IABTechLab · sunnywu · Jan 24, 2024 · Feb 21, 2024 · Feb 23, 2024 · Mar 11, 2024
diff --git a/conf/local-config.json b/conf/local-config.json
@@ -17,7 +17,7 @@
   "refresh_token_v3": false,
   "identity_v3": false,
   "identity_scope": "uid2",
-  "enable_v2_encryption": false,
+  "enable_v2_encryption": true,
   "sharing_token_expiry_seconds": 2592000,
   "cloud_download_threads": 8,
   "cloud_upload_threads": 2,
@@ -34,5 +34,6 @@
   "optout_partition_interval": 86400,
   "client_side_token_generate": true,
   "client_side_token_generate_domain_name_check_enabled": true,
+  "client_side_token_generate_app_name_check_enabled": false,
   "key_sharing_endpoint_provide_site_domain_names": true
 }
diff --git a/src/main/java/com/uid2/operator/model/CstgRequest.java b/src/main/java/com/uid2/operator/model/CstgRequest.java
@@ -11,6 +11,9 @@ public class CstgRequest {
     private String publicKey;
     private long timestamp;
 
+    @JsonProperty("app_name")
+    private String appName;
+
     public String getPayload() {
         return payload;
     }
@@ -30,5 +33,9 @@ public String getPublicKey() {
     public long getTimestamp() {
         return timestamp;
     }
+
+    public String getAppName() {
+        return appName;
+    }
 }
 
diff --git a/src/main/java/com/uid2/operator/service/ResponseUtil.java b/src/main/java/com/uid2/operator/service/ResponseUtil.java
@@ -175,5 +175,6 @@ public static class ResponseStatus {
         public static final String UnknownError = "unknown";
         public static final String InsufficientUserConsent = "insufficient_user_consent";
         public static final String InvalidHttpOrigin = "invalid_http_origin";
+        public static final String InvalidAppName = "invalid_app_name";
     }
 }
diff --git a/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java b/src/main/java/com/uid2/operator/vertx/UIDOperatorVerticle.java
@@ -103,6 +103,7 @@ public class UIDOperatorVerticle extends AbstractVerticle {
     private final KeyManager keyManager;
     private final SecureLinkValidatorService secureLinkValidatorService;
     private final boolean cstgDoDomainNameCheck;
+    private final boolean cstgDoAppNameCheck;
     public final static int MASTER_KEYSET_ID_FOR_SDKS = 9999999; //this is because SDKs have an issue where they assume keyset ids are always positive; that will be fixed.
     public final static long OPT_OUT_CHECK_CUTOFF_DATE = Instant.parse("2023-09-01T00:00:00.00Z").getEpochSecond();
 
@@ -141,6 +142,7 @@ public UIDOperatorVerticle(JsonObject config,
         this.phoneSupport = config.getBoolean("enable_phone_support", true);
         this.tcfVendorId = config.getInteger("tcf_vendor_id", 21);
         this.cstgDoDomainNameCheck = config.getBoolean("client_side_token_generate_domain_name_check_enabled", true);
+        this.cstgDoAppNameCheck = config.getBoolean("client_side_token_generate_app_name_check_enabled", true);
         this.keySharingEndpointProvideSiteDomainNames = config.getBoolean("key_sharing_endpoint_provide_site_domain_names", false);
         this._statsCollectorQueue = statsCollectorQueue;
         this.clientKeyProvider = clientKeyProvider;
@@ -303,14 +305,33 @@ private void handleClientSideTokenGenerateImpl(RoutingContext rc) throws NoSuchA
             return;
         }
 
+        String origin = rc.request().getHeader("origin");
+
         if (cstgDoDomainNameCheck) {
             final Set<String> domainNames = getDomainNameListForClientSideTokenGenerate(clientSideKeypair);
-            String origin = rc.request().getHeader("origin");
-
             boolean allowedDomain = DomainNameCheckUtil.isDomainNameAllowed(origin, domainNames);
             if (!allowedDomain) {
-                SendClientErrorResponseAndRecordStats(ResponseStatus.InvalidHttpOrigin, 403, rc, "unexpected http origin", clientSideKeypair.getSiteId(), TokenResponseStatsCollector.Endpoint.ClientSideTokenGenerateV2, TokenResponseStatsCollector.ResponseStatus.InvalidHttpOrigin, siteProvider);
-                return;
+                if (cstgDoAppNameCheck) {
+                    String appName = request.getAppName();
+                    boolean allowedApp = domainNames.contains(appName);
+
+                    if (appName == null) {
+                        SendClientErrorResponseAndRecordStats(ResponseStatus.InvalidAppName, 403, rc, "app name is not provided", clientSideKeypair.getSiteId(), TokenResponseStatsCollector.Endpoint.ClientSideTokenGenerateV2, TokenResponseStatsCollector.ResponseStatus.InvalidHttpOrigin, siteProvider);
+                        return;
+                    }
+                    else if(!allowedApp) {
+                        SendClientErrorResponseAndRecordStats(ResponseStatus.InvalidAppName, 403, rc, "app name is not on the allowed list", clientSideKeypair.getSiteId(), TokenResponseStatsCollector.Endpoint.ClientSideTokenGenerateV2, TokenResponseStatsCollector.ResponseStatus.InvalidHttpOrigin, siteProvider);
+                        return;
+                    }
+                    else {
+                        //app is allowed proceed to handle this CSTG request 
+                    }
+                }
+                else if (request.getAppName() == null) {
+                     SendClientErrorResponseAndRecordStats(ResponseStatus.InvalidHttpOrigin, 403, rc, "unexpected http origin", clientSideKeypair.getSiteId(), TokenResponseStatsCollector.Endpoint.ClientSideTokenGenerateV2, TokenResponseStatsCollector.ResponseStatus.InvalidHttpOrigin, siteProvider);
+                     return;    
+                }
+                // if !cstgDoAppNameCheck and request.getAppName() has an app name then we will let it pass  
             }
         }
 
@@ -351,7 +372,15 @@ private void handleClientSideTokenGenerateImpl(RoutingContext rc) throws NoSuchA
             return;
         }
 
-        final byte[] aad = new JsonArray(List.of(request.getTimestamp())).toBuffer().getBytes();
+        byte[] aad;
+        if(request.getAppName() == null) {
+           aad = new JsonArray(List.of(request.getTimestamp())).toBuffer().getBytes();
+        }
+        else {
+            // we required app name to be part of Authenticated encryption with associated data (AEAD) if it's a CSTG call from mobile app
+            aad = new JsonArray(List.of(request.getTimestamp(), request.getAppName())).toBuffer().getBytes();
+        }
+
 
         final byte[] requestPayloadBytes;
         try {

diff --git a/src/main/resources/com.uid2.core/test/sites/sites.json b/src/main/resources/com.uid2.core/test/sites/sites.json
@@ -3,7 +3,7 @@
     "id": 123,
     "name": "MegaTest Site",
     "enabled": true,
-    "domain_names" : ["localhost", "uidapi.com"]
+    "domain_names" : ["localhost", "uidapi.com", "com.uid2.devapp"]
   },
   {
     "id": 124,