fix: allow to query sharing status using fingerprint

This way there is no posibility for someone to squat OOB devices
by guessing their IMEI.

Author: coderbyheart

cdk/BackendLambdas.d.ts

@@ -4,6 +4,7 @@ type BackendLambdas = {
 	updatesToLwM2M: PackedLambda
 	shareDevice: PackedLambda
 	sharingStatus: PackedLambda
+	sharingStatusFingerprint: PackedLambda
 	confirmOwnership: PackedLambda
 	connectionInformationGeoLocation: PackedLambda
 	devicesData: PackedLambda

cdk/BackendStack.ts

@@ -133,6 +133,7 @@ export class BackendStack extends Stack {
 		})
 		api.addRoute('POST /share', shareAPI.shareFn)
 		api.addRoute('POST /share/confirm', shareAPI.confirmOwnershipFn)
+		api.addRoute('GET /share/status', shareAPI.sharingStatusFingerprintFn)
 		api.addRoute('GET /device/{id}', shareAPI.sharingStatusFn)
 
 		const devicesAPI = new DevicesAPI(this, {

cdk/packBackendLambdas.ts

@@ -7,6 +7,7 @@ export const packBackendLambdas = async (): Promise<BackendLambdas> => ({
 	updatesToLwM2M: await pack('updatesToLwM2M'),
 	shareDevice: await pack('shareDevice'),
 	sharingStatus: await pack('sharingStatus'),
+	sharingStatusFingerprint: await pack('sharingStatusFingerprint'),
 	confirmOwnership: await pack('confirmOwnership'),
 	connectionInformationGeoLocation: await pack(
 		'connectionInformationGeoLocation',

cdk/resources/ShareAPI.ts

@@ -14,6 +14,7 @@ export class ShareAPI extends Construct {
 	public readonly shareFn: Lambda.IFunction
 	public readonly confirmOwnershipFn: Lambda.IFunction
 	public readonly sharingStatusFn: Lambda.IFunction
+	public readonly sharingStatusFingerprintFn: Lambda.IFunction
 	constructor(
 		parent: Construct,
 		{
@@ -27,7 +28,10 @@ export class ShareAPI extends Construct {
 			baseLayer: Lambda.ILayerVersion
 			lambdaSources: Pick<
 				BackendLambdas,
-				'shareDevice' | 'confirmOwnership' | 'sharingStatus'
+				| 'shareDevice'
+				| 'confirmOwnership'
+				| 'sharingStatus'
+				| 'sharingStatusFingerprint'
 			>
 		},
 	) {
@@ -109,5 +113,35 @@ export class ShareAPI extends Construct {
 			...new LambdaLogGroup(this, 'sharingStatusFnLogs'),
 		})
 		publicDevices.publicDevicesTable.grantReadData(this.sharingStatusFn)
+
+		this.sharingStatusFingerprintFn = new Lambda.Function(
+			this,
+			'sharingStatusFingerprintFn',
+			{
+				handler: lambdaSources.sharingStatusFingerprint.handler,
+				architecture: Lambda.Architecture.ARM_64,
+				runtime: Lambda.Runtime.NODEJS_20_X,
+				timeout: Duration.seconds(10),
+				memorySize: 1792,
+				code: Lambda.Code.fromAsset(
+					lambdaSources.sharingStatusFingerprint.zipFile,
+				),
+				description:
+					'Returns the sharing status of a device using the fingerprint.',
+				layers: [baseLayer],
+				environment: {
+					VERSION: this.node.getContext('version'),
+					PUBLIC_DEVICES_TABLE_NAME: publicDevices.publicDevicesTable.tableName,
+					PUBLIC_DEVICES_ID_INDEX_NAME: publicDevices.idIndex,
+					NODE_NO_WARNINGS: '1',
+					STACK_NAME: Stack.of(this).stackName,
+				},
+				...new LambdaLogGroup(this, 'sharingStatusFingerprintFnLogs'),
+				initialPolicy: [Permissions(Stack.of(this))],
+			},
+		)
+		publicDevices.publicDevicesTable.grantReadData(
+			this.sharingStatusFingerprintFn,
+		)
 	}
 }

cli/commands/configure-hello.ts

@@ -6,7 +6,7 @@ import {
 	deleteSettings,
 	putSetting,
 	type Settings,
-} from '../../settings/hello.js'
+} from '../../hello/settings.js'
 
 export const configureHello = ({
 	ssm,

feature-runner/steps/device.ts

@@ -66,6 +66,7 @@ const oobDeviceWithFingerprint = (
 						model: 'PCA20035+solar',
 					}),
 				},
+				true,
 			)
 		},
 	)

features/OOBMapShare.feature.md

@@ -133,3 +133,21 @@ And the last response should match
   "model": "PCA20035+solar"
 }
 ```
+
+## The sharing status of a device can be checked using the fingerprint
+
+> Users should be able to determine whether a certain device is sharing data
+
+When I `GET` to `${API}/share/status?fingerprint=${fingerprint}`
+
+Then I should receive a `https://github.com/hello-nrfcloud/proto-map/device`
+response
+
+And the last response should match
+
+```json
+{
+  "id": "${publicDeviceId}",
+  "model": "PCA20035+solar"
+}
+```

hello/api.ts

@@ -0,0 +1,43 @@
+import { models } from '@hello.nrfcloud.com/proto-map'
+import { DeviceId } from '@hello.nrfcloud.com/proto-map/api'
+import type { ProblemDetail } from '@hello.nrfcloud.com/proto/hello'
+import { Type, type Static } from '@sinclair/typebox'
+import { typedFetch } from './typedFetch.js'
+
+const Model = Type.Union(
+	Object.keys(models).map((model) => Type.Literal(model)),
+)
+
+export const helloApi = ({
+	endpoint,
+	fetchImplementation,
+}: {
+	endpoint: URL
+	fetchImplementation?: typeof fetch
+}): {
+	getDeviceByFingerprint: (fingerprint: string) => Promise<
+		| {
+				error: Omit<Static<typeof ProblemDetail>, '@context'>
+		  }
+		| {
+				result: {
+					id: string
+					model: Static<typeof Model>
+				}
+		  }
+	>
+} => ({
+	getDeviceByFingerprint: async (fingerprint: string) =>
+		typedFetch({
+			url: new URL(
+				`./device?${new URLSearchParams({ fingerprint }).toString()}`,
+				endpoint,
+			),
+			RequestBodySchema: Type.Undefined(),
+			ResponseBodySchema: Type.Object({
+				id: DeviceId,
+				model: Model,
+			}),
+			fetchImplementation,
+		})(),
+})

settings/hello.ts renamed to hello/settings.ts

@@ -0,0 +1,87 @@
+import { validateWithTypeBox } from '@hello.nrfcloud.com/proto'
+import { ProblemDetail } from '@hello.nrfcloud.com/proto/hello'
+import { type Static, type TSchema } from '@sinclair/typebox'
+
+export const typedFetch = <Body, ResponseBodySchemaType extends TSchema>({
+	url,
+	RequestBodySchema,
+	ResponseBodySchema,
+	fetchImplementation,
+	...init
+}: {
+	url: URL
+	RequestBodySchema: TSchema
+	ResponseBodySchema: ResponseBodySchemaType
+	fetchImplementation?: typeof fetch
+} & RequestInit) => {
+	const validateRequestBody = validateWithTypeBox(RequestBodySchema)
+	const validateResponseBody = validateWithTypeBox(ResponseBodySchema)
+
+	return async (
+		requestBody?: Body,
+	): Promise<
+		| {
+				error: Omit<Static<typeof ProblemDetail>, '@context'>
+		  }
+		| { result: Static<ResponseBodySchemaType> }
+	> => {
+		if (requestBody !== undefined) {
+			const maybeValidRequestBody = validateRequestBody(requestBody)
+			if ('errors' in maybeValidRequestBody) {
+				return {
+					error: {
+						title: 'Request body validation failed',
+						detail: JSON.stringify({
+							body: requestBody,
+							errors: maybeValidRequestBody.errors,
+						}),
+					},
+				}
+			}
+		}
+		const res = await (fetchImplementation ?? fetch)(url, init)
+		const hasContent =
+			parseInt(res.headers.get('content-length') ?? '0', 10) > 0
+		if (!res.ok) {
+			return {
+				error: {
+					title: `Request failed (${res.status})`,
+					detail: hasContent ? await res.text() : undefined,
+				},
+			}
+		}
+		let responseBody = undefined
+		if (hasContent) {
+			responseBody = await res.text()
+			const isJSON =
+				res.headers.get('content-type')?.includes('application/json') ?? false
+			if (isJSON) {
+				try {
+					responseBody = JSON.parse(responseBody)
+				} catch {
+					return {
+						error: {
+							title: `Failed to parse response as JSON!`,
+							detail: responseBody,
+						},
+					}
+				}
+			}
+		}
+		const maybeValidResponseBody = validateResponseBody(responseBody)
+		if ('errors' in maybeValidResponseBody) {
+			return {
+				error: {
+					title: 'Response body validation failed',
+					detail: JSON.stringify({
+						body: responseBody,
+						errors: maybeValidResponseBody.errors,
+					}),
+				},
+			}
+		}
+		return {
+			result: responseBody,
+		}
+	}
+}