From 8770224eff34d68cd48eb382e1df8e7e3ec43c43 Mon Sep 17 00:00:00 2001
From: Karina Kwiatek <kjk@kjk.dog>
Date: Wed, 4 Jan 2023 12:32:16 +0100
Subject: [PATCH] Make `endpoint` and `subscription` parameters required on web
 push endpoints

---
 app/controllers/ajax/web_push_controller.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/controllers/ajax/web_push_controller.rb b/app/controllers/ajax/web_push_controller.rb
index e9723c54..220e8300 100644
--- a/app/controllers/ajax/web_push_controller.rb
+++ b/app/controllers/ajax/web_push_controller.rb
@@ -12,7 +12,7 @@ class Ajax::WebPushController < AjaxController
   end
 
   def check
-    params.permit(:endpoint)
+    params.require(:endpoint)
 
     found = current_user.web_push_subscriptions.where("subscription ->> 'endpoint' = ?", params[:endpoint]).first
 
@@ -29,6 +29,8 @@ class Ajax::WebPushController < AjaxController
   end
 
   def subscribe
+    params.require(:subscription)
+
     WebPushSubscription.create!(
       user:         current_user,
       subscription: params[:subscription]
@@ -40,7 +42,7 @@ class Ajax::WebPushController < AjaxController
   end
 
   def unsubscribe # rubocop:disable Metrics/AbcSize
-    params.permit(:endpoint)
+    params.require(:endpoint)
 
     removed = if params.key?(:endpoint)
                 current_user.web_push_subscriptions.where("subscription ->> 'endpoint' = ?", params[:endpoint]).destroy_all