Obfuscate PayPal IPN route

apiserver/.gitignore

@@ -110,3 +110,4 @@ migrations/
 data/
 old_photos/
 old_paypal/
+secrets.py

apiserver/apiserver/api/views.py

@@ -277,8 +277,8 @@ class DoorViewSet(viewsets.ViewSet, List):
 
 
 
-class IpnViewSet(viewsets.ViewSet, Create):
+class IpnView(views.APIView):
-    def create(self, request):
+    def post(self, request):
         try:
             utils_paypal.process_paypal_ipn(request.data)
         except BaseException as e:

apiserver/apiserver/secrets.py.example

@@ -0,0 +1,6 @@
+# Spaceport secrets file, don't commit to version control!
+
+# Set this to random characters so the PayPal IPN POST route is unguessable
+# For example, use the output of this:
+# head /dev/urandom | md5sum
+IPN_RANDOM = ''

apiserver/apiserver/urls.py

@@ -4,9 +4,12 @@ from django.urls import include, path
 from rest_framework import routers
 
 from .api import views
+from . import secrets
+
+IPN_ROUTE = r'^ipn/{}/'.format(secrets.IPN_RANDOM)
+print('IPN route is:', '/'+IPN_ROUTE[1:])
 
 router = routers.DefaultRouter()
-router.register(r'ipn', views.IpnViewSet, basename='ipn')
 router.register(r'door', views.DoorViewSet, basename='door')
 router.register(r'cards', views.CardViewSet, basename='card')
 router.register(r'search', views.SearchViewSet, basename='search')
@@ -26,4 +29,5 @@ urlpatterns = [
     url(r'^registration/', views.RegistrationView.as_view(), name='rest_name_register'),
     url(r'^password/change/', views.PasswordChangeView.as_view(), name='rest_password_change'),
     url(r'^user/', views.UserView.as_view(), name='user'),
+    url(IPN_ROUTE, views.IpnView.as_view(), name='ipn'),
 ]

apiserver/docs/source/dev.rst

@@ -39,6 +39,8 @@ Create a venv, activate it, and install:
     $ source env/bin/activate
     (env) $ pip install -r requirements.txt
 
+Edit ``apiserver/secrets.py.example`` and save it as ``apiserver/secrets.py``.
+
 Now setup Django and run it:
 
 .. sourcecode:: bash