Introduce endpoint for removing pending activation client-side

[petrdvorak]

If the user cancels the activation on the device after it has been committed on the client, the server has no way of learning that the registration has been canceled.

We could provide an endpoint to remove such registration. The endpoint would allow modifications only for CREATED and PENDING_COMMIT activations. As the activation ID is sufficiently random and the new endpoint would have no effect on ACTIVE, BLOCKED or REMOVED activations, we should evaluate if we need to authenticate the endpoint or if we can simply rely on the time window.

If the authentication is omitted, the server should always return a blank success response, to provide minimum information about if such activation exists (this should also remove any motivation to just send requests to the endpoint).

Endpoint

POST /pa/v3/activation/pending/remove

Request

{
    "requestObject": {
        "activationId": "12...fe",
    }
}

Response 200 - OK

{
    "status": "OK"
}

[hvge]

What about to provide a H_K_DEVICE_PUBLIC as a proof of authenticity? It should be already calculated on both sides. It will work for PENDING_COMMIT only, but activation in CREATED state is irrelevant for the mobile device (it should never happen)

We can modify H_K_DEVICE_PUBLIC calculation a little by replacing SHA256 with HMAC_SHA256 with using KEY_TRANSPORT for the derivation. For example:

byte[] activationIdBytes = ACTIVATION_ID.getBytes("UTF-8");
byte[] fingerprintBytes = ByteUtils.concat(K_DEVICE_PUBLIC_BYTES, ByteUtils.concat(activationIdBytes, K_SERVER_PUBLIC_BYTES));
byte[] truncatedBytes = ByteUtils.truncate(Mac.hmacSha256(KEY_TRANSPORT, fingerprintBytes), 4);
int H_K_DEVICE_PUBLIC = ByteUtils.getInt(truncatedBytes) & 0x7FFFFFFF);