Reviewed the quickstart and improved the READMEs. Updated the token binding check to make the pay claim mandatory to be in line with the latest changes in Approov.

Signed-off-by: Exadra37 <exadra37@gmail.com>

Author: Exadra37

docs/APPROOV_TOKEN_BINDING_QUICKSTART.md

@@ -143,13 +143,9 @@ class ApproovMiddleware:
 
     # @link https://approov.io/docs/latest/approov-usage-documentation/#token-binding
     def verifyApproovTokenBinding(self, request, approov_token_claims):
-        # Note that the `pay` claim will, under normal circumstances, be present,
-        # but if the Approov failover system is enabled, then no claim will be
-        # present, and in this case you want to return true, otherwise you will not
-        # be able to benefit from the redundancy afforded by the failover system.
         if not 'pay' in approov_token_claims:
             # You may want to add some logging here.
-            return True
+            return False
 
         # We use the Authorization token, but feel free to use another header in
         # the request. Beqar in mind that it needs to be the same header used in the

src/approov-protected-server/token-binding-check/README.md

@@ -45,20 +45,40 @@ Second, you need to set the dummy secret in the `src/approov-protected-server/to
 
 Next, you need to install the dependencies. From the `src/approov-protected-server/token-binding-check` folder execute:
 
-```text
+```bash
 python -m venv venv
 source venv/bin/activate
 pip3 install -r requirements.txt
 ```
 
 Now, you can run this example from the `src/approov-protected-server/token-binding-check` folder with:
 
-```text
+```bash
 python manage.py runserver 8002
 ```
 
 > **NOTE:** If running inside a docker container use `0.0.0.0:8002`, otherwise Django will not answer requests from outside the container, like the ones you want to do from your browser.
 
+Next, you can test that it works with:
+
+```bash
+curl -iX GET 'http://localhost:8002'
+```
+
+The response will be a `401` unauthorized request:
+
+```text
+HTTP/1.1 401 Unauthorized
+Date: Wed, 23 Mar 2022 18:36:35 GMT
+Server: WSGIServer/0.2 CPython/3.10.3
+Content-Type: application/json
+Connection: close
+
+{}
+```
+
+The reason you got a `401` is because no Approoov token isn't provided in the headers of the request.
+
 Finally, you can test that the Approov integration example works as expected with this [Postman collection](/README.md#testing-with-postman) or with some cURL requests [examples](/README.md#testing-with-curl).
 
 [TOC](#toc---table-of-contents)

src/approov-protected-server/token-binding-check/hello/approov_middleware.py

@@ -55,13 +55,9 @@ def verifyApproovToken(self, request):
 
     # @link https://approov.io/docs/latest/approov-usage-documentation/#token-binding
     def verifyApproovTokenBinding(self, request, approov_token_claims):
-        # Note that the `pay` claim will, under normal circumstances, be present,
-        # but if the Approov failover system is enabled, then no claim will be
-        # present, and in this case you want to return true, otherwise you will not
-        # be able to benefit from the redundancy afforded by the failover system.
         if not 'pay' in approov_token_claims:
             # You may want to add some logging here.
-            return True
+            return False
 
         # We use the Authorization token, but feel free to use another header in
         # the request. Beqar in mind that it needs to be the same header used in the

src/approov-protected-server/token-check/README.md

@@ -37,28 +37,48 @@ To run this example you will need to have Python installed. If you don't have th
 
 First, you need to create the `.env` file. From the `src/approov-protected-server/token-check/hello` folder execute:
 
-```
+```bash
 cp .env.example .env
 ```
 
 Second, you need to set the dummy secret in the `src/approov-protected-server/token-check/hello/.env` file as explained [here](/README.md#the-dummy-secret).
 
 Next, you need to install the dependencies. From the `src/approov-protected-server/token-check` folder execute:
 
-```text
+```bash
 python -m venv venv
 source venv/bin/activate
 pip3 install -r requirements.txt
 ```
 
 Now, you can run this example from the `src/approov-protected-server/token-check` folder with:
 
-```text
+```bash
 python manage.py runserver 8002
 ```
 
 > **NOTE:** If running inside a docker container use `0.0.0.0:8002`, otherwise Django will not answer requests from outside the container, like the ones you want to do from your browser.
 
+Next, you can test that it works with:
+
+```bash
+curl -iX GET 'http://localhost:8002'
+```
+
+The response will be a `401` unauthorized request:
+
+```text
+HTTP/1.1 401 Unauthorized
+Date: Wed, 23 Mar 2022 18:36:35 GMT
+Server: WSGIServer/0.2 CPython/3.10.3
+Content-Type: application/json
+Connection: close
+
+{}
+```
+
+The reason you got a `401` is because no Approoov token isn't provided in the headers of the request.
+
 Finally, you can test that the Approov integration example works as expected with this [Postman collection](/README.md#testing-with-postman) or with some cURL requests [examples](/README.md#testing-with-curl).
 
 [TOC](#toc---table-of-contents)