Check for an empty/null allocation token (#489)

* Check for an empty/null allocation token In addition, we should be returning an authorization exception for an invalid token, not a parameter syntax exception. See https://tools.ietf.org/html/draft-ietf-regext-allocation-token-04#section-2.1 * Add comment
2025-05-29 08:50:09 +02:00 · 2020-02-20 15:50:10 -05:00 · 2020-02-20 15:50:10 -05:00 · 05ed4fd849
commit 05ed4fd849
parent ecf1721755
3 changed files with 26 additions and 3 deletions
--- a/core/src/main/java/google/registry/flows/domain/token/AllocationTokenFlowUtils.java
+++ b/core/src/main/java/google/registry/flows/domain/token/AllocationTokenFlowUtils.java
@ -17,6 +17,7 @@ package google.registry.flows.domain.token;
 import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.model.ofy.ObjectifyService.ofy;

+import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
@ -24,7 +25,7 @@ import com.google.common.net.InternetDomainName;
 import com.googlecode.objectify.Key;
 import google.registry.flows.EppException;
 import google.registry.flows.EppException.AssociationProhibitsOperationException;
-import google.registry.flows.EppException.ParameterValueSyntaxErrorException;
+import google.registry.flows.EppException.AuthorizationErrorException;
 import google.registry.flows.EppException.StatusProhibitsOperationException;
 import google.registry.model.domain.DomainCommand;
 import google.registry.model.domain.token.AllocationToken;
@ -137,6 +138,12 @@ public class AllocationTokenFlowUtils {

  /** Loads a given token and validates that it is not redeemed */
  private AllocationToken loadToken(String token) throws EppException {
+    if (Strings.isNullOrEmpty(token)) {
+      // We load the token directly from the input XML. If it's null or empty we should throw
+      // an InvalidAllocationTokenException before the Datastore load attempt fails.
+      // See https://tools.ietf.org/html/draft-ietf-regext-allocation-token-04#section-2.1
+      throw new InvalidAllocationTokenException();
+    }
    AllocationToken tokenEntity = ofy().load().key(Key.create(AllocationToken.class, token)).now();
    if (tokenEntity == null) {
      throw new InvalidAllocationTokenException();
@ -181,7 +188,7 @@ public class AllocationTokenFlowUtils {
  }

  /** The allocation token is invalid. */
-  public static class InvalidAllocationTokenException extends ParameterValueSyntaxErrorException {
+  public static class InvalidAllocationTokenException extends AuthorizationErrorException {
    public InvalidAllocationTokenException() {
      super("The allocation token is invalid");
    }
--- a/core/src/test/java/google/registry/flows/domain/token/AllocationTokenFlowUtilsTest.java
+++ b/core/src/test/java/google/registry/flows/domain/token/AllocationTokenFlowUtilsTest.java
@ -90,6 +90,22 @@ public class AllocationTokenFlowUtilsTest extends ShardableTestCase {
    assertValidateThrowsEppException(InvalidAllocationTokenException.class);
  }

+  @Test
+  public void test_validateToken_failsOnNullToken() {
+    assertAboutEppExceptions()
+        .that(
+            assertThrows(
+                InvalidAllocationTokenException.class,
+                () ->
+                    flowUtils.loadTokenAndValidateDomainCreate(
+                        createCommand("blah.tld"),
+                        null,
+                        Registry.get("tld"),
+                        "TheRegistrar",
+                        DateTime.now(UTC))))
+        .marshalsToXml();
+  }
+
  @Test
  public void test_validateToken_callsCustomLogic() {
    AllocationTokenFlowUtils failingFlowUtils =