Closed
Description
What happened?
I am able to send a web push notification without passing any authentication information. The code is:
```python
import onesignal
from onesignal.api import default_api
from onesignal.model.notification import Notification

# ONESIGNAL_APP_ID and VALID_ONESIGNAL_PLAYER_ID are placeholders for real values.
# Note: ApiClient() is created with no Configuration, so no keys are supplied.
with onesignal.ApiClient() as api_client:
    api_instance = default_api.DefaultApi(api_client)

    def createNotification():
        notification = Notification()
        notification.set_attribute('app_id', ONESIGNAL_APP_ID)
        notification.set_attribute('headings', {'en': 'New Message'})
        notification.set_attribute('contents', {'en': "Test Message"})
        notification.set_attribute('include_player_ids', [VALID_ONESIGNAL_PLAYER_ID])
        return notification

    notification = createNotification()
    notificationResponse = api_instance.create_notification(notification)
    print(notificationResponse)
```
The documentation states you should pass a configuration object to onesignal.ApiClient() as follows:
```python
configuration = onesignal.Configuration(
    app_key = "YOUR_APP_KEY",
    user_key = "YOUR_USER_KEY"
)

with onesignal.ApiClient(configuration) as api_client:
    api_instance = default_api.DefaultApi(api_client)
```
However, the code works without passing the configuration object, thus enabling a push notification to be sent with only an app id and player id.
Steps to reproduce?
1. pip3 install onesignal
2. pip3 install onesignal-python-api
3. python3 <code in description>
What did you expect to happen?
I expected the push send to fail because no Rest API Key was provided.
Relevant log output
The code responds with the following object when run:
```
{'external_id': 'A-UUID-STRING',
 'id': 'ANOTHER-UUID-STRING'}
```
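The behaviour the report expected, modelled as a server-side check. This is an added example, not code from the onesignal package or the OneSignal service; the `Bearer` header scheme, the key table and all ids are assumptions constructed for illustration.

```python
import hmac

# Constructed sample data: app ids and keys are placeholders, not real values.
APP_KEYS = {"app-1111": "key-for-app-1111", "app-2222": "key-for-app-2222"}


def authorize_create_notification(headers, body, app_keys=APP_KEYS):
    """Return (status, reason) for a create-notification request.

    app_id and include_player_ids are identifiers, not secrets, so they are
    never accepted as proof that the caller may send on behalf of that app.
    """
    # Header names are case-insensitive; normalise before lookup.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, presented = auth.partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return 401, "missing API key"

    # Compare against the key of the app named in the body, in constant time,
    # so a valid key for one app cannot be used to send for another.
    # Unknown app ids get the same answer as a wrong key.
    app_id = body.get("app_id")
    expected = app_keys.get(app_id) if isinstance(app_id, str) else None
    if expected is None or not hmac.compare_digest(
        presented.encode(), expected.encode()
    ):
        return 403, "API key not valid for this app_id"

    if not body.get("include_player_ids"):
        return 400, "no recipients"
    return 200, "accepted"


if __name__ == "__main__":
    body = {"app_id": "app-1111", "include_player_ids": ["player-a"]}
    # The request from the report: app id and player id only, no key.
    print(authorize_create_notification({}, body))
    # A key that belongs to a different app.
    print(authorize_create_notification(
        {"Authorization": "Bearer key-for-app-2222"}, body))
    # The matching key.
    print(authorize_create_notification(
        {"Authorization": "Bearer key-for-app-1111"}, body))
```

The check runs on the receiving side because a client library that omits the key, as in the report, cannot be relied on to stop the request.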