Hid profile data via API

server/equipment.js

@@ -9,7 +9,7 @@ const statistics = (connection, req, res, cb) => {
 };
 
 const owned = (connection, req, res, cb) => {
-	//verify the credentials
+	//validate the credentials
 	let query = 'SELECT COUNT(*) AS total FROM sessions WHERE accountId = ? AND token = ?;';
 	connection.query(query, [req.body.id, req.body.token], (err, results) => {
 		if (err) throw err;

server/profiles.js

@@ -75,6 +75,17 @@ function profileRequestInner(connection, req, res, body) {
 				}
 			});
 		} else {
+			//validate the credentials
+			let query = 'SELECT COUNT(*) AS total FROM sessions WHERE accountId = ? AND token = ?;';
+			connection.query(query, [body.id, body.token], (err, credentials) => {
+				if (err) throw err;
+
+				if (credentials[0].total !== 1) {
+					res.status(400).write(log('Invalid profile request credentials', JSON.stringify(body), body.id, body.token));
+					res.end();
+					return;
+				}
+
 				//results.length === 1
 				res.status(200).json({
 					username: body.username,
@@ -86,6 +97,7 @@ function profileRequestInner(connection, req, res, body) {
 				});
 				res.end();
 				log('Profile sent', body.username, body.id, body.token);
+			});
 		}
 	});
 };

src/components/pages/equipment.jsx

@@ -106,6 +106,8 @@ class Equipment extends React.Component {
 };
 
 Equipment.propTypes = {
+	id: PropTypes.number.isRequired,
+	token: PropTypes.number.isRequired,
 	username: PropTypes.string.isRequired,
 	loggedIn: PropTypes.bool.isRequired,
 	storeScientists: PropTypes.func.isRequired,
@@ -115,6 +117,8 @@ Equipment.propTypes = {
 
 const mapStoreToProps = (store) => {
 	return {
+		id: store.account.id,
+		token: store.account.token,
 		username: store.account.username,
 		loggedIn: store.account.id !== 0,
 		scientists: store.profile.scientists,