Merge pull request #998 from mozilla-services/bug/997

bug: allow only known protocols for /register calls
mozilla-services · Sep 5, 2017 · 8a22425 · 8a22425
2 parents dc33966 + f9b19d3
commit 8a22425
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 4 deletions.
diff --git a/autopush/tests/test_integration.py b/autopush/tests/test_integration.py
@@ -1829,6 +1829,22 @@ def test_registration(self):
         eq_(ca_data['enc'], salt)
         eq_(ca_data['body'], base64url_encode(data))
 
+    @inlineCallbacks
+    def test_invalid_registration(self):
+        self._add_router()
+
+        url = "{}/v1/{}/{}/registration".format(
+            self.ep.conf.endpoint_url,
+            "invalid",
+            self.senderID,
+        )
+        response, body = yield _agent('POST', url, body=json.dumps(
+            {"chid": str(uuid.uuid4()),
+             "token": uuid.uuid4().hex,
+             }
+        ))
+        eq_(response.code, 400)
+
     @inlineCallbacks
     def test_registration_aes128gcm(self):
         self._add_router()

diff --git a/autopush/web/registration.py b/autopush/web/registration.py
@@ -174,9 +174,16 @@ def validate_auth(self, data):
 
 
 def conditional_token_check(object_dict, parent_dict):
-    if parent_dict['path_kwargs']['type'] in ['gcm', 'fcm']:
+    ptype = parent_dict['path_kwargs']['type']
+    # Basic "bozo-filter" to prevent customer surprises later.
+    if ptype not in ['apns', 'fcm', 'gcm', 'webpush', 'simplepush', 'test']:
+        raise InvalidRequest("Unknown registration type",
+                             status_code=400,
+                             errno=108,
+                             )
+    if ptype in ['gcm', 'fcm']:
         return GCMTokenSchema()
-    if parent_dict['path_kwargs']['type'] == 'apns':
+    if ptype == 'apns':
         return APNSTokenSchema()
     return TokenSchema()
 

diff --git a/docs/http.rst b/docs/http.rst
@@ -22,7 +22,11 @@ a message that has not yet been delivered to be deleted. See :ref:`cancel`.
 `/v1/.../.../registration/...`
 
 This is tied to the :ref:`reg_calls` Handlers. This endpoint is used by
-apps that wish to use :term:`bridging` protocols to register new channels.
+devices that wish to use :term:`bridging` protocols to register new channels.
+
+*NOTE*: This is not intended to be used by app developers. Please see the
+`Web Push API on MDN <https://developer.mozilla.org/en-US/docs/Web/API/Push_API>`_
+for how to use WebPush.
 See :ref:`bridge_api`.
 
 ---
@@ -312,10 +316,14 @@ Calls
 Registration
 ~~~~~~~~~~~~
 
-Request a new UAID registration, Channel ID, and optionally set a bridge
+Request a new UAID registration, Channel ID, and set a bridge
 type and 3rd party bridge instance ID token for this connection. (See
 :class:`~autopush.web.registration.NewRegistrationHandler`)
 
+*NOTE*: This call is designed for devices to register endpoints to be
+used by bridge protocols. Please see `Web Push API <https://developer.mozilla.org/en-US/docs/Web/API/Push_API>`_
+for how to use Web Push in your application.
+
 **Call:**