Prevent old versions of the Android app from carrying out "change phone number" requests

2026-04-22 23:08:05 +01:00 · 2024-02-08 13:33:59 -05:00
parent c5dc01ee11
commit 4f45f23094
2 changed files with 69 additions and 4 deletions
--- a/service/src/test/java/org/whispersystems/textsecuregcm/controllers/AccountControllerV2Test.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/controllers/AccountControllerV2Test.java
@@ -56,6 +56,7 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
+import org.junit.jupiter.params.provider.CsvSource;
 import org.junit.jupiter.params.provider.EnumSource;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.mockito.ArgumentCaptor;
@@ -88,7 +89,6 @@ import org.whispersystems.textsecuregcm.storage.Device;
 import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
 import org.whispersystems.textsecuregcm.tests.util.AccountsHelper;
 import org.whispersystems.textsecuregcm.tests.util.AuthHelper;
-import org.whispersystems.textsecuregcm.tests.util.KeysHelper;
 import org.whispersystems.textsecuregcm.util.SystemMapper;
 import org.whispersystems.textsecuregcm.util.Util;

@@ -419,6 +419,49 @@ class AccountControllerV2Test {
      }
    }

+    @ParameterizedTest
+    @CsvSource({
+        "Signal-Android/4.68.3, true",
+        "Signal-Android/6.46.7, false",
+        "Signal-Android/6.46.8, false",
+        "Signal-Desktop/1.2.3 Linux, false",
+        "Signal-iOS/3.9.0 iOS/14.2, false",
+        "Not a real user-agent string, false"
+    })
+    void changeNumberVersionEnforced(final String userAgentString, final boolean expectBlocked) throws Exception {
+
+      when(registrationServiceClient.getSession(any(), any()))
+          .thenReturn(CompletableFuture.completedFuture(
+              Optional.of(new RegistrationServiceSession(new byte[16], NEW_NUMBER, true, null, null, null,
+                  SESSION_EXPIRATION_SECONDS))));
+
+      try (final Response response = resources.getJerseyTest()
+              .target("/v2/accounts/number")
+              .request()
+              .header(HttpHeaders.AUTHORIZATION,
+                  AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
+              .header(HttpHeaders.USER_AGENT, userAgentString)
+              .put(Entity.entity(
+                  new ChangeNumberRequest(encodeSessionId("session"), null, NEW_NUMBER, "123", new IdentityKey(Curve.generateKeyPair().getPublicKey()),
+                      Collections.emptyList(),
+                      Collections.emptyMap(), null, Collections.emptyMap()),
+                  MediaType.APPLICATION_JSON_TYPE))) {
+
+        if (expectBlocked) {
+          assertEquals(499, response.getStatus());
+
+          verify(changeNumberManager, never())
+              .changeNumber(eq(AuthHelper.VALID_ACCOUNT), eq(NEW_NUMBER), any(), any(), any(), any(), any());
+        } else {
+          assertEquals(200, response.getStatus());
+
+          verify(changeNumberManager)
+              .changeNumber(eq(AuthHelper.VALID_ACCOUNT), eq(NEW_NUMBER), any(), any(), any(), any(), any());
+
+        }
+      }
+    }
+
    /**
     * Valid request JSON with the given Recovery Password
     */