talaria requires header but does not validate/use it

[ilawjr]

When you submit an api request Talaria requires the "X-Webpa-Device-Name" header, but it doesn't validate it against the message.

e.g.

curl -i -H "Authorization:$basicauth" -H "Content-Type:application/json" -H "Accept:application/json" --data-binary '@SimpleApiRequestMessage.json' -X POST https://$a:8080/api/v2/device/send

results in a 400

{"code": 400, "message": "Could extract device id: Missing device name header"}

whereas :

export b=mac:112233445566
curl -i -H "Authorization:$basicauth" -H "Content-Type:application/json" -H "Accept:application/json" --data-binary '@SimpleApiRequestMessage.json' -X POST https://$a:8080/api/v2/device/send -H "X-Webpa-Device-Name:$b"

will succeed even if $b does not match the device inside the SimpleApiRequestMessage.json which is set to

"dest":"mac:4ca155000006/config",

It appears that talaria doesn't use or validate against this header. A request without the dest field will fail with a 400.

[johnabass]

This was a design decision from very early in the project's life, years ago. There's no bug here, and it shouldn't hold up any deployments.

As to whether things should still work this way, that's a question for @schmidtw

[joe94]

After discussions, we decided talaria should no longer require this header. We should also then change scytale so it no longer sends such header.