
bug: compare VAPID aud to endpoint_url (#1435)
bug: compare VAPID aud to endpoint_url

Closes #1434
jrconlin authored Oct 7, 2020
1 parent a73c95a commit 6a11078
Showing 2 changed files with 14 additions and 16 deletions.
22 changes: 11 additions & 11 deletions autopush/tests/test_integration.py
Expand Up @@ -65,9 +65,9 @@ def setup_module():
raise SkipTest("Skipping integration tests")


def _get_vapid(key=None, payload=None):
def _get_vapid(key=None, payload=None, endpoint="http://localhost"):
if not payload:
payload = {"aud": "http://localhost",
payload = {"aud": endpoint,
"exp": int(time.time()) + 86400,
"sub": "mailto:admin@example.com"}
if not key:
Expand Down Expand Up @@ -754,7 +754,7 @@ def test_topic_no_delivery_on_reconnect(self):
def test_basic_delivery_with_vapid(self):
data = str(uuid.uuid4())
client = yield self.quick_register()
vapid_info = _get_vapid()
vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url)
result = yield client.send_notification(data=data, vapid=vapid_info)
clean_header = client._crypto_key.replace(
'"', '').rstrip('=')
Expand All @@ -768,7 +768,7 @@ def test_basic_delivery_with_vapid(self):
def test_basic_delivery_with_invalid_vapid(self):
data = str(uuid.uuid4())
client = yield self.quick_register()
vapid_info = _get_vapid()
vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url)
vapid_info['crypto-key'] = "invalid"
yield client.send_notification(
data=data,
Expand All @@ -781,7 +781,7 @@ def test_basic_delivery_with_invalid_vapid_exp(self):
data = str(uuid.uuid4())
client = yield self.quick_register()
vapid_info = _get_vapid(
payload={"aud": "http://localhost",
payload={"aud": self.ep.conf.endpoint_url,
"exp": '@',
"sub": "mailto:admin@example.com"})
yield client.send_notification(
Expand All @@ -790,7 +790,7 @@ def test_basic_delivery_with_invalid_vapid_exp(self):
status=401)

vapid_info = _get_vapid(
payload={"aud": "http://localhost",
payload={"aud": self.ep.conf.endpoint_url,
"exp": ['@'],
"sub": "mailto:admin@example.com"})
yield client.send_notification(
Expand All @@ -814,7 +814,7 @@ def test_basic_delivery_with_invalid_vapid_aud(self):

# try a different scheme
vapid_info = _get_vapid(
payload={"aud": "https://localhost",
payload={"aud": self.ep.conf.endpoint_url,
"sub": "mailto:admin@example.com"})
yield client.send_notification(
data=data,
Expand All @@ -826,7 +826,7 @@ def test_basic_delivery_with_invalid_vapid_aud(self):
def test_basic_delivery_with_invalid_vapid_auth(self):
data = str(uuid.uuid4())
client = yield self.quick_register()
vapid_info = _get_vapid()
vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url)
vapid_info['auth'] = ""
yield client.send_notification(
data=data,
Expand All @@ -839,7 +839,7 @@ def test_basic_delivery_with_invalid_signature(self):
data = str(uuid.uuid4())
client = yield self.quick_register()
vapid_info = _get_vapid(
payload={"aud": "https://pusher_origin.example.com",
payload={"aud": self.ep.conf.endpoint_url,
"sub": "mailto:admin@example.com"})
vapid_info['auth'] = vapid_info['auth'][:-3] + "bad"
yield client.send_notification(
Expand All @@ -852,7 +852,7 @@ def test_basic_delivery_with_invalid_signature(self):
def test_basic_delivery_with_invalid_vapid_ckey(self):
data = str(uuid.uuid4())
client = yield self.quick_register()
vapid_info = _get_vapid()
vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url)
vapid_info['crypto-key'] = "invalid|"
yield client.send_notification(
data=data,
Expand Down Expand Up @@ -1545,7 +1545,7 @@ def test_webpush_monthly_rotation_no_channels(self):
@inlineCallbacks
def test_with_key(self):
private_key = ecdsa.SigningKey.generate(curve=ecdsa.NIST256p)
claims = {"aud": "http://localhost",
claims = {"aud": self.ep.conf.endpoint_url,
"exp": int(time.time()) + 86400,
"sub": "a@example.com"}
vapid = _get_vapid(private_key, claims)
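Review bot: The `# try a different scheme` sub-case in test_basic_delivery_with_invalid_vapid_aud no longer exercises a scheme mismatch, because its `aud` is now exactly `self.ep.conf.endpoint_url`; the only thing left to make that token invalid is whatever else the payload lacks (it carries no `exp`), so the rejection the test presumably expects would now come from a different check than the comment and the test name describe. If a scheme-mismatch case is still wanted, derive it from the configured URL rather than reusing it, e.g. `"aud": self.ep.conf.endpoint_url.replace("http://", "https://", 1),` (swap the other way if the configured scheme is https, or rebuild it with urllib.parse), and update the comment to say which mismatch is under test. The same reuse in test_basic_delivery_with_invalid_signature is fine since that test fails on the signature, not the audience. The enclosing test method starts before this hunk, so the expected status is not visible here.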
8 changes: 3 additions & 5 deletions autopush/web/webpush.py
Expand Up @@ -72,8 +72,8 @@ def extract_subscription(self, d):
ckey_header=d["ckey_header"],
auth_header=d["auth_header"],
)
except (VapidAuthException):
raise InvalidRequest("missing authorization header",
except (VapidAuthException) as ex:
raise InvalidRequest("missing authorization header: {}".format(ex),
status_code=401, errno=109)
except (InvalidTokenException, InvalidToken):
raise InvalidRequest("invalid token", status_code=404, errno=102)
Expand Down Expand Up @@ -429,9 +429,7 @@ def validate_auth(self, d):
raise InvalidRequest("Invalid bearer token: No Audience specified",
status_code=401, errno=109,
headers={"www-authenticate": PREF_SCHEME})
if jwt['aud'] != "{}://{}".format(
self.context["conf"].endpoint_scheme or "http",
self.context["conf"].hostname):
if jwt['aud'] != self.context["conf"].endpoint_url:
raise InvalidRequest(
"Invalid bearer token: Invalid Audience Specified",
status_code=401, errno=109,
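Review bot: The new `except (VapidAuthException) as ex` branch copies the exception text into the 401 response via `"missing authorization header: {}".format(ex)`; that exception is raised while parsing the caller's own `ckey_header` and `auth_header` values, so whatever detail it carries (not visible here) is now echoed back to the client, and the literal "missing authorization header" no longer matches the message when the cause is something other than a missing header. Keep the client-facing string fixed and record `ex` server-side with whatever logger this handler uses, so operators see the reason without it leaving the service. In the second hunk, `jwt['aud'] != self.context["conf"].endpoint_url` is an exact string comparison, so if endpoint_url can be configured with a trailing slash or a path, a token whose aud is the bare origin would be rejected; if that configuration is possible, compare the parsed scheme and host of both sides instead. Both extract_subscription and validate_auth begin before their hunks.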
