increased input validation for login

deepsource-autofix-76c6eb20
Dan Gowans 2022-09-22 12:15:36 -04:00
parent eaa28441ac
commit ad423113ac
2 changed files with 22 additions and 25 deletions


@ -24,8 +24,8 @@ router
} }
}) })
.post(async (request, response) => { .post(async (request, response) => {
const userName = request.body.userName; const userName = (typeof request.body.userName === "string" ? request.body.userName : "");
const passwordPlain = request.body.password; const passwordPlain = (typeof request.body.password === "string" ? request.body.password : "");
const unsafeRedirectURL = request.body.redirect; const unsafeRedirectURL = request.body.redirect;
const redirectURL = authenticationFunctions.getSafeRedirectURL(typeof unsafeRedirectURL === "string" ? unsafeRedirectURL : ""); const redirectURL = authenticationFunctions.getSafeRedirectURL(typeof unsafeRedirectURL === "string" ? unsafeRedirectURL : "");
let isAuthenticated = false; let isAuthenticated = false;
@ -37,7 +37,7 @@ router
} }
} }
} }
else { else if (userName !== "" && passwordPlain !== "") {
isAuthenticated = await authenticationFunctions.authenticate(userName, passwordPlain); isAuthenticated = await authenticationFunctions.authenticate(userName, passwordPlain);
} }
let userObject; let userObject;
@ -52,12 +52,12 @@ router
const canUpdate = configFunctions const canUpdate = configFunctions
.getProperty("users.canUpdate") .getProperty("users.canUpdate")
.some((currentUserName) => { .some((currentUserName) => {
return (userNameLowerCase === currentUserName.toLowerCase()); return userNameLowerCase === currentUserName.toLowerCase();
}); });
const isAdmin = configFunctions const isAdmin = configFunctions
.getProperty("users.isAdmin") .getProperty("users.isAdmin")
.some((currentUserName) => { .some((currentUserName) => {
return (userNameLowerCase === currentUserName.toLowerCase()); return userNameLowerCase === currentUserName.toLowerCase();
}); });
const apiKey = await getApiKey(userNameLowerCase); const apiKey = await getApiKey(userNameLowerCase);
userObject = { userObject = {
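Review bot: The `typeof` guards on userName and passwordPlain coerce non-string request bodies (objects, arrays, missing fields) to "", and the only thing that then keeps an empty pair away from authenticate() is the new `else if (userName !== "" && passwordPlain !== "")` branch several lines further down; that coupling is invisible at the point of coercion and deserves a comment, e.g. `// non-string or missing credentials become "" and fall through unauthenticated (see the else-if guard below)`. Because the `*` test-user branch is checked first, a request with an empty userName or password now reaches neither authenticate() nor the testing lookup and leaves isAuthenticated false, which looks intended but is worth stating next to the guard. The enclosing .post handler starts and ends outside these hunks. If this file is the compiled output of the TypeScript route in the second file section, the comment belongs in the .ts source, where the `as string` assertions wrapped around the same two ternaries are also redundant since the conditional already yields a string.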


@ -19,8 +19,7 @@ export const router = Router();
router router
.route("/") .route("/")
.get((request, response) => { .get((request, response) => {
const sessionCookieName = const sessionCookieName = configFunctions.getProperty("session.cookieName");
configFunctions.getProperty("session.cookieName");
if (request.session.user && request.cookies[sessionCookieName]) { if (request.session.user && request.cookies[sessionCookieName]) {
const redirectURL = authenticationFunctions.getSafeRedirectURL( const redirectURL = authenticationFunctions.getSafeRedirectURL(
@ -38,8 +37,13 @@ router
} }
}) })
.post(async (request, response) => { .post(async (request, response) => {
const userName = request.body.userName as string; const userName = (
const passwordPlain = request.body.password as string; typeof request.body.userName === "string" ? request.body.userName : ""
) as string;
const passwordPlain = (
typeof request.body.password === "string" ? request.body.password : ""
) as string;
const unsafeRedirectURL = request.body.redirect; const unsafeRedirectURL = request.body.redirect;
@ -51,18 +55,15 @@ router
if (userName.charAt(0) === "*") { if (userName.charAt(0) === "*") {
if (useTestDatabases && userName === passwordPlain) { if (useTestDatabases && userName === passwordPlain) {
isAuthenticated = configFunctions.getProperty("users.testing").includes(userName);
isAuthenticated = configFunctions.getProperty("users.testing").includes(userName); if (isAuthenticated) {
debug("Authenticated testing user: " + userName);
if (isAuthenticated) { }
debug("Authenticated testing user: " + userName);
}
} }
} else if (userName !== "" && passwordPlain !== "") {
} else {
isAuthenticated = await authenticationFunctions.authenticate(userName, passwordPlain); isAuthenticated = await authenticationFunctions.authenticate(userName, passwordPlain);
} }
let userObject: recordTypes.User; let userObject: recordTypes.User;
@ -79,17 +80,13 @@ router
const canUpdate = configFunctions const canUpdate = configFunctions
.getProperty("users.canUpdate") .getProperty("users.canUpdate")
.some((currentUserName) => { .some((currentUserName) => {
return ( return userNameLowerCase === currentUserName.toLowerCase();
userNameLowerCase === currentUserName.toLowerCase()
);
}); });
const isAdmin = configFunctions const isAdmin = configFunctions
.getProperty("users.isAdmin") .getProperty("users.isAdmin")
.some((currentUserName) => { .some((currentUserName) => {
return ( return userNameLowerCase === currentUserName.toLowerCase();
userNameLowerCase === currentUserName.toLowerCase()
);
}); });
const apiKey = await getApiKey(userNameLowerCase); const apiKey = await getApiKey(userNameLowerCase);