darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-17 10:42:25 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add MMG_INBOUND_SMS_AUTH config variable and auth check

Browse Source 
Checks authentication header value on inbound SMS requests from
MMG  against a list of allowed API keys set in the application
config.

At the moment, we're only logging the attempts without aborting the
requests. Once this is rolled out to production and we've checked
the logs we'll switch on the aborts and add the tests for 401 and 403
responses.

This work has already been done for Firetext in a previous PR:
https://github.com/alphagov/notifications-api/pull/1409
This commit is contained in:
Katie Smith
2017-12-14 13:35:13 +00:00
parent a9a8ef8ff1
commit a8d3b0952f
5 changed files with 67 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
app/notifications/receive_notifications.py
View File

@@ -30,6 +30,15 @@ def receive_mmg_sms():
"""
post_data = request.get_json()
auth = request.authorization
if not auth:
current_app.logger.warning("Inbound sms (MMG) no auth header")
# abort(401)
elif auth.username != 'mmg_co_2017' or auth.password not in current_app.config['MMG_INBOUND_SMS_AUTH']:
current_app.logger.warning("Inbound sms (MMG) incorrect username ({}) or password".format(auth.username))
# abort(403)
inbound_number = strip_leading_forty_four(post_data['Number'])
service = fetch_potential_service(inbound_number, 'mmg')
@@ -49,20 +58,23 @@ def receive_mmg_sms():
tasks.send_inbound_sms_to_service.apply_async([str(inbound.id), str(service.id)], queue=QueueNames.NOTIFY)
return 'RECEIVED', 200
current_app.logger.info(
'{} received inbound SMS with reference {} from MMG'.format(service.id, inbound.provider_reference))
return jsonify({
"status": "ok"
}), 200
@receive_notifications_blueprint.route('/notifications/sms/receive/firetext', methods=['POST'])
def receive_firetext_sms():
post_data = request.form
# This is pre-implementation test code to validate the provider is basic auth headers.
auth = request.authorization
if not auth:
current_app.logger.warning("Inbound sms no auth header")
current_app.logger.warning("Inbound sms (Firetext) no auth header")
abort(401)
elif auth.username != 'notify' or auth.password not in current_app.config['FIRETEXT_INBOUND_SMS_AUTH']:
current_app.logger.warning("Inbound sms incorrect username ({}) or password".format(auth.username))
current_app.logger.warning("Inbound sms (Firetext) incorrect username ({}) or password".format(auth.username))
abort(403)
inbound_number = strip_leading_forty_four(post_data['destination'])