Check public key and auth secret length

Author: marco-c

index.js

@@ -148,12 +148,20 @@ function sendNotification(endpoint, params) {
         console.warn('You are using the old, deprecated, interface of the `sendNotification` function.'.bold.red);
       }
 
-      if (typeof userPublicKey !== 'undefined' && typeof userPublicKey !== 'string') {
-        throw new Error('userPublicKey should be a base64-encoded string.');
+      if (typeof userPublicKey !== 'undefined') {
+        if (typeof userPublicKey !== 'string') {
+          throw new Error('userPublicKey should be a base64-encoded string.');
+        } else if (urlBase64.decode(userPublicKey).length !== 65) {
+          throw new Error('userPublicKey should be 65 bytes long.');
+        }
       }
 
-      if (typeof userAuth !== 'undefined' && typeof userAuth !== 'string') {
-        throw new Error('userAuth should be a base64-encoded string.');
+      if (typeof userAuth !== 'undefined') {
+        if (typeof userAuth !== 'string') {
+          throw new Error('userAuth should be a base64-encoded string.');
+        } else if (urlBase64.decode(userAuth).length < 12) {
+          throw new Error('userAuth should be at least 12 bytes long');
+        }
       }
 
       const isGCM = endpoint.indexOf('https://android.googleapis.com/gcm/send') === 0;

test/testSendNotification.js

@@ -421,7 +421,7 @@ suite('sendNotification', function() {
     });
   });
 
-  test('invalid userPublicKey arguments', function() {
+  test('userPublicKey argument isn\'t a string', function() {
     return webPush.sendNotification('https://127.0.0.1:' + serverPort, {
       userPublicKey: userPublicKey,
       userAuth: urlBase64.encode(userAuth),
@@ -434,7 +434,7 @@ suite('sendNotification', function() {
     });
   });
 
-  test('invalid userAuth arguments', function() {
+  test('userAuth argument isn\'t a string', function() {
     return webPush.sendNotification('https://127.0.0.1:' + serverPort, {
       userPublicKey: urlBase64.encode(userPublicKey),
       userAuth: userAuth,
@@ -447,6 +447,45 @@ suite('sendNotification', function() {
     });
   });
 
+  test('userPublicKey argument is too long', function() {
+    return webPush.sendNotification('https://127.0.0.1:' + serverPort, {
+      userPublicKey: urlBase64.encode(Buffer.concat([ userPublicKey, new Buffer(1) ])),
+      userAuth: urlBase64.encode(userAuth),
+      payload: 'hello',
+    })
+    .then(function(body) {
+      assert(false, 'sendNotification promise resolved');
+    }, function() {
+      assert(true, 'sendNotification promise rejected');
+    });
+  });
+
+  test('userPublicKey argument is too short', function() {
+    return webPush.sendNotification('https://127.0.0.1:' + serverPort, {
+      userPublicKey: urlBase64.encode(userPublicKey.slice(1)),
+      userAuth: urlBase64.encode(userAuth),
+      payload: 'hello',
+    })
+    .then(function(body) {
+      assert(false, 'sendNotification promise resolved');
+    }, function() {
+      assert(true, 'sendNotification promise rejected');
+    });
+  });
+
+  test('userAuth argument is too short', function() {
+    return webPush.sendNotification('https://127.0.0.1:' + serverPort, {
+      userPublicKey: urlBase64.encode(userPublicKey),
+      userAuth: urlBase64.encode(userAuth.slice(1)),
+      payload: 'hello',
+    })
+    .then(function(body) {
+      assert(false, 'sendNotification promise resolved');
+    }, function() {
+      assert(true, 'sendNotification promise rejected');
+    });
+  });
+
   test('TTL with old interface', function() {
     return startServer(undefined, 5)
     .then(function() {