Page MenuHomePhabricator

[identity] Verify UpdateDeviceList RPC is called by primary device
ClosedPublic

Authored by bartek on Aug 11 2024, 3:13 AM.
Tags
None
Referenced Files
F3396591: D13042.id43444.diff
Sun, Dec 1, 1:33 PM
F3396582: D13042.id43294.diff
Sun, Dec 1, 1:28 PM
F3396305: D13042.diff
Sun, Dec 1, 11:40 AM
Unknown Object (File)
Tue, Nov 26, 9:19 PM
Unknown Object (File)
Wed, Nov 20, 2:06 PM
Unknown Object (File)
Wed, Nov 20, 2:06 PM
Unknown Object (File)
Oct 22 2024, 1:16 PM
Unknown Object (File)
Oct 22 2024, 9:14 AM
Subscribers

Details

Summary

Addresses ENG-8549.
The only place with missing check was UpdateDeviceList.

Test Plan
  • Had user with two mobile devices (primary and secondary)
  • Called the RPC with different auth metadata - switched device_id metadata between primary and secondary
  • The RPC accepted request from primary device and rejected from the secondary.

Note that the RPC can also reject requests because of invalid signature so it's good to test it without signatures.

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage