fix critical things + validation

Author: JerryImMouse

routes/api.js

@@ -3,25 +3,19 @@ const database = require("../database/sqlite");
 const logger = require("../utilities/logger");
 const {discordLinkTemplate, clientId, redirectUri, use_caching, cache_size, use_given_table, checkGuild, guildId} = require("../configuration/config");
 const dHelper = require("../utilities/discordhelper");
-const {checkAccess} = require("../utilities/tokenutils");
-const path = require("path");
+const {validateToken} = require("../utilities/tokenutils");
 const CacheManager = require("../utilities/cache_managing");
 const {setGivenTo, getGivenBySS14Id, setGivenToZeroAll, setGivenDiscordTo, getGivenByDiscordId, getUserByDiscordId,
     getUserBySS14Id } = require('../database/sqlite');
 const {checkInGuild} = require("../utilities/discordhelper");
 
 const userCache = new CacheManager(cache_size);
 
-router.get("/check", async (req, res) => {
-    if (!req.query.api_token)
-        return res.status(401).send("Unauthorized")
-
-    if (!checkAccess(req.query.api_token))
-        return res.status(401).send("Unauthorized")
+router.use(validateToken);
 
-    if (!req.query.userid) {
+router.get("/check", async (req, res) => {
+    if (!req.query.userid)
         return res.status(400).json({ error: "No user id provided" });
-    }
 
     if (use_caching) {
         const user = userCache.get(req.query.userid);
@@ -56,12 +50,6 @@ router.get("/check", async (req, res) => {
 
 // generate auth link
 router.get('/link', async (req, res) => {
-    if (!req.query.api_token)
-        return res.status(401).send("Unauthorized")
-
-    if (!checkAccess(req.query.api_token))
-        return res.status(401).send("Unauthorized")
-
     if (!req.query.userid) {
         return res.status(400).json({ error: "No user ID provided" });
     }
@@ -76,15 +64,8 @@ router.get('/link', async (req, res) => {
 });
 
 router.get('/roles', async (req, res) => {
-    if (!req.query.api_token)
-        return res.status(401).send("Unauthorized")
-
-    if (!checkAccess(req.query.api_token))
-        return res.status(401).send("Unauthorized")
-
-    if (!req.query.userid) {
+    if (!req.query.userid)
         return res.status(400).json({ error: "No user ID provided" });
-    }
 
     if (!req.query.guildid) {
         return res.status(400).json({error: 'No guild ID provided'});
@@ -111,20 +92,13 @@ router.get('/roles', async (req, res) => {
 })
 
 router.get('/user', async (req, res) => {
-    if (!req.query.api_token)
-        return res.status(401).send("Unauthorized")
-
-    if (!checkAccess(req.query.api_token))
-        return res.status(401).send("Unauthorized")
-
-    if (!req.query.method) {
-        return res.status(400).json({error: "Method is not provided"})
-    }
-
+    if (!req.query.method)
+        return res.status(400).json({error: "Method is not provided"});
 
     if (!req.query.id) {
         return res.status(400).json({ error: "No user ID provided" });
     }
+
     const uid = req.query.id;
 
     if (use_caching && req.query.method === 'ss14') {
@@ -154,7 +128,7 @@ router.get('/user', async (req, res) => {
     }
 
     if (!user) {
-        return res.status(400).json({error: "Not Found"});
+        return res.status(404).json({ error: 'User not found' });
     }
 
     const {id, access_token, refresh_token, ...newUser} = user;
@@ -163,12 +137,6 @@ router.get('/user', async (req, res) => {
 })
 
 router.post('/given', async (req, res) => {
-    if (!req.query.api_token)
-        return res.status(401).send("Unauthorized");
-
-    if (!checkAccess(req.query.api_token))
-        return res.status(401).send("Unauthorized");
-
     if (!use_given_table)
         return res.status(405).send("Given table is turned off")
 
@@ -204,12 +172,6 @@ router.post('/given', async (req, res) => {
 })
 
 router.get('/is_given', async (req, res) => {
-    if (!req.query.api_token)
-        return res.status(401).send("Unauthorized")
-
-    if (!checkAccess(req.query.api_token))
-        return res.status(401).send("Unauthorized")
-
     if (!use_given_table)
         return res.status(405).send("Given table is turned off")
 
@@ -250,12 +212,6 @@ router.get('/is_given', async (req, res) => {
 })
 
 router.post('/wipe_given', async (req, res) => {
-    if (!req.query.api_token)
-        return res.status(401).send("Unauthorized")
-
-    if (!checkAccess(req.query.api_token))
-        return res.status(401).send("Unauthorized")
-
     if (!use_given_table)
         return res.status(405).send("Given table is turned off")
 

routes/auth.js

@@ -3,7 +3,7 @@ const path = require('path');
 
 const logger = require('../utilities/logger.js');
 const {insertUser, insertGivenUser, getUserByDiscordId} = require('../database/sqlite.js');
-const {use_given} = require('../configuration/config')
+const {use_given_table} = require('../configuration/config')
 const {exchangeCode, getDiscordIdentifyScopeUnsafe} = require("../utilities/discordhelper");
 
 router.get('/callback', async (req, res) => {
@@ -56,11 +56,11 @@ router.get('/callback', async (req, res) => {
         new Date().toISOString()); // current date time
     logger.info(`Added new user with userid - ${userid}`);
 
-    if (use_given) {
+    if (use_given_table) {
         result1 = await insertGivenUser(userObject.user.id, userid, 0);
     }
 
-    if (result && (!use_given || result1)) {
+    if (result && (!use_given_table || result1)) {
         res.status(200).sendFile(path.join(__dirname, '..', 'public', 'html', 'success.html'));
         return;
     }

utilities/cache_managing.js

@@ -1,6 +1,11 @@
 const {cache_update_timeout} = require('../configuration/config')
 const logger = require('./logger')
 
+const getUser = (cache, key) => {
+    const user = cache.get(key);
+
+}
+
 class CacheManager {
     constructor(maxSize = 5) {
         this.cacheMap = {};

utilities/tokenutils.js

@@ -4,4 +4,14 @@ const checkAccess = (api_token) => {
     return api_key === api_token;
 }
 
-module.exports = {checkAccess}
+const validateToken = (req, res, next) => {
+    if (!req.query.api_token)
+        return res.status(401).json({ error: "Unauthorized" })
+
+    if (!checkAccess(req.query.api_token))
+        return res.status(401).json({ error: "Unauthorized" })
+
+    next();
+}
+
+module.exports = {checkAccess, validateToken}

utilities/validation.js

@@ -0,0 +1,15 @@
+const guidRegex = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;
+const discordIdRegex = /^\d{17,19}$/;
+
+const validateGuid = async (guidStr) => {
+    return guidRegex.test(guidStr);
+}
+
+const validateDiscordId = async (discordId) => {
+    return discordIdRegex.test(discordId);
+}
+
+module.exports = {
+    validateGuid,
+    validateDiscordId,
+};