authorjwijenbergh <jeroenwijenbergh@protonmail.com>2023-01-31 12:00:44 +0100
committerjwijenbergh <jeroenwijenbergh@protonmail.com>2023-01-31 12:05:39 +0100
commitf25dcda007547f7dfb75c4aded7fd94ed2236e21 (patch)
tree24873417df82525c49ea32212f5c9ed7998f1e0e /client/client.go
parent31ef27e6faaa82a12d2d841d18f1df6732a3ecf0 (diff)
Client: Check if client ID is valid
Diffstat (limited to 'client/client.go')
-rw-r--r--client/client.go30
1 files changed, 29 insertions, 1 deletions
diff --git a/client/client.go b/client/client.go
index c443528..1a1e881 100644
--- a/client/client.go
+++ b/client/client.go
@@ -32,10 +32,34 @@ func (c *Client) logError(err error) {
}
func (c *Client) isLetsConnect() bool {
- // see https://git.sr.ht/~fkooman/vpn-user-portal/tree/v3/item/src/OAuth/ClientDb.php
+ // see https://git.sr.ht/~fkooman/vpn-user-portal/tree/v3/item/src/OAuth/VpnClientDb.php
return strings.HasPrefix(c.Name, "org.letsconnect-vpn.app")
}
+// isAllowedClientID checks if the 'clientID' is in the list of allowed client IDs
+func isAllowedClientID(clientID string) bool {
+ allowList := []string{
+ // eduVPN
+ "org.eduvpn.app.windows",
+ "org.eduvpn.app.android",
+ "org.eduvpn.app.ios",
+ "org.eduvpn.app.macos",
+ "org.eduvpn.app.linux",
+ // Let's Connect!
+ "org.letsconnect-vpn.app.windows",
+ "org.letsconnect-vpn.app.android",
+ "org.letsconnect-vpn.app.ios",
+ "org.letsconnect-vpn.app.macos",
+ "org.letsconnect-vpn.app.linux",
+ }
+ for _, x := range allowList {
+ if x == clientID {
+ return true
+ }
+ }
+ return false
+}
+
// Client is the main struct for the VPN client.
type Client struct {
// The name of the client
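Review bot: The doc comment on `isAllowedClientID` does not say where the list comes from, which matters because it is a hand-maintained copy of the IDs in the VpnClientDb.php file referenced in `isLetsConnect` just above. An ID added or retired there will be wrongly rejected or accepted here until someone updates this slice. I would extend the comment along the lines of `// The list mirrors VpnClientDb.php in vpn-user-portal and must be kept in sync with it; this is an early sanity check, the server presumably remains the authority on accepted client IDs.` The exact, case-sensitive comparison is the right choice for an OAuth client identifier. As a style point, the slice could be a package-level variable so it is not rebuilt on every call.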
@@ -93,6 +117,10 @@ func (c *Client) Register(
return errors.Errorf("fsm attempt to register while in '%v'", c.FSM.Current)
}
+ if !isAllowedClientID(name) {
+ return errors.Errorf("client ID is not allowed: '%v', see https://git.sr.ht/~fkooman/vpn-user-portal/tree/v3/item/src/OAuth/VpnClientDb.php for a list of allowed IDs", name)
+ }
+
c.Name = name
// TODO: Verify language setting?
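Review bot: The rejected `name` is interpolated into the error with `'%v'`, so a caller-supplied value containing quotes, newlines or control characters reaches whatever log or UI prints this error unescaped. Using `%q` instead would quote and escape it, i.e. `"client ID is not allowed: %q, see … for a list of allowed IDs"`. Doing the check before `c.Name = name` is the right order, since `isLetsConnect` only prefix-matches `c.Name` and therefore depends on the value having been validated. That holds only if `Register` is the sole writer of `c.Name`, which this hunk does not show. `Register` begins and ends outside the hunk.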