Fix for unhandled undefined config in reset password pages (#4334)

* Fix for unhandled undefined config

When an invalid application id is passed, either for reset/change password or for email verification, config.get returns undefined. This causes an internal server error.

* Throwing a 403 exception instead of returning a 404 for an invalid app id

Also, added a missing semicolon

* Fix indent issues

* Fix invalid colon to semicolon

* Fix space and indent issues

* Tests for the fix for unhandled undefined config
Bryan de Leon
2017-11-11 22:42:20 +08:00
committed by Florent Vilmart
parent 72e20be06d
commit 4e207d32a7
2 changed files with 73 additions and 1 deletions


@@ -15,6 +15,10 @@ export class PublicAPIRouter extends PromiseRouter {
const appId = req.params.appId;
const config = Config.get(appId);
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) {
return this.missingPublicServerURL();
}
@@ -40,6 +44,10 @@ export class PublicAPIRouter extends PromiseRouter {
const appId = req.params.appId;
const config = Config.get(appId);
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) {
return this.missingPublicServerURL();
}
@@ -66,6 +74,11 @@ export class PublicAPIRouter extends PromiseRouter {
changePassword(req) {
return new Promise((resolve, reject) => {
const config = Config.get(req.query.id);
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) {
return resolve({
status: 404,
@@ -89,6 +102,10 @@ export class PublicAPIRouter extends PromiseRouter {
const config = req.config;
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) {
return this.missingPublicServerURL();
}
@@ -114,6 +131,10 @@ export class PublicAPIRouter extends PromiseRouter {
const config = req.config;
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) {
return this.missingPublicServerURL();
}
@@ -135,7 +156,7 @@ export class PublicAPIRouter extends PromiseRouter {
location: `${config.passwordResetSuccessURL}?${params}`
});
}, (err) => {
const params = qs.stringify({username: username, token: token, id: config.applicationId, error:err, app:config.appName})
const params = qs.stringify({username: username, token: token, id: config.applicationId, error:err, app:config.appName});
return Promise.resolve({
status: 302,
location: `${config.choosePasswordURL}?${params}`
@@ -171,6 +192,13 @@ export class PublicAPIRouter extends PromiseRouter {
});
}
invalidRequest() {
const error = new Error();
error.status = 403;
error.message = "unauthorized";
throw error;
}
setConfig(req) {
req.config = Config.get(req.params.appId);
return Promise.resolve();
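Review bot: The `if(!config){ this.invalidRequest(); }` guard is copied into five handlers (the hunks at -15, -40, -66, -89 and -114) and protects the following `config.publicServerURL` read only because `invalidRequest()` throws. Unlike the neighbouring `return this.missingPublicServerURL();` it has no `return`, so writing `return this.invalidRequest();` would keep the guard effective if the helper is ever changed to build a response instead. For the two handlers that read `req.config`, which is presumably populated by `setConfig`, one check there (`if (!req.config) { this.invalidRequest(); }`) would reject an unknown app id before any handler runs, and a handler added later could not omit it. In `invalidRequest`, `const error = new Error('unauthorized');` is more idiomatic than assigning `message` afterwards, and a short comment should say why an unknown app id is answered with 403 while a missing `publicServerURL` gets 404 in `changePassword`, since the two statuses let an unauthenticated caller tell the cases apart. The handler bodies start and end outside these hunks, so how the router turns the throw into a 403 response is not visible here.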