From 781256c917b83d805144d6671a501b33a4eaf9ec Mon Sep 17 00:00:00 2001
From: Travis <thusman13@gmail.com>
Date: Sat, 24 Mar 2018 09:17:23 -0700
Subject: [PATCH]  fix: fix quest shop to not use string addition when buying
 quests (#10120)

* fix: fix quest shop to not use string addition when buying quests

fixes #10115

* Fixing quest purchase quantity interpretted as a string on the server side.

* Adjusting pull-request according to comments.

* Updating according to PR comments.
---
 test/common/ops/buy/buyQuest.js               | 37 +++++++++++++++++++
 test/common/ops/buy/purchase.js               | 13 +++++++
 .../components/shops/quests/buyQuestModal.vue |  2 +-
 website/common/locales/en/npc.json            |  1 +
 website/common/script/ops/buy/buyQuest.js     |  4 +-
 website/common/script/ops/buy/purchase.js     |  4 +-
 6 files changed, 58 insertions(+), 3 deletions(-)

diff --git a/test/common/ops/buy/buyQuest.js b/test/common/ops/buy/buyQuest.js
index 4a2c5b2b75..b75b86e93f 100644
--- a/test/common/ops/buy/buyQuest.js
+++ b/test/common/ops/buy/buyQuest.js
@@ -36,6 +36,43 @@ describe('shared.ops.buyQuest', () => {
     expect(analytics.track).to.be.calledOnce;
   });
 
+  it('buys a Quest scroll with the right quantity if a string is passed for quantity', () => {
+    user.stats.gp = 1000;
+    buyQuest(user, {
+      params: {
+        key: 'dilatoryDistress1',
+      },
+    }, analytics);
+    buyQuest(user, {
+      params: {
+        key: 'dilatoryDistress1',
+      },
+      quantity: '3',
+    }, analytics);
+
+    expect(user.items.quests).to.eql({
+      dilatoryDistress1: 4,
+    });
+  });
+
+  it('does not buy a Quest scroll when an invalid quantity is passed', (done) => {
+    user.stats.gp = 1000;
+    try {
+      buyQuest(user, {
+        params: {
+          key: 'dilatoryDistress1',
+        },
+        quantity: 'a',
+      }, analytics);
+    } catch (err) {
+      expect(err).to.be.an.instanceof(BadRequest);
+      expect(err.message).to.equal(i18n.t('invalidQuantity'));
+      expect(user.items.quests).to.eql({});
+      expect(user.stats.gp).to.equal(1000);
+      done();
+    }
+  });
+
   it('does not buy Quests without enough Gold', (done) => {
     user.stats.gp = 1;
     try {
diff --git a/test/common/ops/buy/purchase.js b/test/common/ops/buy/purchase.js
index ac099b087e..609d6d70c4 100644
--- a/test/common/ops/buy/purchase.js
+++ b/test/common/ops/buy/purchase.js
@@ -87,6 +87,19 @@ describe('shared.ops.purchase', () => {
       }
     });
 
+    it('prevents user from buying an invalid quantity', (done) => {
+      user.stats.gp = goldPoints;
+      user.purchased.plan.gemsBought = gemsBought;
+
+      try {
+        purchase(user, {params: {type: 'gems', key: 'gem'}, quantity: 'a'});
+      } catch (err) {
+        expect(err).to.be.an.instanceof(BadRequest);
+        expect(err.message).to.equal(i18n.t('invalidQuantity'));
+        done();
+      }
+    });
+
     it('returns error when unknown type is provided', (done) => {
       try {
         purchase(user, {params: {type: 'randomType', key: 'gem'}});
diff --git a/website/client/components/shops/quests/buyQuestModal.vue b/website/client/components/shops/quests/buyQuestModal.vue
index 483ee77717..26a5eae4a5 100644
--- a/website/client/components/shops/quests/buyQuestModal.vue
+++ b/website/client/components/shops/quests/buyQuestModal.vue
@@ -22,7 +22,7 @@
           .how-many-to-buy
             strong {{ $t('howManyToBuy') }}
           .box
-            input(type='number', min='0', v-model='selectedAmountToBuy')
+            input(type='number', min='0', v-model.number='selectedAmountToBuy')
           span.svg-icon.inline.icon-32(aria-hidden="true", v-html="(priceType  === 'gems') ? icons.gem : icons.gold")
           span.value(:class="priceType") {{ item.value }}
 
diff --git a/website/common/locales/en/npc.json b/website/common/locales/en/npc.json
index 033513630b..ee6ed35624 100644
--- a/website/common/locales/en/npc.json
+++ b/website/common/locales/en/npc.json
@@ -104,6 +104,7 @@
   "unlocked": "Items have been unlocked",
   "alreadyUnlocked": "Full set already unlocked.",
   "alreadyUnlockedPart": "Full set already partially unlocked.",
+  "invalidQuantity": "Quantity to purchase must be a number.",
 
   "USD": "(USD)",
   "newStuff": "New Stuff by Bailey",
diff --git a/website/common/script/ops/buy/buyQuest.js b/website/common/script/ops/buy/buyQuest.js
index f04504fdd3..59fd0dcd53 100644
--- a/website/common/script/ops/buy/buyQuest.js
+++ b/website/common/script/ops/buy/buyQuest.js
@@ -10,7 +10,9 @@ import get from 'lodash/get';
 // buy a quest with gold
 module.exports = function buyQuest (user, req = {}, analytics) {
   let key = get(req, 'params.key');
-  let quantity = req.quantity || 1;
+
+  let quantity = req.quantity ? Number(req.quantity) : 1;
+  if (isNaN(quantity)) throw new BadRequest(i18n.t('invalidQuantity', req.language));
 
   if (!key) throw new BadRequest(i18n.t('missingKeyParam', req.language));
 
diff --git a/website/common/script/ops/buy/purchase.js b/website/common/script/ops/buy/purchase.js
index 093fdfb59c..2fa5218c67 100644
--- a/website/common/script/ops/buy/purchase.js
+++ b/website/common/script/ops/buy/purchase.js
@@ -109,7 +109,9 @@ function purchaseItem (user, item, price, type, key) {
 module.exports = function purchase (user, req = {}, analytics) {
   let type = get(req.params, 'type');
   let key = get(req.params, 'key');
-  let quantity = req.quantity || 1;
+
+  let quantity = req.quantity ? Number(req.quantity) : 1;
+  if (isNaN(quantity)) throw new BadRequest(i18n.t('invalidQuantity', req.language));
 
   if (!type) {
     throw new BadRequest(i18n.t('typeRequired', req.language));