joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix for unhandled undefined config in reset password pages (#4334)

Browse Source 
* Fix for unhandled undefined config

When an invalid application id is passed either for reset/change password or email verification, config.get returns undefined. This causes internal server.

* Throwing a 403 exception instead of returning a 404 for an invalid app id

Also, added a missing semicolon

* Fix indent issues

* Fix invalid colon to semicolon

* Fix space and indent issues

* Tests for the fix for unhandled undefined config
This commit is contained in:
Bryan de Leon
2017-11-11 22:42:20 +08:00
committed by Florent Vilmart
parent 72e20be06d
commit 4e207d32a7
2 changed files with 73 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
spec/PublicAPI.spec.js
View File

@@ -63,3 +63,47 @@ describe("public API without publicServerURL", () => {
}); });
}); });
}); });
describe("public API supplied with invalid application id", () => {
beforeEach(done => {
reconfigureServer({appName: "unused"})
.then(done, fail);
});
it("should get 403 on verify_email", (done) => {
request('http://localhost:8378/1/apps/invalid/verify_email', (err, httpResponse) => {
expect(httpResponse.statusCode).toBe(403);
done();
});
});
it("should get 403 choose_password", (done) => {
request('http://localhost:8378/1/apps/choose_password?id=invalid', (err, httpResponse) => {
expect(httpResponse.statusCode).toBe(403);
done();
});
});
it("should get 403 on get of request_password_reset", (done) => {
request('http://localhost:8378/1/apps/invalid/request_password_reset', (err, httpResponse) => {
expect(httpResponse.statusCode).toBe(403);
done();
});
});
it("should get 403 on post of request_password_reset", (done) => {
request.post('http://localhost:8378/1/apps/invalid/request_password_reset', (err, httpResponse) => {
expect(httpResponse.statusCode).toBe(403);
done();
});
});
it("should get 403 on resendVerificationEmail", (done) => {
request('http://localhost:8378/1/apps/invalid/resend_verification_email', (err, httpResponse) => {
expect(httpResponse.statusCode).toBe(403);
done();
});
});
});

30
src/Routers/PublicAPIRouter.js
View File

@@ -15,6 +15,10 @@ export class PublicAPIRouter extends PromiseRouter {
const appId = req.params.appId; const appId = req.params.appId;
const config = Config.get(appId); const config = Config.get(appId);
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) { if (!config.publicServerURL) {
return this.missingPublicServerURL(); return this.missingPublicServerURL();
} }
@@ -40,6 +44,10 @@ export class PublicAPIRouter extends PromiseRouter {
const appId = req.params.appId; const appId = req.params.appId;
const config = Config.get(appId); const config = Config.get(appId);
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) { if (!config.publicServerURL) {
return this.missingPublicServerURL(); return this.missingPublicServerURL();
} }
@@ -66,6 +74,11 @@ export class PublicAPIRouter extends PromiseRouter {
changePassword(req) { changePassword(req) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
const config = Config.get(req.query.id); const config = Config.get(req.query.id);
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) { if (!config.publicServerURL) {
return resolve({ return resolve({
status: 404, status: 404,
@@ -89,6 +102,10 @@ export class PublicAPIRouter extends PromiseRouter {
const config = req.config; const config = req.config;
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) { if (!config.publicServerURL) {
return this.missingPublicServerURL(); return this.missingPublicServerURL();
} }
@@ -114,6 +131,10 @@ export class PublicAPIRouter extends PromiseRouter {
const config = req.config; const config = req.config;
if(!config){
this.invalidRequest();
}
if (!config.publicServerURL) { if (!config.publicServerURL) {
return this.missingPublicServerURL(); return this.missingPublicServerURL();
} }
@@ -135,7 +156,7 @@ export class PublicAPIRouter extends PromiseRouter {
location: `${config.passwordResetSuccessURL}?${params}` location: `${config.passwordResetSuccessURL}?${params}`
}); });
}, (err) => { }, (err) => {
const params = qs.stringify({username: username, token: token, id: config.applicationId, error:err, app:config.appName}) const params = qs.stringify({username: username, token: token, id: config.applicationId, error:err, app:config.appName});
return Promise.resolve({ return Promise.resolve({
status: 302, status: 302,
location: `${config.choosePasswordURL}?${params}` location: `${config.choosePasswordURL}?${params}`
@@ -171,6 +192,13 @@ export class PublicAPIRouter extends PromiseRouter {
}); });
} }
invalidRequest() {
const error = new Error();
error.status = 403;
error.message = "unauthorized";
throw error;
}
setConfig(req) { setConfig(req) {
req.config = Config.get(req.params.appId); req.config = Config.get(req.params.appId);
return Promise.resolve(); return Promise.resolve();