From 7c7e69d4c526a7622a7b083a553ddb95901f73b8 Mon Sep 17 00:00:00 2001
From: Kayne Ruse
Date: Sat, 1 Jun 2019 20:47:56 +1000
Subject: [PATCH] Hid profile data via API

---
 server/equipment.js | 2 +-
 server/profiles.js | 32 ++++++++++++++++++++----------
 src/components/pages/equipment.jsx | 4 ++++
 3 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/server/equipment.js b/server/equipment.js
index d0a1fba..379fb9e 100644
--- a/server/equipment.js
+++ b/server/equipment.js
@@ -9,7 +9,7 @@ const statistics = (connection, req, res, cb) => {
 };
 
 const owned = (connection, req, res, cb) => {
- //verify the credentials
+ //validate the credentials
 let query = 'SELECT COUNT(*) AS total FROM sessions WHERE accountId = ? AND token = ?;';
 connection.query(query, [req.body.id, req.body.token], (err, results) => {
 if (err) throw err;
diff --git a/server/profiles.js b/server/profiles.js
index 54da52a..0c5e849 100644
--- a/server/profiles.js
+++ b/server/profiles.js
@@ -75,17 +75,29 @@ function profileRequestInner(connection, req, res, body) {
 }
 });
 } else {
- //results.length === 1
- res.status(200).json({
- username: body.username,
- gold: results[0].gold,
- recruits: results[0].recruits,
- soldiers: results[0].soldiers,
- spies: results[0].spies,
- scientists: results[0].scientists
+ //validate the credentials
+ let query = 'SELECT COUNT(*) AS total FROM sessions WHERE accountId = ? AND token = ?;';
+ connection.query(query, [body.id, body.token], (err, credentials) => {
+ if (err) throw err;
+
+ if (credentials[0].total !== 1) {
+ res.status(400).write(log('Invalid profile request credentials', JSON.stringify(body), body.id, body.token));
+ res.end();
+ return;
+ }
+
+ //results.length === 1
+ res.status(200).json({
+ username: body.username,
+ gold: results[0].gold,
+ recruits: results[0].recruits,
+ soldiers: results[0].soldiers,
+ spies: results[0].spies,
+ scientists: results[0].scientists
+ });
+ res.end();
+ log('Profile sent', body.username, body.id, body.token);
 });
- res.end();
- log('Profile sent', body.username, body.id, body.token);
 }
 });
 };
diff --git a/src/components/pages/equipment.jsx b/src/components/pages/equipment.jsx
index 9c9517a..43bb1bc 100644
--- a/src/components/pages/equipment.jsx
+++ b/src/components/pages/equipment.jsx
@@ -106,6 +106,8 @@ class Equipment extends React.Component {
 };
 
 Equipment.propTypes = {
+ id: PropTypes.number.isRequired,
+ token: PropTypes.number.isRequired,
 username: PropTypes.string.isRequired,
 loggedIn: PropTypes.bool.isRequired,
 storeScientists: PropTypes.func.isRequired,
@@ -115,6 +117,8 @@ Equipment.propTypes = {
 
 const mapStoreToProps = (store) => {
 return {
+ id: store.account.id,
+ token: store.account.token,
 username: store.account.username,
 loggedIn: store.account.id !== 0,
 scientists: store.profile.scientists,
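Review bot: The new connection.query callback writes the session token into the server log on both paths — `log('Profile sent', body.username, body.id, body.token)` and the 400 branch — and on the 400 branch whatever `log` returns, which is handed `JSON.stringify(body)` as well, is written straight into the HTTP response; drop the token from the log arguments, e.g. `log('Profile sent', body.username, body.id)`, and send a fixed message to the client rather than the log text. The credential check also sits inside the else branch, after the profile lookup has already completed, so the branch above this hunk (not visible here) presumably still answers callers who present no valid session, and the check proves only that id/token form a live session, not that they belong to `body.username` — acceptable if any logged-in player may view any profile, otherwise the sessions query should also constrain accountId to the profile's owner. `if (err) throw err;` inside the asynchronous callback is not caught by Express and would end the process instead of returning a 500; `if (err) { res.status(500).end(); return; }` keeps the failure local to the request, though the rest of the file appears to use the throw pattern. profileRequestInner begins before this hunk.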