Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Parameter validation for /account/password/confirmReset #515 #516

Merged
merged 24 commits into from
Dec 5, 2023
Merged

Parameter validation for /account/password/confirmReset #515 #516

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
0fb0850
add redirect if either param is missing - working on flash
beckpaul Dec 3, 2023
f639adc
refactor to be more funcitonal - flashes are harder than ancicipated
beckpaul Dec 3, 2023
62dc98a
add .tool-versions to git ignore - this is used by asdf
beckpaul Dec 3, 2023
0bcd4c7
less verbose - turnary was being problematic
beckpaul Dec 3, 2023
0c1f04b
flashes work with this - however it does not confirm to other standards
beckpaul Dec 3, 2023
90497eb
found an example of this - working flashes following existing code co…
beckpaul Dec 3, 2023
ce71bd8
safe flash
beckpaul Dec 3, 2023
0d33d8b
fix flash persistence
beckpaul Dec 3, 2023
f1ef63c
linting
beckpaul Dec 3, 2023
64fe9fe
update unit tests
beckpaul Dec 3, 2023
6e186cc
lint again - sorry for wasting minutes my bad
beckpaul Dec 3, 2023
22cae7d
fix up testing
beckpaul Dec 3, 2023
2de4075
refactor to use express-validation
beckpaul Dec 4, 2023
e2adad7
lint
beckpaul Dec 4, 2023
91b1785
fix uppercase u
beckpaul Dec 4, 2023
4e5872f
user express validatior in routes for query params
beckpaul Dec 4, 2023
4065a4b
update tests, add secondary test
beckpaul Dec 4, 2023
4aba28d
add logging to docker - prints console.log into docker logs since the…
beckpaul Dec 4, 2023
02ccdee
merge
beckpaul Dec 5, 2023
27e2ad8
merge
beckpaul Dec 5, 2023
d60bf70
merge
beckpaul Dec 5, 2023
4959061
use new linting methodology - refactors
beckpaul Dec 5, 2023
2514fa6
comments and append to error for clarity
beckpaul Dec 5, 2023
fc0e862
organize setup a bit - fix tests
beckpaul Dec 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,3 +52,4 @@ public/js/*.js
sessions

dist
.tool-versions
4 changes: 3 additions & 1 deletion docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,9 @@ services:
context: .
networks:
- faf-stack

logging:
driver: "json-file"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this still needed?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will check and remove in next pr if not.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

already removed it, so you need to add it again... sry :)


networks:
faf-stack:
name: faf-stack_faf
Expand Down
57 changes: 47 additions & 10 deletions src/backend/routes/views/account/get/confirmPasswordReset.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,16 +1,53 @@
const axios = require('axios')
const appConfig = require('../../../../config/app')
const { validationResult } = require('express-validator')
exports = module.exports = function (req, res) {
const locals = res.locals
const errors = validationResult(req)

// locals.section is used to set the currently selected
// item in the header navigation.
locals.section = 'account'
// A render/redirect ignores this if not async and renders the confirm
// Theres probably a better way to do this
if (!errors.isEmpty()) {
return renderRequestPasswordReset(req, res, errors)
}

locals.formData = req.body || {}
res.render('account/confirmPasswordReset', {
section: 'account',
formData: req.body || {},
username: req.query.username,
token: req.query.token
})
}

const renderRequestPasswordReset = async (req, res, errors) => {
axios.post(appConfig.apiUrl + '/users/buildSteamPasswordResetUrl', {}, { maxRedirects: 0 }).then(response => {
if (response.status !== 200) {
throw new Error('java-api error')

Check warning on line 24 in src/backend/routes/views/account/get/confirmPasswordReset.js

View check run for this annotation

Codecov / codecov/patch

src/backend/routes/views/account/get/confirmPasswordReset.js#L24 

Added line #L24 was not covered by tests
}

const flash = null
errors.errors[errors.errors.length - 1].msg += '. You may request a new link here'

// Render the view
locals.username = req.query.username
locals.token = req.query.token
res.render('account/confirmPasswordReset', { flash })
return res.render('account/requestPasswordReset', {
section: 'account',
errors: {
class: 'alert-danger',
messages: errors,
type: 'Error!'
},
steamReset: response.data.steamUrl,
formData: {},
recaptchaSiteKey: appConfig.recaptchaKey
})
}).catch(error => {
console.error(error.toString())
return res.render('account/requestPasswordReset', {

Check warning on line 42 in src/backend/routes/views/account/get/confirmPasswordReset.js

View check run for this annotation

Codecov / codecov/patch

src/backend/routes/views/account/get/confirmPasswordReset.js#L40-L42 

Added lines #L40 - L42 were not covered by tests
section: 'account',
errors: {
class: 'alert-danger',
messages: error.toString(),
type: 'Error!'
},
formData: {},
recaptchaSiteKey: appConfig.recaptchaKey
})
})
}
5 changes: 2 additions & 3 deletions src/backend/routes/views/account/get/requestPasswordReset.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@ exports = module.exports = async function (req, res) {

res.render('account/requestPasswordReset', {
section: 'account',
flash: {},
steamReset: response.data.steamUrl,
formData,
recaptchaSiteKey: appConfig.recaptchaKey
Expand All @@ -23,9 +22,9 @@ exports = module.exports = async function (req, res) {
console.error(error.toString())
res.render('account/requestPasswordReset', {
section: 'account',
flash: {
errors: {
class: 'alert-danger',
messages: 'issue resetting',
messages: error.toString,
type: 'Error!'
},
formData,
Expand Down
6 changes: 5 additions & 1 deletion src/backend/routes/views/accountRouter.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
const express = require('../../ExpressApp')
const router = express.Router()

const { query } = require('express-validator')
const middlewares = require('../middleware')
const url = require('url')

Expand All @@ -18,7 +20,9 @@ router.post('/changeEmail', middlewares.isAuthenticated(), require('./account/po
router.get('/changeUsername', middlewares.isAuthenticated(), require('./account/get/changeUsername'))
router.post('/changeUsername', middlewares.isAuthenticated(), require('./account/post/changeUsername'))

router.get('/password/confirmReset', require('./account/get/confirmPasswordReset'))
router.get('/password/confirmReset', [query('token').notEmpty().withMessage('Missing token'),
query('username').notEmpty().withMessage('Missing username')],
require('./account/get/confirmPasswordReset'))
router.post('/password/confirmReset', require('./account/post/confirmPasswordReset'))

router.get('/requestPasswordReset', require('./account/get/requestPasswordReset'))
Expand Down
2 changes: 1 addition & 1 deletion src/backend/templates/views/account/confirmPasswordReset.pug
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ block content

.row
.col-md-offset-3.col-md-6
form(method='post',action="/account/password/confirmReset?username="+username+"&token="+token,data-toggle="validator")
form(method='post', action="/account/password/confirmReset?username="+username+"&token="+token, data-toggle="validator")
+confirm-password
.form-actions
button(type='submit').btn.btn-default.btn-lg.btn-outro.btn-danger Reset
8 changes: 4 additions & 4 deletions src/backend/templates/views/account/requestPasswordReset.pug
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
extends ../../layouts/default
include ../../mixins/flash-messages
include ../../mixins/flash-error
include ../../mixins/form/account
block bannerMixin
block bannerData
Expand All @@ -9,7 +9,7 @@ block bannerData
block content
.passResetContainer
.flashMessage.column12
+flash-messages(flash)
+flash-error(errors)
.passResetEmail.column12
h1 Reset password via email
p Enter your username or email below to reset your password.
Expand All @@ -27,11 +27,11 @@ block content
label.column12
.g-recaptcha(data-sitekey=recaptchaSiteKey)
.form-actions

button(type='submit').btn.btn-default.btn-lg.btn-outro.btn-danger Reset via email
br
br

br
br

Expand Down
20 changes: 19 additions & 1 deletion tests/integration/accountRouter.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ beforeEach(async () => {
describe('Account Routes', function () {
const publicUrls = [
'/account/requestPasswordReset',
'/account/password/confirmReset',
'/account/register',
'/account/activate'
]
Expand All @@ -22,6 +21,25 @@ describe('Account Routes', function () {
expect(res.statusCode).toBe(200)
})

test('responds with OK to provided parameters', async () => {
const response = await testSession.get('/account/password/confirmReset?username=turbo2&token=XXXXX')
expect(response.statusCode).toBe(200)
})

test('render request content if missing username parameter with flash', async () => {
const response = await testSession.get('/account/password/confirmReset?token=XXXXX')

expect(response.statusCode).toBe(200)
expect(response.text).toContain('Missing username')
})

test('render request content if missing token parameter with flash', async () => {
const response = await testSession.get('/account/password/confirmReset?token=XXXXX')

expect(response.statusCode).toBe(200)
expect(response.text).toContain('Missing username')
})

test('redirect old pw-reset routes', async () => {
const response = await testSession.get('/account/password/reset')
expect(response.statusCode).toBe(302)
Expand Down
4 changes: 4 additions & 0 deletions tests/setup.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,10 @@ beforeEach(() => {
}
})

nock(appConfig.apiUrl)
.post('/users/buildSteamPasswordResetUrl')
.reply(200, { steamUrl: 'http://localhost/test-steam-reset' })

nock(appConfig.apiUrl)
.get('/data/clan?include=leader&fields[clan]=name,tag,description,leader,memberships,createTime&fields[player]=login&page[number]=1&page[size]=3000')
.reply(200, fs.readFileSync('tests/integration/testData/clan/clans.json', { encoding: 'utf8', flag: 'r' }))
Expand Down
Loading