Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom Safe Browsing API key #55

Merged
merged 5 commits into from
Jul 1, 2019
Merged

Custom Safe Browsing API key #55

merged 5 commits into from
Jul 1, 2019

Conversation

stklcode
Copy link
Contributor

@stklcode stklcode commented May 30, 2019
edited
Loading

To overcome the rate limitations of the hard-coded API key I've added an option to provide a custom key.

If the key is given, i.e. is not empty, it is used instead of the default. However the fixed key is still available as fallback.

As there's a risk of misconfiguration now, because the key may be invalid or expired I've also split the response handling. There's an open TODO in handling the error cases.

Old:

  • status 200 and empty body
    • OK
  • otherwise
    • send warning

New:

  • status 200
    • empty body
      • OK
    • non-empty body
      • send warning
  • status 400/403
    • invalid key, asssuming the request itself is not messed up
      • send notification, including an advice to solve the problem (check the custom key if provided or provide one otherwise)
  • otherwise (likely status 5xx)
    • an error occured during request (TODO)

Although you might expect a 403 from an invalid code[1], I've seen a 400 with an arbitrary invalid key (i.e. "foobar") and message "Invalid API key ..." in the JSON body.

[1] https://developers.google.com/safe-browsing/v4/status-codes

stklcode added 3 commits May 30, 2019 17:06
@stklcode
add option for custom Safe Browsing API key
e05a73f 
Allow the user to configure a custom API key with fallback to the hard
coded default. No sanity check yet, if the key is invalid the request
fails.
@stklcode
only send Safe Browsing Alert if request succeeded
dce1737 
Response code 200 is expected for a successful request, independent of
the actual result. Separate response handling into 200, 4xx and 5xx and
handle these cases differently.
@stklcode
extract error message from Safe Browsing response and send notification
52c54ac 
If a Safe Browsing request fails because of an invalid/expired API key,
the user is now notified about this, including the original API response
and an advice whether to check or provide a custom key.
@stklcode
Copy link
Contributor Author

stklcode commented Jun 3, 2019

I've extended the error handling in case of 4xx errors, s.t. the error message from the API (if available) is sent along with a notification. The mail points out that this is not necessarily a security warning and suggests to check the key, if yet provided, or provide a custom key if our defauls is exceeded.

@stklcode stklcode force-pushed the feature/custom-safe-browsing-key branch from 5d1f8be to 6f9a4b5 Compare June 5, 2019 10:35
@stklcode
Copy link
Contributor Author

stklcode commented Jun 5, 2019

Added some unit tests to verify key usage and mail behavior.

Tests require runkit(7) to intercept HTTP and mail. I've already adapted CI configuration, but this is probably out of scope for this PR.

@stklcode stklcode force-pushed the feature/custom-safe-browsing-key branch from 6e49b0a to 5e5c8c1 Compare June 5, 2019 10:49
@stklcode stklcode mentioned this pull request Jun 5, 2019
Merged
@Zodiac1978 Zodiac1978 merged commit 2ef7f02 into master Jul 1, 2019
@stklcode stklcode deleted the feature/custom-safe-browsing-key branch July 3, 2019 18:36
@stklcode stklcode added this to the 1.4.0 milestone Jan 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.4.0
Development

Successfully merging this pull request may close these issues.
2 participants
@stklcode @Zodiac1978