Add FIRETEXT_INBOUND_SMS_AUTH config variable and auth check

Checks authentication header value on inbound SMS requests from Firetext against a list of allowed API keys set in the application config. At the moment, we're only logging the attempts without aborting the requests. Once this is rolled out to production and we've checked the logs we'll switch on the aborts and add the tests for 401 and 403 responses.
2026-01-30 14:31:57 -05:00 · 2017-11-20 12:25:01 +00:00
parent 22ec134668
commit 5e53d781e0
4 changed files with 19 additions and 5 deletions
--- a/app/cloudfoundry_config.py
+++ b/app/cloudfoundry_config.py
@@ -45,6 +45,7 @@ def extract_notify_config(notify_config):
    os.environ['SECRET_KEY'] = notify_config['credentials']['secret_key']
    os.environ['DANGEROUS_SALT'] = notify_config['credentials']['dangerous_salt']
    os.environ['SMS_INBOUND_WHITELIST'] = json.dumps(notify_config['credentials']['allow_ip_inbound_sms'])
+    os.environ['FIRETEXT_INBOUND_SMS_AUTH'] = json.dumps(notify_config['credentials']['firetext_inbound_sms_auth'])
    os.environ['ROUTE_SECRET_KEY_1'] = notify_config['credentials']['route_secret_key_1']
    os.environ['ROUTE_SECRET_KEY_2'] = notify_config['credentials']['route_secret_key_2']

--- a/app/config.py
+++ b/app/config.py
@@ -295,6 +295,8 @@ class Config(object):
    FREE_SMS_TIER_FRAGMENT_COUNT = 250000

    SMS_INBOUND_WHITELIST = json.loads(os.environ.get('SMS_INBOUND_WHITELIST', '[]'))
+    FIRETEXT_INBOUND_SMS_AUTH = json.loads(os.environ.get('FIRETEXT_INBOUND_SMS_AUTH', '[]'))
+
    ROUTE_SECRET_KEY_1 = os.environ.get('ROUTE_SECRET_KEY_1', '')
    ROUTE_SECRET_KEY_2 = os.environ.get('ROUTE_SECRET_KEY_2', '')

@@ -364,6 +366,7 @@ class Test(Config):
    }

    SMS_INBOUND_WHITELIST = ['203.0.113.195']
+    FIRETEXT_INBOUND_SMS_AUTH = ['testkey']


 class Preview(Config):
--- a/app/notifications/receive_notifications.py
+++ b/app/notifications/receive_notifications.py
@@ -1,7 +1,7 @@
 from urllib.parse import unquote

 import iso8601
-from flask import jsonify, Blueprint, current_app, request
+from flask import jsonify, Blueprint, current_app, request, abort
 from notifications_utils.recipients import validate_and_format_phone_number

 from app import statsd_client, firetext_client, mmg_client
@@ -58,10 +58,12 @@ def receive_firetext_sms():

    # This is pre-implementation test code to validate the provider is basic auth headers.
    auth = request.authorization
-    if auth:
-        current_app.logger.info("Inbound sms username: {}".format(auth.username))
-    else:
-        current_app.logger.info("Inbound sms no auth header")
+    if not auth:
+        current_app.logger.warning("Inbound sms no auth header")
+        # abort(401)
+    elif auth.username != 'notify' or auth.password not in current_app.config['FIRETEXT_INBOUND_SMS_AUTH']:
+        current_app.logger.warning("Inbound sms incorrect username ({}) or password".format(auth.username))
+        # abort(403)

    inbound_number = strip_leading_forty_four(post_data['destination'])