author | pennae <github@quasiparticle.net> | 2022-08-10 01:54:20 +0200 |
---|---|---|
committer | pennae <github@quasiparticle.net> | 2022-08-10 01:58:29 +0200 |
commit | aeb116bace23f66a86caf6d5868ea82dfb901e36 (patch) | |
tree | d634ec843f6d5513f487b82331fff23e23f3f20f /tests/test_auth_device.py | |
parent | 6fdf7e463ee939c7f8eacf89d820e7ab405de587 (diff) | |
don't allow users to edit devices of other users
While device IDs should be impossible to guess (they are as long as OAuth
tokens), we should still guard against malicious activity should they
ever leak: a user must not be able to edit another user's devices.
Diffstat (limited to 'tests/test_auth_device.py')
-rw-r--r-- | tests/test_auth_device.py | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/tests/test_auth_device.py b/tests/test_auth_device.py
index 5ec42f3..c978d87 100644
--- a/tests/test_auth_device.py
+++ b/tests/test_auth_device.py
@@ -192,6 +192,21 @@ def test_change(account_or_rt, populate_devices):
 assert mdevs1[i1]['pushPublicKey'] or '' == mdevs2[i2]['pushPublicKey'] or ''
 assert mdevs1[i1]['pushAuthKey'] or '' == mdevs2[i2]['pushAuthKey'] or ''
 
+def test_change_foreign(account_plain, account2_plain):
+ dev = account_plain.post_a("/account/device", device_data[0])
+ dev['name'] = 'foo'
+ del dev['isCurrentDevice']
+ del dev['lastAccessTime']
+ del dev['pushEndpointExpired']
+ with pytest.raises(ClientError) as e:
+ account2_plain.post_a("/account/device", dev)
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 123,
+ 'error': 'Bad Request',
+ 'message': 'unknown device'
+ }
+
 def test_invoke_noauth(client):
 body = {"target": "0" * 32, "command": "foo", "payload": {}, "ttl": 10}
 with pytest.raises(ClientError) as e: |
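Review bot: test_change_foreign only asserts the error response and never re-reads account_plain's device afterwards, so a regression that returns the 400 but still applies (or partially applies) the rename before the ownership check fires would pass unnoticed. After the `with` block, list the owning account's devices the same way `test_change` obtains `mdevs2` and pin the name, e.g. `assert devs_after[0]['name'] == device_data[0]['name']` — the exact listing helper is not visible in this hunk, so adapt to whatever it uses. Returning the same 400/errno 123 'unknown device' as for a nonexistent id is the right choice because it does not tell the caller that the id exists but belongs to someone else; a one-line comment such as `# same error as a missing id: must not reveal that the device exists` would stop a later change from "helpfully" turning it into a 403. If the device API also exposes a destroy/delete route (not shown here), the foreign-id guard deserves a sibling test there too. The enclosing test_change function, whose tail provides the context lines, starts above the hunk.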