Hid profile data via API

2019-06-01 20:47:56 +10:00
parent 7ecf4fec93
commit 7c7e69d4c5
3 changed files with 27 additions and 11 deletions
@@ -9,7 +9,7 @@ const statistics = (connection, req, res, cb) => {
 };

 const owned = (connection, req, res, cb) => {
-	//verify the credentials
+	//validate the credentials
 	let query = 'SELECT COUNT(*) AS total FROM sessions WHERE accountId = ? AND token = ?;';
 	connection.query(query, [req.body.id, req.body.token], (err, results) => {
 		if (err) throw err;
@@ -75,17 +75,29 @@ function profileRequestInner(connection, req, res, body) {
 				}
 			});
 		} else {
-			//results.length === 1
-			res.status(200).json({
-				username: body.username,
-				gold: results[0].gold,
-				recruits: results[0].recruits,
-				soldiers: results[0].soldiers,
-				spies: results[0].spies,
-				scientists: results[0].scientists
+			//validate the credentials
+			let query = 'SELECT COUNT(*) AS total FROM sessions WHERE accountId = ? AND token = ?;';
+			connection.query(query, [body.id, body.token], (err, credentials) => {
+				if (err) throw err;
+
+				if (credentials[0].total !== 1) {
+					res.status(400).write(log('Invalid profile request credentials', JSON.stringify(body), body.id, body.token));
+					res.end();
+					return;
+				}
+
+				//results.length === 1
+				res.status(200).json({
+					username: body.username,
+					gold: results[0].gold,
+					recruits: results[0].recruits,
+					soldiers: results[0].soldiers,
+					spies: results[0].spies,
+					scientists: results[0].scientists
+				});
+				res.end();
+				log('Profile sent', body.username, body.id, body.token);
 			});
-			res.end();
-			log('Profile sent', body.username, body.id, body.token);
 		}
 	});
 };