Only accept backup receipt redemption when account has a backup credential request

service/src/main/java/org/whispersystems/textsecuregcm/backup/BackupAuthManager.java

@@ -236,6 +236,12 @@ public class BackupAuthManager {
           .asRuntimeException();
     }
 
+    if (account.getBackupCredentialRequest(BackupCredentialType.MEDIA).isEmpty()) {
+      throw Status.ABORTED
+          .withDescription("account must have a backup-id commitment")
+          .asRuntimeException();
+    }
+
     return redeemedReceiptsManager
         .put(receiptSerial, receiptExpiration.getEpochSecond(), receiptLevel, account.getUuid())
         .thenCompose(receiptAllowed -> {

service/src/main/java/org/whispersystems/textsecuregcm/controllers/ArchiveController.java

@@ -173,9 +173,13 @@ public class ArchiveController {
 
           After successful redemption, subsequent requests to /v1/archive/auth will return credentials with the level on
           the provided receipt until the expiration time on the receipt.
+
+          Accounts must have an existing backup credential request in order to redeem a receipt. This request will fail
+          if the account has not already set a backup credential request via PUT `/v1/archives/backupid`.
           """)
   @ApiResponse(responseCode = "204", description = "The receipt was redeemed")
   @ApiResponse(responseCode = "400", description = "The provided presentation or receipt was invalid")
+  @ApiResponse(responseCode = "409", description = "The target account does not have a backup-id commitment")
   @ApiResponse(responseCode = "429", description = "Rate limited.")
   public CompletionStage<Response> redeemReceipt(
       @Mutable @Auth final AuthenticatedDevice account,