verdnatura-mirror
/
loopback
mirror of https://github.com/strongloop/loopback.git
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix: disallow queries in username and email fields 

Username and email fields should not allow queries.
This commit is contained in:
Hage Yaapa 2019-05-29 20:24:29 +05:30 committed by jannyHou
parent a3619df4b5
commit 2dd98a368b
2 changed files with 58 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
common/models/user.js
View File

@ -208,12 +208,20 @@ module.exports = function(User) {
var query = self.normalizeCredentials(credentials, realmRequired, var query = self.normalizeCredentials(credentials, realmRequired,
realmDelimiter); realmDelimiter);
if (realmRequired && !query.realm) { if (realmRequired) {
if (!query.realm) {
var err1 = new Error(g.f('{{realm}} is required')); var err1 = new Error(g.f('{{realm}} is required'));
err1.statusCode = 400; err1.statusCode = 400;
err1.code = 'REALM_REQUIRED'; err1.code = 'REALM_REQUIRED';
fn(err1); fn(err1);
return fn.promise; return fn.promise;
} else if (typeof query.realm !== 'string') {
var err5 = new Error(g.f('Invalid realm'));
err5.statusCode = 400;
err5.code = 'INVALID_REALM';
fn(err5);
return fn.promise;
}
} }
if (!query.email && !query.username) { if (!query.email && !query.username) {
var err2 = new Error(g.f('{{username}} or {{email}} is required')); var err2 = new Error(g.f('{{username}} or {{email}} is required'));
@ -222,6 +230,19 @@ module.exports = function(User) {
fn(err2); fn(err2);
return fn.promise; return fn.promise;
} }
if (query.username && typeof query.username !== 'string') {
var err3 = new Error(g.f('Invalid username'));
err3.statusCode = 400;
err3.code = 'INVALID_USERNAME';
fn(err3);
return fn.promise;
} else if (query.email && typeof query.email !== 'string') {
var err4 = new Error(g.f('Invalid email'));
err4.statusCode = 400;
err4.code = 'INVALID_EMAIL';
fn(err4);
return fn.promise;
}
self.findOne({where: query}, function(err, user) { self.findOne({where: query}, function(err, user) {
var defaultError = new Error(g.f('login failed')); var defaultError = new Error(g.f('login failed'));

31
test/user.test.js
View File

@ -555,6 +555,37 @@ describe('User', function() {
}); });
}); });
it('should not allow queries in email field', function(done) {
User.login({email: {'neq': 'x'}, password: 'x'}, function(err, accessToken) {
assert(err);
assert.equal(err.code, 'INVALID_EMAIL');
assert(!accessToken);
done();
});
});
it('should not allow queries in username field', function(done) {
User.login({username: {'neq': 'x'}, password: 'x'}, function(err, accessToken) {
assert(err);
assert.equal(err.code, 'INVALID_USERNAME');
assert(!accessToken);
done();
});
});
it('should not allow queries in realm field', function(done) {
User.settings.realmRequired = true;
User.login({username: 'x', password: 'x', realm: {'neq': 'x'}}, function(err, accessToken) {
assert(err);
assert.equal(err.code, 'INVALID_REALM');
assert(!accessToken);
done();
});
});
it('Login a user by providing credentials with TTL', function(done) { it('Login a user by providing credentials with TTL', function(done) {
User.login(validCredentialsWithTTL, function(err, accessToken) { User.login(validCredentialsWithTTL, function(err, accessToken) {
assert(accessToken.userId); assert(accessToken.userId);