From 6cdfb7ab63cb13f541e3f0d76e08834e2f9f1087 Mon Sep 17 00:00:00 2001 From: Ravi Khadiwala Date: Wed, 14 Aug 2024 16:30:46 -0500 Subject: [PATCH] Reject authenticated one-time donation requests --- .../OneTimeDonationController.java | 20 +++++-------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/OneTimeDonationController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/OneTimeDonationController.java index 211d99b5b..d5b588624 100644 --- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/OneTimeDonationController.java +++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/OneTimeDonationController.java @@ -28,6 +28,7 @@ import javax.validation.constraints.NotEmpty; import javax.validation.constraints.NotNull; import javax.ws.rs.BadRequestException; import javax.ws.rs.Consumes; +import javax.ws.rs.ForbiddenException; import javax.ws.rs.HeaderParam; import javax.ws.rs.POST; import javax.ws.rs.Path; @@ -79,9 +80,6 @@ public class OneTimeDonationController { private static final Logger logger = LoggerFactory.getLogger(SubscriptionController.class); - private static final String AUTHENTICATED_BOOST_OPERATION_COUNTER_NAME = - MetricsUtil.name(SubscriptionController.class, "authenticatedBoostOperation"); - private static final String OPERATION_TAG_NAME = "operation"; private static final String EURO_CURRENCY_CODE = "EUR"; private final Clock clock; @@ -136,9 +134,7 @@ public class OneTimeDonationController { @HeaderParam(HttpHeaders.USER_AGENT) final String userAgent) { if (authenticatedAccount.isPresent()) { - Metrics.counter(AUTHENTICATED_BOOST_OPERATION_COUNTER_NAME, Tags.of( - UserAgentTagUtil.getPlatformTag(userAgent), - Tag.of(OPERATION_TAG_NAME, "boost/create"))).increment(); + throw new ForbiddenException("must not use authenticated connection for one-time donation operations"); } return CompletableFuture.runAsync(() -> { @@ -225,9 +221,7 @@ public class OneTimeDonationController { @Context ContainerRequestContext containerRequestContext) { if (authenticatedAccount.isPresent()) { - Metrics.counter(AUTHENTICATED_BOOST_OPERATION_COUNTER_NAME, Tags.of( - UserAgentTagUtil.getPlatformTag(userAgent), - Tag.of(OPERATION_TAG_NAME, "boost/paypal/create"))).increment(); + throw new ForbiddenException("must not use authenticated connection for one-time donation operations"); } return CompletableFuture.runAsync(() -> { @@ -273,9 +267,7 @@ public class OneTimeDonationController { @HeaderParam(HttpHeaders.USER_AGENT) final String userAgent) { if (authenticatedAccount.isPresent()) { - Metrics.counter(AUTHENTICATED_BOOST_OPERATION_COUNTER_NAME, Tags.of( - UserAgentTagUtil.getPlatformTag(userAgent), - Tag.of(OPERATION_TAG_NAME, "boost/paypal/confirm"))).increment(); + throw new ForbiddenException("must not use authenticated connection for one-time donation operations"); } return CompletableFuture.runAsync(() -> { @@ -321,9 +313,7 @@ public class OneTimeDonationController { @HeaderParam(HttpHeaders.USER_AGENT) final String userAgent) { if (authenticatedAccount.isPresent()) { - Metrics.counter(AUTHENTICATED_BOOST_OPERATION_COUNTER_NAME, Tags.of( - UserAgentTagUtil.getPlatformTag(userAgent), - Tag.of(OPERATION_TAG_NAME, "boost/receipt_credentials"))).increment(); + throw new ForbiddenException("must not use authenticated connection for one-time donation operations"); } final CompletableFuture paymentDetailsFut = switch (request.processor) {