From 582cc0d9b93add6fdaa2d3fe4bec80ca6e571cc9 Mon Sep 17 00:00:00 2001
From: Florian
Date: Thu, 9 Oct 2025 16:31:37 +0200
Subject: [PATCH] Checking if a valid token has been supplied from the app, only works with Android tokens
---
 src/validator.py | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/src/validator.py b/src/validator.py
index 1a3afdd..d5d1dfe 100644
--- a/src/validator.py
+++ b/src/validator.py
@@ -1,18 +1,32 @@
 from argon2 import PasswordHasher
+import re
-def is_valid_platform(platform):
+def is_valid_platform(platform) -> bool:
 if platform not in ["ios","android","web"]:
 return False
 return True
-def is_valid_token(token): #Later check for specific Firebase tokens
+def is_valid_token(token: str) -> bool:
 """
- Correct length
- No malicious characters
- Freshness?
+ Validate a push notification token.
+
+ Criteria:
+ - Must be a string
+ - Correct length (e.g., 140–200 chars)
+ - Only safe characters (alphanumeric, dash, underscore)
 """
+ if not isinstance(token, str):
+ return False
+
+ if not (140 <= len(token) <= 200):
+ return False
+
+ if not re.match(r'^[A-Za-z0-9\-_]+$', token):
+ return False
+
 return True
+
 ph = PasswordHasher()
 def hash_api_key(api_key: str) -> str:
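Review bot: The character check in `is_valid_token` uses `re.match` with a `$` anchor, and in Python `$` also matches just before a trailing newline, so a token ending in `\n` still passes when its length is in range; `if not re.fullmatch(r'[A-Za-z0-9_-]+', token):` closes that. The check is purely syntactic and cannot show that a token was actually issued to the app, so the docstring should say so, for example `Format check only: does not verify that the push provider issued this token.` The 140–200 bounds are marked "e.g." in the docstring and, per the commit subject, fit Android tokens only, so named constants with a comment on where the numbers come from would make the later iOS/web extension safer. Until then `is_valid_platform` accepts platforms whose tokens this function may reject.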