Forbid linked devices from setting backup-ids

2026-04-22 07:58:07 +01:00 · 2025-06-17 16:16:07 -05:00
parent 5de848bf38
commit 9dfe51eac4
6 changed files with 71 additions and 17 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/grpc/BackupsGrpcService.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/grpc/BackupsGrpcService.java
@@ -32,6 +32,7 @@ import org.whispersystems.textsecuregcm.metrics.BackupMetrics;
 import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.Device;
 import reactor.core.publisher.Mono;

 import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
@@ -60,9 +61,15 @@ public class BackupsGrpcService extends ReactorBackupsGrpc.BackupsImplBase {
        BackupAuthCredentialRequest::new,
        request.getMediaBackupAuthCredentialRequest().toByteArray());

+    final AuthenticatedDevice authenticatedDevice = AuthenticationUtil.requireAuthenticatedDevice();
    return authenticatedAccount()
-        .flatMap(account -> Mono.fromFuture(
-            backupAuthManager.commitBackupId(account, messagesCredentialRequest, mediaCredentialRequest)))
+        .flatMap(account -> {
+          final Device device = account
+              .getDevice(authenticatedDevice.deviceId())
+              .orElseThrow(Status.UNAUTHENTICATED::asRuntimeException);
+          return Mono.fromFuture(
+              backupAuthManager.commitBackupId(account, device, messagesCredentialRequest, mediaCredentialRequest));
+        })
        .thenReturn(SetBackupIdResponse.getDefaultInstance());
  }