
@@ -35,7 +37,7 @@ def extract_subscription(self, d):
                 token=d["token"],
                 version=d["api_ver"],
             )
-        except InvalidTokenException:
+        except (InvalidTokenException, InvalidToken):
             raise InvalidRequest("invalid token", errno=102)
         return result