Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: use better host validation for sub #92

Merged
merged 1 commit into from
Mar 29, 2021
Merged

bug: use better host validation for sub #92

merged 1 commit into from
Mar 29, 2021

Conversation

jrconlin
Copy link
Member

While far from perfect, this is a little better about checking the sorts
of values passed in the sub claim. It checks for ipv6 like as well as
localhost in mailto and https forms. (Yeah, you'll still need to supply
https since that's part of the RFC. Plus, letsEncrypt is a thing, so
there's that.)

I've also introduced a new option --no-strict which turns off
sub checks. It has to be present, but what the value is can be up to
you. I'll note that this kinda ruins what VAPID is supposed to be about.
The sub is there so that if there's a problem with your subscription,
Ops can reach out to you to help fix it rather than just straight up
block you.

Closes: #90

@jrconlin
bug: use better host validation for sub
01349c7 
While far from perfect, this is a little better about checking the sorts
of values passed in the `sub` claim. It checks for ipv6 like as well as
localhost in mailto and https forms. (Yeah, you'll still need to supply
`https` since that's part of the RFC. Plus, letsEncrypt is a thing, so
there's that.)

I've also introduced a new option `--no-strict` which turns off
`sub` checks. It has to be present, but what the value is can be up to
you. I'll note that this kinda ruins what VAPID is supposed to be about.
The `sub` is there so that if there's a problem with your subscription,
Ops can reach out to you to help fix it rather than just straight up
block you.

Closes: #90
@jrconlin jrconlin requested a review from pjenvey March 20, 2021 22:48
pjenvey
pjenvey approved these changes Mar 29, 2021
View reviewed changes
python/py_vapid/tests/test_vapid.py
@@ -247,3 +252,29 @@ def test_invalid_sig(self, mm):
decode,
'foo.bar.a',
'aaaa')

def test_sub(self):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rarely do I use py.test's parameterized tests (it's a bit of magic) but I may have actually considered it here

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe? I dunno. For something like this, I think it's clearer for future me to be less clever and just specify what goes into which gauntlet as a delineated list like this, rather than as a CSV.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea that's part of why I don't use it, it's a bit too clever. I think the main benefit is debugging and test output is a bit improved over a loop

@jrconlin jrconlin merged commit 871d67d into main Mar 29, 2021
@pjenvey pjenvey deleted the bug/91-sub branch March 30, 2021 22:41
@wshuman3 wshuman3 mentioned this pull request Apr 13, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pjenvey pjenvey pjenvey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jrconlin @pjenvey