Merge pull request from GHSA-h4mf-75hf-67w4

* Fix session token issue * verify email problem * Fix password reset problem * Change test file name * Split tests * Refetch user * Replaces lets to consts * Refactor unit test What you have is just finee, but wanted to show you what I meant with my comment Use jasmine's this to set stuff in beforeEach's Not that all functions need to be `function ()` instead of `() =>` so `this` is preserved. see: https://jasmine.github.io/tutorials/your_first_suite#section-The_%3Ccode%3Ethis%3C/code%3E_keyword Co-authored-by: Antonio Davi Macedo Coelho de Castro <adavimacedo@gmail.com>
2020-03-02 15:46:01 -08:00
parent bde8ab6d55
commit 3a3a5eee5f
3 changed files with 212 additions and 3 deletions
--- a/src/Routers/PublicAPIRouter.js
+++ b/src/Routers/PublicAPIRouter.js
@@ -11,7 +11,10 @@ const views = path.resolve(__dirname, '../../views');

 export class PublicAPIRouter extends PromiseRouter {
  verifyEmail(req) {
-    const { token, username } = req.query;
+    const { username, token: rawToken } = req.query;
+    const token =
+      rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;
+
    const appId = req.params.appId;
    const config = Config.get(appId);

@@ -122,7 +125,9 @@ export class PublicAPIRouter extends PromiseRouter {
      return this.missingPublicServerURL();
    }

-    const { username, token } = req.query;
+    const { username, token: rawToken } = req.query;
+    const token =
+      rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;

    if (!username || !token) {
      return this.invalidLink(req);
@@ -158,7 +163,9 @@ export class PublicAPIRouter extends PromiseRouter {
      return this.missingPublicServerURL();
    }

-    const { username, token, new_password } = req.body;
+    const { username, new_password, token: rawToken } = req.body;
+    const token =
+      rawToken && typeof rawToken !== 'string' ? rawToken.toString() : rawToken;

    if ((!username || !token || !new_password) && req.xhr === false) {
      return this.invalidLink(req);
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -105,6 +105,10 @@ export function handleParseHeaders(req, res, next) {
    }
  }

+  if (info.sessionToken && typeof info.sessionToken !== 'string') {
+    info.sessionToken = info.sessionToken.toString();
+  }
+
  if (info.clientVersion) {
    info.clientSDK = ClientSDK.fromString(info.clientVersion);
  }