steve
/
sunrise-cms
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

increased input validation for login

deepsource-autofix-76c6eb20
Dan Gowans 2022-09-22 12:15:36 -04:00
parent eaa28441ac
commit ad423113ac
2 changed files with 22 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
routes/login.js
View File

@ -24,8 +24,8 @@ router
}
})
.post(async (request, response) => {
const userName = request.body.userName;
const passwordPlain = request.body.password;
const userName = (typeof request.body.userName === "string" ? request.body.userName : "");
const passwordPlain = (typeof request.body.password === "string" ? request.body.password : "");
const unsafeRedirectURL = request.body.redirect;
const redirectURL = authenticationFunctions.getSafeRedirectURL(typeof unsafeRedirectURL === "string" ? unsafeRedirectURL : "");
let isAuthenticated = false;
@ -37,7 +37,7 @@ router
}
}
}
else {
else if (userName !== "" && passwordPlain !== "") {
isAuthenticated = await authenticationFunctions.authenticate(userName, passwordPlain);
}
let userObject;
@ -52,12 +52,12 @@ router
const canUpdate = configFunctions
.getProperty("users.canUpdate")
.some((currentUserName) => {
return (userNameLowerCase === currentUserName.toLowerCase());
return userNameLowerCase === currentUserName.toLowerCase();
});
const isAdmin = configFunctions
.getProperty("users.isAdmin")
.some((currentUserName) => {
return (userNameLowerCase === currentUserName.toLowerCase());
return userNameLowerCase === currentUserName.toLowerCase();
});
const apiKey = await getApiKey(userNameLowerCase);
userObject = {

35
routes/login.ts
View File

@ -19,8 +19,7 @@ export const router = Router();
router
.route("/")
.get((request, response) => {
const sessionCookieName =
configFunctions.getProperty("session.cookieName");
const sessionCookieName = configFunctions.getProperty("session.cookieName");
if (request.session.user && request.cookies[sessionCookieName]) {
const redirectURL = authenticationFunctions.getSafeRedirectURL(
@ -38,8 +37,13 @@ router
}
})
.post(async (request, response) => {
const userName = request.body.userName as string;
const passwordPlain = request.body.password as string;
const userName = (
typeof request.body.userName === "string" ? request.body.userName : ""
) as string;
const passwordPlain = (
typeof request.body.password === "string" ? request.body.password : ""
) as string;
const unsafeRedirectURL = request.body.redirect;
@ -51,18 +55,15 @@ router
if (userName.charAt(0) === "*") {
if (useTestDatabases && userName === passwordPlain) {
isAuthenticated = configFunctions.getProperty("users.testing").includes(userName);
isAuthenticated = configFunctions.getProperty("users.testing").includes(userName);
if (isAuthenticated) {
debug("Authenticated testing user: " + userName);
}
if (isAuthenticated) {
debug("Authenticated testing user: " + userName);
}
}
} else {
} else if (userName !== "" && passwordPlain !== "") {
isAuthenticated = await authenticationFunctions.authenticate(userName, passwordPlain);
}
}
let userObject: recordTypes.User;
@ -79,17 +80,13 @@ router
const canUpdate = configFunctions
.getProperty("users.canUpdate")
.some((currentUserName) => {
return (
userNameLowerCase === currentUserName.toLowerCase()
);
return userNameLowerCase === currentUserName.toLowerCase();
});
const isAdmin = configFunctions
.getProperty("users.isAdmin")
.some((currentUserName) => {
return (
userNameLowerCase === currentUserName.toLowerCase()
);
return userNameLowerCase === currentUserName.toLowerCase();
});
const apiKey = await getApiKey(userNameLowerCase);