SmartThingsCommunity / smartapp-sdk-nodejs

Javascript/NodeJS SDK to create SmartThings SmartApps
https://smartthings.developer.samsung.com/
Apache License 2.0

New app confirmation flow is mishandled #139

Closed. Laptopmini closed this issue 4 years ago.

Laptopmini commented 4 years ago

Describe the bug
This relates to #77, #78 & #82.

When a CONFIRMATION lifecycle is received, the callback should NOT be automatically handled, as this opens up a security risk. The purpose of this callback is to validate the registration of a SmartApp but also to confirm that this registration was intended. If the callback is automatically handled, anyone can hijack your SmartApp by re-registering a different instance under their account using YOUR endpoint, either just to make you bear the weight of the traffic, or with more malicious intent such as DDoSing it.

To Reproduce
Find a currently registered SmartApp endpoint that uses the latest SDK version, then use its public webhook endpoint to register a SmartApp on your own account.

Expected behavior
When a CONFIRMATION lifecycle is received, print the confirmation URL to the log, requesting that the developer click the URL if and ONLY if he has requested a registration confirmation.

Actual behavior
When a CONFIRMATION lifecycle is received, it is automatically approved regardless of its author/intent.

Additional context
There should most likely be a way to report unwanted confirmation requests, but this is outside the scope of this SDK.
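
Added example (not code from the SDK, from PR #142, or from the issue author): a minimal Node.js handler for the CONFIRMATION lifecycle that shows the auto-fetch behaviour the issue describes next to the log-only behaviour it asks for, with an appId allowlist so a confirmation for an app this endpoint never registered is flagged rather than approved. The payload shape follows the SmartThings CONFIRMATION lifecycle; the IDs, tokens, the allowlist, the assumed confirmation host `api.smartthings.com`, the injected `fetchUrl`/`log` hooks and the function names are assumptions of this example.

```javascript
'use strict';

// Allowlist of app IDs this endpoint was registered for (hypothetical values;
// a real deployment would load these from configuration).
const EXPECTED_APP_IDS = new Set(['a1b2c3d4-0000-4000-8000-000000000001']);

// Host the confirmation URL is expected to point at (assumption of this example).
const CONFIRMATION_HOST = 'api.smartthings.com';

// Behaviour the issue reports: whatever appId arrives, the confirmation URL is
// fetched and the registration is approved. `fetchUrl` is injected so the
// example runs offline; in the affected SDK versions this was an HTTP GET.
function confirmAutomatically(body, fetchUrl) {
  if (body.lifecycle !== 'CONFIRMATION') return { handled: false };
  fetchUrl(body.confirmationData.confirmationUrl);
  return { handled: true, autoConfirmed: true, appId: body.confirmationData.appId };
}

// Behaviour the issue asks for: never fetch the URL on the app's behalf. Log it
// so a developer who actually requested a registration can click it, and flag
// any appId this endpoint was not registered for. The URL is only logged for
// an expected appId, and only if it points at the expected host over https.
function handleConfirmation(body, { expectedAppIds = EXPECTED_APP_IDS, log = console.log } = {}) {
  if (body.lifecycle !== 'CONFIRMATION') return { handled: false };
  const data = body.confirmationData || {};
  const appId = data.appId;
  let parsed = null;
  try { parsed = new URL(String(data.confirmationUrl)); } catch (e) { parsed = null; }
  const malformed = !parsed || parsed.protocol !== 'https:' || parsed.hostname !== CONFIRMATION_HOST;
  if (malformed) {
    log(`CONFIRMATION for app ${appId} carried an unexpected confirmationUrl; ignoring`);
    return { handled: true, autoConfirmed: false, expected: false, malformed: true, appId };
  }
  const expected = expectedAppIds.has(appId);
  if (expected) {
    log(`CONFIRMATION for app ${appId}: if you requested this registration, open ${parsed.href}`);
  } else {
    log(`CONFIRMATION for unknown app ${appId}; not confirming, URL withheld`);
  }
  return { handled: true, autoConfirmed: false, expected, malformed: false, appId };
}

// Constructed sample payloads (shape follows the SmartThings CONFIRMATION
// lifecycle; every ID and token here is made up).
const OWN_APP_ID = 'a1b2c3d4-0000-4000-8000-000000000001';
const OTHER_APP_ID = 'ffffffff-0000-4000-8000-00000000beef';
const SAMPLE_OWN = {
  lifecycle: 'CONFIRMATION',
  executionId: 'exec-0001',
  appId: OWN_APP_ID,
  confirmationData: {
    appId: OWN_APP_ID,
    confirmationUrl: `https://api.smartthings.com/apps/${OWN_APP_ID}/confirm-registration?token=deadbeef`,
  },
};
// Same endpoint, but registered by someone else under their own account.
const SAMPLE_HIJACK = {
  lifecycle: 'CONFIRMATION',
  executionId: 'exec-0002',
  appId: OTHER_APP_ID,
  confirmationData: {
    appId: OTHER_APP_ID,
    confirmationUrl: `https://api.smartthings.com/apps/${OTHER_APP_ID}/confirm-registration?token=cafebabe`,
  },
};

// Runs both handlers against the hijack payload and returns what each did.
function demo() {
  const fetched = [];
  const vulnerable = confirmAutomatically(SAMPLE_HIJACK, (u) => fetched.push(u));
  const logged = [];
  const safe = handleConfirmation(SAMPLE_HIJACK, { log: (m) => logged.push(m) });
  return { vulnerable, fetched, safe, logged };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Note that verifying the request's HTTP signature does not close this hole: a hijacker registers through SmartThings normally, so the CONFIRMATION request is genuinely signed by SmartThings. The decision the handler has to make is whether this registration was one the operator asked for, which only the appId check and a human click can answer.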

bflorian commented 4 years ago

Resolved in PR #142