Patched some holes when poking with curl
This commit is contained in:
@@ -9,18 +9,26 @@ const { accounts } = require('../database/models');
|
||||
|
||||
//auth/deletion
|
||||
const route = async (req, res) => {
|
||||
if (!req.body.password) {
|
||||
return res.status(401).end('Missing password');
|
||||
}
|
||||
|
||||
const account = await accounts.findOne({
|
||||
where: {
|
||||
index: req.user.index
|
||||
index: req.user.index || ''
|
||||
}
|
||||
});
|
||||
|
||||
if (!account) {
|
||||
return res.status(401).end('Missing account');
|
||||
}
|
||||
|
||||
//compare the user's password
|
||||
const compare = utils.promisify(bcrypt.compare);
|
||||
const match = await compare(req.body.password || '', account.hash);
|
||||
const match = await compare(req.body.password, account.hash);
|
||||
|
||||
if (!match) {
|
||||
return res.status(401).send('incorrect password');
|
||||
return res.status(401).send('Incorrect password');
|
||||
}
|
||||
|
||||
//set the deletion time (2 days from now)
|
||||
|
||||
@@ -4,12 +4,12 @@ const { accounts } = require('../database/models');
|
||||
const route = async (req, res) => {
|
||||
const account = await accounts.findOne({
|
||||
where: {
|
||||
index: req.user.index
|
||||
index: req.user.index || ''
|
||||
}
|
||||
});
|
||||
|
||||
if (!account) {
|
||||
return res.status(401).send('Unknown account');
|
||||
return res.status(401).end('Unknown account');
|
||||
}
|
||||
|
||||
//respond with the private-facing data
|
||||
|
||||
@@ -3,13 +3,13 @@ const { accounts } = require('../database/models');
|
||||
|
||||
//auth/update
|
||||
const route = async (req, res) => {
|
||||
//generate the password hash
|
||||
let hash;
|
||||
|
||||
if (req.body.password) {
|
||||
hash = await bcrypt.hash(req.body.password, await bcrypt.genSalt(11));
|
||||
if (!req.body.password) {
|
||||
return res.status(401).end('Missing password');
|
||||
}
|
||||
|
||||
//generate the password hash
|
||||
let hash = await bcrypt.hash(req.body.password, await bcrypt.genSalt(11));
|
||||
|
||||
//update the account
|
||||
await accounts.update({
|
||||
contact: req.body.contact,
|
||||
|
||||
@@ -17,6 +17,9 @@ router.post('/token', require('./token'));
|
||||
//middleware
|
||||
router.use(tokenAuth);
|
||||
|
||||
//logouts allowed when banned, still needs tokens
|
||||
router.delete('/logout', require('./logout'));
|
||||
|
||||
router.use(async (req, res, next) => {
|
||||
const record = await accounts.findOne({
|
||||
where: {
|
||||
@@ -36,7 +39,6 @@ router.use(async (req, res, next) => {
|
||||
});
|
||||
|
||||
//basic account management (needs a token)
|
||||
router.delete('/logout', require('./logout'));
|
||||
router.get('/account', require('./account-query'));
|
||||
router.patch('/account', require('./account-update'));
|
||||
router.delete('/account', require('./account-delete'));
|
||||
|
||||
+11
-6
@@ -13,7 +13,7 @@ const route = async (req, res) => {
|
||||
//validate the given details
|
||||
const validateErr = await validateDetails(req.body);
|
||||
if (validateErr) {
|
||||
return res.status(401).send(validateErr);
|
||||
return res.status(401).end(validateErr);
|
||||
}
|
||||
|
||||
//get the existing account
|
||||
@@ -55,13 +55,18 @@ const route = async (req, res) => {
|
||||
};
|
||||
|
||||
const validateDetails = async (body) => {
|
||||
//basic formatting (with an exception for the default admin account)
|
||||
if (!validateEmail(body.email) && body.email != `${process.env.ADMIN_DEFAULT_USERNAME}@${process.env.WEB_ADDRESS}`) {
|
||||
return 'invalid email';
|
||||
if (!body.email) {
|
||||
return 'Missing email';
|
||||
}
|
||||
|
||||
//check for existing (banned)
|
||||
//TODO: restore banning
|
||||
if (!body.password) {
|
||||
return 'Missing password';
|
||||
}
|
||||
|
||||
//basic formatting (with an exception for the default admin account)
|
||||
if (!validateEmail(body.email) && body.email != `${process.env.ADMIN_DEFAULT_USERNAME}@${process.env.WEB_ADDRESS}`) {
|
||||
return 'Invalid email';
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
+14
-6
@@ -46,11 +46,11 @@ const route = async (req, res) => {
|
||||
const validateDetails = async (body) => {
|
||||
//basic formatting
|
||||
if (!validateEmail(body.email)) {
|
||||
return 'invalid email';
|
||||
return 'Invalid email';
|
||||
}
|
||||
|
||||
if (!validateUsername(body.username)) {
|
||||
return 'invalid username';
|
||||
return 'Invalid username';
|
||||
}
|
||||
|
||||
//check for existing (banned)
|
||||
@@ -64,23 +64,31 @@ const validateDetails = async (body) => {
|
||||
});
|
||||
|
||||
if (emailRecord) {
|
||||
return 'email already exists';
|
||||
return 'Email already exists';
|
||||
}
|
||||
|
||||
if (!body.username) {
|
||||
return 'Missing username';
|
||||
}
|
||||
|
||||
//check for existing username
|
||||
const usernameRecord = await accounts.findOne({
|
||||
where: {
|
||||
username: body.username || ''
|
||||
username: body.username
|
||||
}
|
||||
});
|
||||
|
||||
if (usernameRecord) {
|
||||
return 'username already exists';
|
||||
return 'Username already exists';
|
||||
}
|
||||
|
||||
//validate password
|
||||
if (!body.password) {
|
||||
return 'Missing password';
|
||||
}
|
||||
|
||||
if (body.password.length < 8) {
|
||||
return 'password too short';
|
||||
return 'Password too short';
|
||||
}
|
||||
|
||||
return null;
|
||||
|
||||
@@ -11,11 +11,11 @@ const route = async (req, res) => {
|
||||
|
||||
//check the given info
|
||||
if (!info) {
|
||||
return res.status(401).send('validation failed');
|
||||
return res.status(401).send('Validation failed');
|
||||
}
|
||||
|
||||
if (info.token != req.query.token) {
|
||||
return res.status(401).send('tokens do not match');
|
||||
return res.status(401).send('Tokens do not match');
|
||||
}
|
||||
|
||||
//move data to the accounts table
|
||||
|
||||
Reference in New Issue
Block a user