From 6103e748b0435bd40e89ad1b282abad8ce6d6cad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabriel=20Thom=C3=A9?= <gabrielallan.thome@gmail.com>
Date: Tue, 2 Mar 2021 04:04:34 -0300
Subject: [PATCH] validate auth token before sending notification

---
 app/push/server/push.js | 38 ++++++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/app/push/server/push.js b/app/push/server/push.js
index e95ca8f88716..5469488b6e63 100644
--- a/app/push/server/push.js
+++ b/app/push/server/push.js
@@ -2,12 +2,14 @@ import { Meteor } from 'meteor/meteor';
 import { Match, check } from 'meteor/check';
 import { Mongo } from 'meteor/mongo';
 import { HTTP } from 'meteor/http';
+import { Accounts } from 'meteor/accounts-base';
 import _ from 'underscore';
 
 import { initAPN, sendAPN } from './apn';
 import { sendGCM } from './gcm';
 import { logger, LoggerManager } from './logger';
 import { settings } from '../../settings/server';
+import { Users } from '../../models/server';
 
 export const _matchToken = Match.OneOf({ apn: String }, { gcm: String });
 export const appTokensCollection = new Mongo.Collection('_raix_push_app_tokens');
@@ -63,11 +65,11 @@ export class PushClass {
 	}
 
 	_replaceToken(currentToken, newToken) {
-		appTokensCollection.rawCollection().updateMany({ token: currentToken }, { $set: { token: newToken } });
+		appTokensCollection.updateMany({ token: currentToken }, { $set: { token: newToken } });
 	}
 
 	_removeToken(token) {
-		appTokensCollection.rawCollection().deleteOne({ token });
+		appTokensCollection.deleteOne({ token });
 	}
 
 	_shouldUseGateway() {
@@ -76,17 +78,41 @@ export class PushClass {
 			&& settings.get('Cloud_Service_Agree_PrivacyTerms');
 	}
 
+	_validateAuthTokenByPushToken(pushToken) {
+		const pushTokenQuery = appTokensCollection.findOne({ token: pushToken });
+
+		if (!pushTokenQuery) {
+			return;
+		}
+
+		console.log('token query result: ', pushTokenQuery);
+		const { authToken, userId } = pushTokenQuery;
+		const hashedToken = Accounts._hashLoginToken(authToken);
+		console.log('hashed token: ', hashedToken);
+
+		const user = Users.findOne({ _id: userId });
+
+		const hasToken = user
+			.services
+			.resume
+			.loginTokens
+			.filter((t) => t.hashedToken === hashedToken).length > 0;
+
+		console.log('should send notification? ', !!hasToken);
+		return !!hasToken;
+	}
+
 	sendNotificationNative(app, notification, countApn, countGcm) {
 		logger.debug('send to token', app.token);
 
-		if (app.token.apn) {
+		if (app.token.apn && this._validateAuthTokenByPushToken(app.token)) {
 			countApn.push(app._id);
 			// Send to APN
 			if (this.options.apn) {
 				notification.topic = app.appName;
 				sendAPN({ userToken: app.token.apn, notification, _removeToken: this._removeToken });
 			}
-		} else if (app.token.gcm) {
+		} else if (app.token.gcm && this._validateAuthTokenByPushToken(app.token)) {
 			countGcm.push(app._id);
 
 			// Send to GCM
@@ -159,13 +185,13 @@ export class PushClass {
 		for (const gateway of this.options.gateways) {
 			logger.debug('send to token', app.token);
 
-			if (app.token.apn) {
+			if (app.token.apn && this._validateAuthTokenByPushToken(app.token)) {
 				countApn.push(app._id);
 				notification.topic = app.appName;
 				return this.sendGatewayPush(gateway, 'apn', app.token.apn, notification);
 			}
 
-			if (app.token.gcm) {
+			if (app.token.gcm && this._validateAuthTokenByPushToken(app.token)) {
 				countGcm.push(app._id);
 				return this.sendGatewayPush(gateway, 'gcm', app.token.gcm, notification);
 			}