fix(controller): Validate params for register route in user controller

Blade Barringer
2015-11-21 14:57:59 -06:00
parent 75cea0c810
commit 074b3f5079


@@ -20,7 +20,7 @@ let api = {};
* @apiParam {String} username Username of the new user
* @apiParam {String} email Email address of the new user
* @apiParam {String} password Password for the new user account
* @apiParam {String} passwordConfirmation Password confirmation
* @apiParam {String} confirmPassword Password confirmation
*
* @apiSuccess {Object} user The user object
*/
@@ -28,32 +28,19 @@ api.registerLocal = {
method: 'POST',
url: '/user/auth/local/register',
handler (req, res, next) {
let email = req.body.email && req.body.email.toLowerCase();
let username = req.body.username;
let { email, username, password, confirmPassword } = req.body;
// Validate required params
if (!username) return next(new NotAuthorized(res.t('missingUsername')));
if (!email) return next(new NotAuthorized(res.t('missingEmail')));
if (!validator.isEmail(email)) return next(new NotAuthorized(res.t('invalidEmail')));
if (!password) return next(new NotAuthorized(res.t('missingPassword')));
if (password !== confirmPassword) return next(new NotAuthorized(res.t('passwordConfirmationMatch')));
// Get the lowercase version of username to check that we do not have duplicates
// So we can search for it in the database and then reject the choosen username if 1 or more results are found
let lowerCaseUsername = username && username.toLowerCase();
let newUser = new User({
auth: {
local: {
username,
lowerCaseUsername, // Store the lowercase version of the username
email, // Store email as lowercase
salt: passwordUtils.makeSalt(),
password: req.body.password,
passwordConfirmation: req.body.passwordConfirmation,
},
},
preferences: {
language: req.language,
},
});
newUser.registeredThrough = req.headers['x-client']; // TODO is this saved somewhere?
let validationErrors = newUser.validateSync(); // Validate synchronously for speed, remove if we add any async validator
if (validationErrors) return next(validationErrors);
let lowerCaseUsername = username.toLowerCase();
email = email.toLowerCase();
// Search for duplicates using lowercase version of username
User.findOne({$or: [
@@ -65,25 +52,48 @@ api.registerLocal = {
if (user) {
if (email === user.auth.local.email) return next(new NotAuthorized(res.t('emailTaken')));
// Check that the lowercase username isn't already used
if (lowerCaseUsername === user.auth.local.lowerCaseUsername) return next(new NotAuthorized(res.t('usernameTaken')));
if (lowerCaseUsername === user.auth.local.lowerCaseUsername) {
return next(new NotAuthorized(res.t('usernameTaken')));
}
}
let salt = passwordUtils.makeSalt();
let hashed_password = passwordUtils.encrypt(password, salt); // eslint-disable-line camelcase
let newUser = new User({
auth: {
local: {
username,
lowerCaseUsername,
email,
salt,
hashed_password, // eslint-disable-line camelcase
},
},
preferences: {
language: req.language,
},
});
newUser.registeredThrough = req.headers['x-client']; // TODO is this saved somewhere?
return newUser.save();
})
.then((savedUser) => {
res.status(201).json(savedUser);
if (savedUser) {
res.status(201).json(savedUser);
// Clean previous email preferences
EmailUnsubscription
.remove({email: savedUser.auth.local.email})
.then(() => sendTxnEmail(savedUser, 'welcome'));
// Clean previous email preferences
EmailUnsubscription
.remove({email: savedUser.auth.local.email})
.then(() => sendTxnEmail(savedUser, 'welcome'));
res.analytics.track('register', {
category: 'acquisition',
type: 'local',
gaLabel: 'local',
uuid: savedUser._id,
});
res.analytics.track('register', {
category: 'acquisition',
type: 'local',
gaLabel: 'local',
uuid: savedUser._id,
});
}
})
.catch(next);
},
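Review bot: The new guards after `let { email, username, password, confirmPassword } = req.body;` only test truthiness, so a non-string `username`, `email` or `password` in the JSON body (an object or array) passes them and then throws at `username.toLowerCase()` / `email.toLowerCase()` (and, depending on the validator version, inside `validator.isEmail`), surfacing as a thrown exception rather than the `NotAuthorized` 4xx the route intends. Tightening the checks to `if (typeof username !== 'string' || !username) return next(new NotAuthorized(res.t('missingUsername')));` (and likewise for `email` and `password`) keeps the error path uniform. Separately, the `EmailUnsubscription.remove(...).then(() => sendTxnEmail(savedUser, 'welcome'))` chain fired after the 201 response has no `.catch`, so a failure there becomes an unhandled rejection that the outer `.catch(next)` never sees. The `if (savedUser)` guard would also benefit from a comment such as `// savedUser is undefined when the duplicate check above already responded via next()`. The handler's body begins in an earlier hunk, so the full function is not visible in this one.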