Page MenuHomePhabricator

[identity] Verify UpdateDeviceList RPC is called by primary device
ClosedPublic

Authored by bartek on Aug 11 2024, 3:13 AM.
Tags
None
Referenced Files
F3396305: D13042.diff
Sun, Dec 1, 11:40 AM
Unknown Object (File)
Tue, Nov 26, 9:19 PM
Unknown Object (File)
Wed, Nov 20, 2:06 PM
Unknown Object (File)
Wed, Nov 20, 2:06 PM
Unknown Object (File)
Oct 22 2024, 1:16 PM
Unknown Object (File)
Oct 22 2024, 9:14 AM
Unknown Object (File)
Oct 22 2024, 8:32 AM
Unknown Object (File)
Oct 22 2024, 8:32 AM
Subscribers

Details

Summary

Addresses ENG-8549.
The only place with missing check was UpdateDeviceList.

Test Plan
  • Had user with two mobile devices (primary and secondary)
  • Called the RPC with different auth metadata - switched device_id metadata between primary and secondary
  • The RPC accepted request from primary device and rejected from the secondary.

Note that the RPC can also reject requests because of invalid signature so it's good to test it without signatures.

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable