diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8093430..7a31ebd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ v1.7
 - Fix FLEXIAPI-206 Upgrade to Laravel 10, PHP 8.1 minimum and bump all the related dependencies, drop Debian 11 Bullseye
 - Fix FLEXIAPI-220 Migrate SIP Domains to Spaces
 - Fix GH-15 Add password import from CSV
+- Fix FLEXIAPI-242 Add stricter validation for the AccountCreationToken Push Notification endpoint
 v1.6
 ----
diff --git a/flexiapi/app/AccountCreationToken.php b/flexiapi/app/AccountCreationToken.php
index cafaa94..ea54f27 100644
--- a/flexiapi/app/AccountCreationToken.php
+++ b/flexiapi/app/AccountCreationToken.php
@@ -19,6 +19,7 @@ namespace App;
+use Illuminate\Validation\Rule;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 class AccountCreationToken extends Consommable
diff --git a/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php b/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
index 57db8cf..0e6e00a 100644
--- a/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
+++ b/flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php
@@ -26,6 +26,9 @@ use Carbon\Carbon;
 use App\AccountCreationToken;
 use App\AccountCreationRequestToken;
+use App\Rules\PnParam;
+use App\Rules\PnPrid;
+use App\Rules\PnProvider;
 use App\Http\Controllers\Controller;
 use App\Http\Controllers\Account\AuthenticateController as WebAuthenticateController;
 use App\Libraries\FlexisipPusherConnector;
@@ -36,9 +39,9 @@ class CreationTokenController extends Controller
 public function sendByPush(Request $request)
 {
 $request->validate([
- 'pn_provider' => 'required',
- 'pn_param' => 'required',
- 'pn_prid' => 'required',
+ 'pn_provider' => ['required', new PnProvider],
+ 'pn_param' => [new PnParam],
+ 'pn_prid' => [new PnPrid],
 ]);
 $last = AccountCreationToken::where('pn_provider', $request->get('pn_provider'))
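Review bot: The only change to AccountCreationToken.php is the new `use Illuminate\Validation\Rule;` import, and nothing in this hunk references `Rule`; if the rest of the class (outside the diff) does not use it either, the line is a leftover and should be dropped so linters and IDE inspections stay clean. Note also that `Illuminate\Validation\Rule` is the rule-builder helper (`Rule::in(...)` and friends), not the `Illuminate\Contracts\Validation\Rule` contract a custom rule object typically implements, so it is unlikely to be the import that was wanted here.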
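Review bot: Dropping `required` from `pn_param` and `pn_prid` in sendByPush's `validate([...])` is a behavioural change that the changelog entry ("stricter validation") does not announce: a request that omits those two keys entirely now passes where it was rejected before. It also matters how Laravel runs rule objects: a custom rule that is not an implicit rule is skipped when the attribute is absent or an empty string and only sees `null` when the client sends an explicit JSON null, so the rule's "null or ..." check covers less than the documentation's "can be null" suggests, and an array or object sent under `pn_param`/`pn_prid` is handed to the rule as-is. If optional is the intent, make the accepted shape explicit with `'pn_param' => ['nullable', 'string', new PnParam],` and `'pn_prid' => ['nullable', 'string', new PnPrid],`, which rejects non-string input with a validation error before the custom rule or the `AccountCreationToken::where(...)` query on the next line sees it. The rest of sendByPush lies outside the hunk.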
diff --git a/flexiapi/app/Rules/PnParam.php b/flexiapi/app/Rules/PnParam.php
new file mode 100644
index 0000000..10a3539
--- /dev/null
+++ b/flexiapi/app/Rules/PnParam.php
@@ -0,0 +1,19 @@
+validate($value);
+ }
+
+ public function message()
+ {
+ return 'The :attribute should be null or contain only alphanumeric and underscore characters';
+ }
+}
diff --git a/flexiapi/app/Rules/PnPrid.php b/flexiapi/app/Rules/PnPrid.php
new file mode 100644
index 0000000..b7fd8ba
--- /dev/null
+++ b/flexiapi/app/Rules/PnPrid.php
@@ -0,0 +1,19 @@
+validate($value);
+ }
+
+ public function message()
+ {
+ return 'The :attribute should be null or contain only alphanumeric, dashes and colon characters';
+ }
+}
diff --git a/flexiapi/app/Rules/PnProvider.php b/flexiapi/app/Rules/PnProvider.php
new file mode 100644
index 0000000..e88d05d
--- /dev/null
+++ b/flexiapi/app/Rules/PnProvider.php
@@ -0,0 +1,21 @@
+values);
+ }
+
+ public function message()
+ {
+ return 'The :attribute should be in ' . implode(', ', $this->values);
+ }
+}
diff --git a/flexiapi/resources/views/api/documentation_markdown.blade.php b/flexiapi/resources/views/api/documentation_markdown.blade.php
index da3e8e1..74f78f3 100644
--- a/flexiapi/resources/views/api/documentation_markdown.blade.php
+++ b/flexiapi/resources/views/api/documentation_markdown.blade.php
@@ -209,9 +209,9 @@ Return `503` if the token was not successfully sent.
 JSON parameters:
-* `pn_provider` the push notification provider
-* `pn_param` the push notification parameter
-* `pn_prid` the push notification unique id
+* `pn_provider` **required**, the push notification provider, must be in apns.dev, apns or fcm
+* `pn_param` the push notification parameter, can be null or contain only alphanumeric and underscore characters
+* `pn_prid` the push notification unique id, can be null or contain only alphanumeric, dashes and colon characters
 ### `POST /account_creation_tokens/using-account-creation-request-token`
 Public
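Review bot: The three new rule classes (PnParam, PnPrid and PnProvider) expose the `passes()`/`message()` pair, which is the `Illuminate\Contracts\Validation\Rule` shape that Laravel 10 (the version this changelog targets) marks deprecated in favour of `ValidationRule::validate(string $attribute, mixed $value, Closure $fail): void`; the class headers and most of each `passes()` body are lost in this rendering, so the `implements` clause is not visible, but the methods that are visible also lack return types (`public function message(): string`). For PnProvider, if the truncated `passes()` tail `values);` is an `in_array($value, $this->values)` call, pass `strict: true`: with loose comparison a JSON `true` under `pn_provider` satisfies `required` and compares equal to any non-empty provider string, so it would reach the controller's query as an accepted value. The same strictness point applies to however PnParam and PnPrid hand `$value` to their `->validate($value)` call, since the rule receives whatever scalar or array the request carried.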
diff --git a/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php b/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
index 4a7a807..9bdbd67 100644
--- a/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
+++ b/flexiapi/tests/Feature/ApiAccountCreationTokenTest.php
@@ -37,7 +37,7 @@ class ApiAccountCreationTokenTest extends TestCase
 protected $adminRoute = '/api/account_creation_tokens';
 protected $method = 'POST';
- protected $pnProvider = 'provider';
+ protected $pnProvider = 'fcm';
 protected $pnParam = 'param';
 protected $pnPrid = 'id';
@@ -64,6 +64,27 @@ class ApiAccountCreationTokenTest extends TestCase
 }
 public function testCorrectParameters()
 {
+ $this->assertSame(AccountCreationToken::count(), 0);
+ $this->json($this->method, $this->tokenRoute, [
+ 'pn_provider' => 'wrong',
+ 'pn_param' => $this->pnParam,
+ 'pn_prid' => $this->pnPrid,
+ ])->assertJsonValidationErrors(['pn_provider']);
+
+ $this->assertSame(AccountCreationToken::count(), 0);
+ $this->json($this->method, $this->tokenRoute, [
+ 'pn_provider' => $this->pnProvider,
+ 'pn_param' => '@wrong',
+ 'pn_prid' => $this->pnPrid,
+ ])->assertJsonValidationErrors(['pn_param']);
+
+ $this->assertSame(AccountCreationToken::count(), 0);
+ $this->json($this->method, $this->tokenRoute, [
+ 'pn_provider' => $this->pnProvider,
+ 'pn_param' => $this->pnParam,
+ 'pn_prid' => '@wrong',
+ ])->assertJsonValidationErrors(['pn_prid']);
+
 $this->assertSame(AccountCreationToken::count(), 0);
 $this->json($this->method, $this->tokenRoute, [
 'pn_provider' => $this->pnProvider,
@@ -176,8 +197,7 @@ class ApiAccountCreationTokenTest extends TestCase
 'algorithm' => 'SHA-256',
 'password' => '123',
 'account_creation_token' => $token->token
- ])->assertStatus(422)
- ->assertJsonValidationErrors(['account_creation_token']);
+ ])->assertJsonValidationErrors(['account_creation_token']);
 }
 public function testBlacklistedUsername()
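Review bot: The three added `$this->assertSame(AccountCreationToken::count(), 0);` lines in testCorrectParameters put the actual value in PHPUnit's expected slot (`assertSame($expected, $actual)`), so a failure would report the live count as "expected" and 0 as "actual"; write them as `$this->assertSame(0, AccountCreationToken::count());`, and the pre-existing context line below them could be fixed in the same pass. The new negative cases cover a wrong provider and an `@` in `pn_param`/`pn_prid`, but nothing exercises the null or omitted `pn_param`/`pn_prid` that the updated documentation now advertises as accepted, nor a request missing `pn_provider`; a case sending `'pn_param' => null` (and one omitting the key) that asserts the absence of a `pn_param` validation error would pin that contract before the rules change again. testCorrectParameters continues outside the hunk.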