Fix FLEXIAPI-242 Add stricter validation for the AccountCreationToken Push Notification endpoint

CHANGELOG.md

@@ -14,6 +14,7 @@ v1.6
 - Fix FLEXIAPI-238 Replace Material Icons with Phosphor
 - Fix FLEXIAPI-240 Update the Docker images
 - Fix GH-15 Add password import from CSV
+- Fix FLEXIAPI-242 Add stricter validation for the AccountCreationToken Push Notification endpoint
 
 v1.5
 ---

flexiapi/app/AccountCreationToken.php

@@ -19,6 +19,7 @@
 
 namespace App;
 
+use Illuminate\Validation\Rule;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 
 class AccountCreationToken extends Consommable

flexiapi/app/Http/Controllers/Api/Account/CreationTokenController.php

@@ -26,6 +26,9 @@ use Carbon\Carbon;
 
 use App\AccountCreationToken;
 use App\AccountCreationRequestToken;
+use App\Rules\PnParam;
+use App\Rules\PnPrid;
+use App\Rules\PnProvider;
 use App\Http\Controllers\Controller;
 use App\Http\Controllers\Account\AuthenticateController as WebAuthenticateController;
 use App\Libraries\FlexisipPusherConnector;
@@ -36,9 +39,9 @@ class CreationTokenController extends Controller
     public function sendByPush(Request $request)
     {
         $request->validate([
-            'pn_provider' => 'required',
-            'pn_param' => 'required',
-            'pn_prid' => 'required',
+            'pn_provider' => ['required', new PnProvider],
+            'pn_param' => [new PnParam],
+            'pn_prid' => [new PnPrid],
         ]);
 
         $last = AccountCreationToken::where('pn_provider', $request->get('pn_provider'))

flexiapi/app/Rules/PnParam.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Rules;
+
+use Illuminate\Contracts\Validation\Rule;
+use Respect\Validation\Validator;
+
+class PnParam implements Rule
+{
+    public function passes($attribute, $value)
+    {
+        return $value == null || Validator::regex('/^\w+$/')->validate($value);
+    }
+
+    public function message()
+    {
+        return 'The :attribute should be null or contain only alphanumeric and underscore characters';
+    }
+}

flexiapi/app/Rules/PnPrid.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Rules;
+
+use Illuminate\Contracts\Validation\Rule;
+use Respect\Validation\Validator;
+
+class PnPrid implements Rule
+{
+    public function passes($attribute, $value)
+    {
+        return $value == null || Validator::regex('/^[\w\-\:]+$/')->validate($value);
+    }
+
+    public function message()
+    {
+        return 'The :attribute should be null or contain only alphanumeric, dashes and colon characters';
+    }
+}

flexiapi/app/Rules/PnProvider.php

@@ -0,0 +1,21 @@
+<?php
+
+namespace App\Rules;
+
+use Illuminate\Contracts\Validation\Rule;
+use Respect\Validation\Validator;
+
+class PnProvider implements Rule
+{
+    private $values = ['apns.dev', 'apns', 'fcm'];
+
+    public function passes($attribute, $value)
+    {
+        return in_array($value, $this->values);
+    }
+
+    public function message()
+    {
+        return 'The :attribute should be in ' . implode(', ', $this->values);
+    }
+}

flexiapi/resources/views/api/documentation_markdown.blade.php

@@ -201,9 +201,9 @@ Return `503` if the token was not successfully sent.
 
 JSON parameters:
 
-* `pn_provider` the push notification provider
-* `pn_param` the push notification parameter
-* `pn_prid` the push notification unique id
+* `pn_provider` **required**, the push notification provider, must be in apns.dev, apns or fcm
+* `pn_param` the push notification parameter, can be null or contain only alphanumeric and underscore characters
+* `pn_prid` the push notification unique id, can be null or contain only alphanumeric, dashes and colon characters
 
 ### `POST /account_creation_tokens/using-account-creation-request-token`
 <span class="badge badge-success">Public</span>

flexiapi/tests/Feature/ApiAccountCreationTokenTest.php

@@ -36,7 +36,7 @@ class ApiAccountCreationTokenTest extends TestCase
     protected $adminRoute = '/api/account_creation_tokens';
     protected $method = 'POST';
 
-    protected $pnProvider = 'provider';
+    protected $pnProvider = 'fcm';
     protected $pnParam = 'param';
     protected $pnPrid = 'id';
 
@@ -63,6 +63,27 @@ class ApiAccountCreationTokenTest extends TestCase
     }
     public function testCorrectParameters()
     {
+        $this->assertSame(AccountCreationToken::count(), 0);
+        $this->json($this->method, $this->tokenRoute, [
+            'pn_provider' => 'wrong',
+            'pn_param' => $this->pnParam,
+            'pn_prid' => $this->pnPrid,
+        ])->assertJsonValidationErrors(['pn_provider']);
+
+        $this->assertSame(AccountCreationToken::count(), 0);
+        $this->json($this->method, $this->tokenRoute, [
+            'pn_provider' => $this->pnProvider,
+            'pn_param' => '@wrong',
+            'pn_prid' => $this->pnPrid,
+        ])->assertJsonValidationErrors(['pn_param']);
+
+        $this->assertSame(AccountCreationToken::count(), 0);
+        $this->json($this->method, $this->tokenRoute, [
+            'pn_provider' => $this->pnProvider,
+            'pn_param' => $this->pnParam,
+            'pn_prid' => '@wrong',
+        ])->assertJsonValidationErrors(['pn_prid']);
+
         $this->assertSame(AccountCreationToken::count(), 0);
         $this->json($this->method, $this->tokenRoute, [
             'pn_provider' => $this->pnProvider,
@@ -173,8 +194,7 @@ class ApiAccountCreationTokenTest extends TestCase
             'algorithm' => 'SHA-256',
             'password' => '123',
             'account_creation_token' => $token->token
-        ])->assertStatus(422)
-        ->assertJsonValidationErrors(['account_creation_token']);
+        ])->assertJsonValidationErrors(['account_creation_token']);
     }
 
     public function testBlacklistedUsername()