authorpennae <github@quasiparticle.net>2022-08-10 01:54:20 +0200
committerpennae <github@quasiparticle.net>2022-08-10 01:58:29 +0200
commitaeb116bace23f66a86caf6d5868ea82dfb901e36 (patch)
treed634ec843f6d5513f487b82331fff23e23f3f20f /tests
parent6fdf7e463ee939c7f8eacf89d820e7ab405de587 (diff)
don't allow users to edit devices of other users
While device IDs should be infeasible to guess (they are as long as OAuth tokens), we should still guard against malicious use if one ever leaks.
Diffstat (limited to 'tests')
-rw-r--r--tests/conftest.py11
-rw-r--r--tests/test_auth_device.py15
2 files changed, 26 insertions, 0 deletions
diff --git a/tests/conftest.py b/tests/conftest.py
index bf877e2..487eff9 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -55,6 +55,17 @@ def _account(client, primary, email, mail_server):
email1 = f"test.account-{os.urandom(8).hex()}@test-auth"
email2 = f"test.account2-{os.urandom(8).hex()}@test-auth"
+@pytest.fixture(scope="class")
+def account_plain(request, mail_server):
+ for a in _account(AuthClient(), True, email1, mail_server):
+ yield a
+ break
+@pytest.fixture(scope="class")
+def account2_plain(request, mail_server):
+ for a in _account(AuthClient(), True, email2, mail_server):
+ yield a
+ break
+
@pytest.fixture(params=[True, False], ids=["primary", "secondary"], scope="class")
def account(request, mail_server):
for a in _account(AuthClient(), request.param, email1, mail_server):
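Review bot: The new `account_plain` and `account2_plain` fixtures declare a `request` parameter they never read; unlike the parametrized `account` fixture in the trailing context there is no `request.param` to consult, so the signature can simply be `def account_plain(mail_server):`. The two bodies are identical apart from the email constant, which suggests a small private factory taking the email rather than two copies of the `for … yield … break` loop. Note also that `account_plain` registers `email1`, the same address the primary variant of `account` uses; if a test class ever requests both fixtures, the second registration of that address may collide — a one-line comment such as `# shares email1 with account[primary]; do not combine in one class` would make the constraint explicit. The `_account` helper and the body of `account` lie outside the hunk.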
diff --git a/tests/test_auth_device.py b/tests/test_auth_device.py
index 5ec42f3..c978d87 100644
--- a/tests/test_auth_device.py
+++ b/tests/test_auth_device.py
@@ -192,6 +192,21 @@ def test_change(account_or_rt, populate_devices):
assert mdevs1[i1]['pushPublicKey'] or '' == mdevs2[i2]['pushPublicKey'] or ''
assert mdevs1[i1]['pushAuthKey'] or '' == mdevs2[i2]['pushAuthKey'] or ''
+def test_change_foreign(account_plain, account2_plain):
+ dev = account_plain.post_a("/account/device", device_data[0])
+ dev['name'] = 'foo'
+ del dev['isCurrentDevice']
+ del dev['lastAccessTime']
+ del dev['pushEndpointExpired']
+ with pytest.raises(ClientError) as e:
+ account2_plain.post_a("/account/device", dev)
+ assert e.value.details == {
+ 'code': 400,
+ 'errno': 123,
+ 'error': 'Bad Request',
+ 'message': 'unknown device'
+ }
+
def test_invoke_noauth(client):
body = {"target": "0" * 32, "command": "foo", "payload": {}, "ttl": 10}
with pytest.raises(ClientError) as e:
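Review bot: `test_change_foreign` asserts only that the second account's POST is rejected; it never re-reads the first account's device, so a handler that persists the rename before (or despite) returning errno 123 would still pass this test. After the `pytest.raises` block, fetch `account_plain`'s device list with the client's GET helper and assert the entry whose `id` equals `dev['id']` still carries `device_data[0]['name']` rather than `'foo'` — e.g. `assert [d['name'] for d in devs if d['id'] == dev['id']] == [device_data[0]['name']]` (substitute the helper `AuthClient` actually exposes). It is also worth a short comment on the expected-error dict noting that the response is meant to be indistinguishable from a request with a nonexistent device id, so the endpoint does not act as an existence oracle — assuming that is what an unknown id returns, which this hunk does not show. The trailing context is the start of `test_invoke_noauth`, which continues beyond the hunk.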