
Commit 4e207d3

bryandelflovilmart
authored and committed
Fix for unhandled undefined config in reset password pages (#4334)
* Fix for unhandled undefined config When an invalid application id is passed either for reset/change password or email verification, config.get returns undefined. This causes an internal server error. * Throwing a 403 exception instead of returning a 404 for an invalid app id Also, added a missing semicolon * Fix indent issues * Fix invalid colon to semicolon * Fix space and indent issues * Tests for the fix for unhandled undefined config
1 parent 72e20be commit 4e207d3


2 files changed

+73
-1
lines changed


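--- a/spec/PublicAPI.spec.js
+++ b/spec/PublicAPI.spec.js
@@ -63,3 +63,47 @@ describe("public API without publicServerURL", () => {
 });
 });
 });
+
+
+describe("public API supplied with invalid application id", () => {
+beforeEach(done => {
+reconfigureServer({appName: "unused"})
+.then(done, fail);
+});
+
+it("should get 403 on verify_email", (done) => {
+request('http://localhost:8378/1/apps/invalid/verify_email', (err, httpResponse) => {
+expect(httpResponse.statusCode).toBe(403);
+done();
+});
+});
+
+it("should get 403 choose_password", (done) => {
+request('http://localhost:8378/1/apps/choose_password?id=invalid', (err, httpResponse) => {
+expect(httpResponse.statusCode).toBe(403);
+done();
+});
+});
+
+it("should get 403 on get of request_password_reset", (done) => {
+request('http://localhost:8378/1/apps/invalid/request_password_reset', (err, httpResponse) => {
+expect(httpResponse.statusCode).toBe(403);
+done();
+});
+});
+
+
+it("should get 403 on post of request_password_reset", (done) => {
+request.post('http://localhost:8378/1/apps/invalid/request_password_reset', (err, httpResponse) => {
+expect(httpResponse.statusCode).toBe(403);
+done();
+});
+});
+
+it("should get 403 on resendVerificationEmail", (done) => {
+request('http://localhost:8378/1/apps/invalid/resend_verification_email', (err, httpResponse) => {
+expect(httpResponse.statusCode).toBe(403);
+done();
+});
+});
+});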
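Review bot: Every callback in the new describe block reads `httpResponse.statusCode` before looking at `err`; if the request itself fails, `httpResponse` is presumably undefined (assuming the usual request-library callback signature), the TypeError is thrown inside the callback where Jasmine cannot catch it, and `done` is never called, so the spec fails only on timeout with no useful message. Adding `expect(err).toBeNull();` as the first line of each callback (new lines 76, 83, 90, 98 and 105) turns that into a direct, readable failure. The five tests also share one shape; a small helper such as `expectForbidden(url, done)` would remove the repetition and keep the status assertion in one place.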

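--- a/src/Routers/PublicAPIRouter.js
+++ b/src/Routers/PublicAPIRouter.js
@@ -15,6 +15,10 @@ export class PublicAPIRouter extends PromiseRouter {
 const appId = req.params.appId;
 const config = Config.get(appId);
 
+if(!config){
+this.invalidRequest();
+}
+
 if (!config.publicServerURL) {
 return this.missingPublicServerURL();
 }
@@ -40,6 +44,10 @@ export class PublicAPIRouter extends PromiseRouter {
 const appId = req.params.appId;
 const config = Config.get(appId);
 
+if(!config){
+this.invalidRequest();
+}
+
 if (!config.publicServerURL) {
 return this.missingPublicServerURL();
 }
@@ -66,6 +74,11 @@ export class PublicAPIRouter extends PromiseRouter {
 changePassword(req) {
 return new Promise((resolve, reject) => {
 const config = Config.get(req.query.id);
+
+if(!config){
+this.invalidRequest();
+}
+
 if (!config.publicServerURL) {
 return resolve({
 status: 404,
@@ -89,6 +102,10 @@ export class PublicAPIRouter extends PromiseRouter {
 
 const config = req.config;
 
+if(!config){
+this.invalidRequest();
+}
+
 if (!config.publicServerURL) {
 return this.missingPublicServerURL();
 }
@@ -114,6 +131,10 @@ export class PublicAPIRouter extends PromiseRouter {
 
 const config = req.config;
 
+if(!config){
+this.invalidRequest();
+}
+
 if (!config.publicServerURL) {
 return this.missingPublicServerURL();
 }
@@ -135,7 +156,7 @@ export class PublicAPIRouter extends PromiseRouter {
 location: `${config.passwordResetSuccessURL}?${params}`
 });
 }, (err) => {
-const params = qs.stringify({username: username, token: token, id: config.applicationId, error:err, app:config.appName})
+const params = qs.stringify({username: username, token: token, id: config.applicationId, error:err, app:config.appName});
 return Promise.resolve({
 status: 302,
 location: `${config.choosePasswordURL}?${params}`
@@ -171,6 +192,13 @@ export class PublicAPIRouter extends PromiseRouter {
 });
 }
 
+invalidRequest() {
+const error = new Error();
+error.status = 403;
+error.message = "unauthorized";
+throw error;
+}
+
 setConfig(req) {
 req.config = Config.get(req.params.appId);
 return Promise.resolve();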
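Review bot: The guards added at new lines 18-20, 47-49, 105-107 and 134-136 call `this.invalidRequest();` without `return`, so the following `config.publicServerURL` dereference is unreachable only because the helper always throws — nothing at the call site says so, and a later change that makes invalidRequest() return a rejected promise instead would silently bring back the TypeError on undefined config. Writing each guard as `if (!config) { return this.invalidRequest(); }` makes the intent visible at every site and stays correct either way; at minimum the helper deserves a docstring such as `/** Fails the request with a 403; always throws, never returns. */`. In changePassword (new line 78) the throw happens inside the Promise executor, which converts it into a rejection rather than a synchronous error, so that path presumably reaches the same error handling in PromiseRouter as the others — a one-line comment there would save the next reader the lookup. Minor: `const error = new Error("unauthorized");` replaces the separate message assignment in the helper. The handlers containing the first, second, fourth and fifth hunks start outside the hunk.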
