From 6a11078ae18f800653c62cc9d7a9d3d06db552a4 Mon Sep 17 00:00:00 2001 From: JR Conlin Date: Wed, 7 Oct 2020 14:25:50 -0700 Subject: [PATCH] bug: compare VAPID aud to endpoint_url (#1435) bug: compare VAPID aud to endpoint_url Closes #1434 --- autopush/tests/test_integration.py | 22 +++++++++++----------- autopush/web/webpush.py | 8 +++----- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/autopush/tests/test_integration.py b/autopush/tests/test_integration.py index 8445dbc9..808958f8 100644 --- a/autopush/tests/test_integration.py +++ b/autopush/tests/test_integration.py @@ -65,9 +65,9 @@ def setup_module(): raise SkipTest("Skipping integration tests") -def _get_vapid(key=None, payload=None): +def _get_vapid(key=None, payload=None, endpoint="http://localhost"): if not payload: - payload = {"aud": "http://localhost", + payload = {"aud": endpoint, "exp": int(time.time()) + 86400, "sub": "mailto:admin@example.com"} if not key: @@ -754,7 +754,7 @@ def test_topic_no_delivery_on_reconnect(self): def test_basic_delivery_with_vapid(self): data = str(uuid.uuid4()) client = yield self.quick_register() - vapid_info = _get_vapid() + vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url) result = yield client.send_notification(data=data, vapid=vapid_info) clean_header = client._crypto_key.replace( '"', '').rstrip('=') @@ -768,7 +768,7 @@ def test_basic_delivery_with_vapid(self): def test_basic_delivery_with_invalid_vapid(self): data = str(uuid.uuid4()) client = yield self.quick_register() - vapid_info = _get_vapid() + vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url) vapid_info['crypto-key'] = "invalid" yield client.send_notification( data=data, 
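Review bot: `_get_vapid` keeps `endpoint="http://localhost"` as its default even though the server side of this patch now compares `aud` against `conf.endpoint_url`, so the default is exactly the audience that will be rejected whenever the two differ, and every call site changed here has to override it. Any caller outside this diff that still relies on the default would get a 401 from the audience check instead of exercising what it meant to test. A `None` default that the caller must resolve, or at least a comment such as `# endpoint must equal conf.endpoint_url or validate_auth rejects the aud`, would make that coupling visible. Note also that a supplied `payload` is used unchanged, so `endpoint` has no effect in that case — worth stating in a short docstring on the helper.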
@@ -781,7 +781,7 @@ def test_basic_delivery_with_invalid_vapid_exp(self): data = str(uuid.uuid4()) client = yield self.quick_register() vapid_info = _get_vapid( - payload={"aud": "http://localhost", + payload={"aud": self.ep.conf.endpoint_url, "exp": '@', "sub": "mailto:admin@example.com"}) yield client.send_notification( @@ -790,7 +790,7 @@ def test_basic_delivery_with_invalid_vapid_exp(self): status=401) vapid_info = _get_vapid( - payload={"aud": "http://localhost", + payload={"aud": self.ep.conf.endpoint_url, "exp": ['@'], "sub": "mailto:admin@example.com"}) yield client.send_notification( @@ -814,7 +814,7 @@ def test_basic_delivery_with_invalid_vapid_aud(self): # try a different scheme vapid_info = _get_vapid( - payload={"aud": "https://localhost", + payload={"aud": self.ep.conf.endpoint_url, "sub": "mailto:admin@example.com"}) yield client.send_notification( data=data, @@ -826,7 +826,7 @@ def test_basic_delivery_with_invalid_vapid_aud(self): def test_basic_delivery_with_invalid_vapid_auth(self): data = str(uuid.uuid4()) client = yield self.quick_register() - vapid_info = _get_vapid() + vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url) vapid_info['auth'] = "" yield client.send_notification( data=data, @@ -839,7 +839,7 @@ def test_basic_delivery_with_invalid_signature(self): data = str(uuid.uuid4()) client = yield self.quick_register() vapid_info = _get_vapid( - payload={"aud": "https://pusher_origin.example.com", + payload={"aud": self.ep.conf.endpoint_url, "sub": "mailto:admin@example.com"}) vapid_info['auth'] = vapid_info['auth'][:-3] + "bad" yield client.send_notification( @@ -852,7 +852,7 @@ def test_basic_delivery_with_invalid_signature(self): def test_basic_delivery_with_invalid_vapid_ckey(self): data = str(uuid.uuid4()) client = yield self.quick_register() - vapid_info = _get_vapid() + vapid_info = _get_vapid(endpoint=self.ep.conf.endpoint_url) vapid_info['crypto-key'] = "invalid|" yield client.send_notification( data=data, 
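Review bot: In `test_basic_delivery_with_invalid_vapid_aud` the new line `payload={"aud": self.ep.conf.endpoint_url,` sits directly under the comment `# try a different scheme`, yet it now sends precisely the audience the server accepts, so this part of the test no longer exercises a scheme mismatch and the comment contradicts the code. Unless the status assertion that follows (outside the hunk) was also changed to expect success, the case proving that a wrong scheme is rejected has silently been dropped. Deriving a deliberately wrong audience from the configured URL keeps the original intent, e.g. `bad_aud = self.ep.conf.endpoint_url.replace("http://", "https://", 1)` followed by `payload={"aud": bad_aud,` (assuming the test endpoint is plain http). The test function begins before this hunk and its assertion lies after it.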
@@ -1545,7 +1545,7 @@ def test_webpush_monthly_rotation_no_channels(self): @inlineCallbacks def test_with_key(self): private_key = ecdsa.SigningKey.generate(curve=ecdsa.NIST256p) - claims = {"aud": "http://localhost", + claims = {"aud": self.ep.conf.endpoint_url, "exp": int(time.time()) + 86400, "sub": "a@example.com"} vapid = _get_vapid(private_key, claims) diff --git a/autopush/web/webpush.py b/autopush/web/webpush.py index 52e14c42..dddfd0b1 100644 --- a/autopush/web/webpush.py +++ b/autopush/web/webpush.py @@ -72,8 +72,8 @@ def extract_subscription(self, d): ckey_header=d["ckey_header"], auth_header=d["auth_header"], ) - except (VapidAuthException): - raise InvalidRequest("missing authorization header", + except (VapidAuthException) as ex: + raise InvalidRequest("missing authorization header: {}".format(ex), status_code=401, errno=109) except (InvalidTokenException, InvalidToken): raise InvalidRequest("invalid token", status_code=404, errno=102) @@ -429,9 +429,7 @@ def validate_auth(self, d): raise InvalidRequest("Invalid bearer token: No Audience specified", status_code=401, errno=109, headers={"www-authenticate": PREF_SCHEME}) - if jwt['aud'] != "{}://{}".format( - self.context["conf"].endpoint_scheme or "http", - self.context["conf"].hostname): + if jwt['aud'] != self.context["conf"].endpoint_url: raise InvalidRequest( "Invalid bearer token: Invalid Audience Specified", status_code=401, errno=109,
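Review bot: The new 401 body in `extract_subscription` echoes `str(ex)` from `VapidAuthException` straight to the client, so whatever py_vapid puts into that message becomes part of this API's response surface and is no longer controlled by this code. If the goal is diagnosability, keeping the client-facing text fixed and logging the exception server-side gives the same information without tying the error contract to a third-party library's message strings; the `"missing authorization header"` literal could stay as it was. As a style point, the parentheses in `except (VapidAuthException) as ex:` are redundant for a single exception type: `except VapidAuthException as ex:`. The method body starts before this hunk.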
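Review bot: The audience check `if jwt['aud'] != self.context["conf"].endpoint_url:` is an exact string comparison against a configured URL, whereas RFC 8292 defines `aud` as the origin of the push resource (scheme, host and port) and origins compare with a case-insensitive scheme and host. If `endpoint_url` ever carries a trailing slash, a path, or a host spelled in a different case from what the sender derived from the subscription URL, every correctly signed request is rejected with 401; a non-string `aud` (the JWT spec permits an array) also lands in this branch, which at least fails closed. Comparing the parsed origins would match the spec: `aud = urlparse(jwt['aud'])`, `want = urlparse(self.context["conf"].endpoint_url)`, `if (aud.scheme.lower(), aud.netloc.lower()) != (want.scheme.lower(), want.netloc.lower()):` — with `urlparse` imported from `urllib.parse` (or the compatibility shim this codebase uses) and a type check on `jwt['aud']` before parsing. `validate_auth` begins before this hunk and continues after it.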