This commit is contained in:
syuilo 2017-02-22 19:39:34 +09:00
parent 060a31cce0
commit 45832e3de7
4 changed files with 32 additions and 4 deletions

View file

@ -8,9 +8,14 @@ const collection = db.get('users');
export default collection as any; // fuck type definition export default collection as any; // fuck type definition
export function validateUsername(username: string): boolean { export function validateUsername(username: string): boolean {
return /^[a-zA-Z0-9\-]{3,20}$/.test(username); return typeof username == 'string' && /^[a-zA-Z0-9\-]{3,20}$/.test(username);
}
export function validatePassword(password: string): boolean {
return typeof password == 'string' && password != '';
} }
export function isValidBirthday(birthday: string): boolean { export function isValidBirthday(birthday: string): boolean {
return /^([0-9]{4})\-([0-9]{2})-([0-9]{2})$/.test(birthday); return typeof birthday == 'string' && /^([0-9]{4})\-([0-9]{2})-([0-9]{2})$/.test(birthday);
}
} }

View file

@ -12,6 +12,16 @@ export default async (req: express.Request, res: express.Response) => {
const username = req.body['username']; const username = req.body['username'];
const password = req.body['password']; const password = req.body['password'];
if (typeof username != 'string') {
res.sendStatus(400);
return;
}
if (typeof password != 'string') {
res.sendStatus(400);
return;
}
// Fetch user // Fetch user
const user = await User.findOne({ const user = await User.findOne({
username_lower: username.toLowerCase() username_lower: username.toLowerCase()

View file

@ -3,7 +3,7 @@ import * as bcrypt from 'bcryptjs';
import rndstr from 'rndstr'; import rndstr from 'rndstr';
import recaptcha = require('recaptcha-promise'); import recaptcha = require('recaptcha-promise');
import User from '../models/user'; import User from '../models/user';
import { validateUsername } from '../models/user'; import { validateUsername, validatePassword } from '../models/user';
import serialize from '../serializers/user'; import serialize from '../serializers/user';
import config from '../../conf'; import config from '../../conf';
@ -34,7 +34,7 @@ export default async (req: express.Request, res: express.Response) => {
} }
// Validate password // Validate password
if (password == '') { if (!validatePassword(password)) {
res.sendStatus(400); res.sendStatus(400);
return; return;
} }

View file

@ -120,6 +120,19 @@ describe('API', () => {
}); });
})); }));
it('クエリをインジェクションできない', () => new Promise(async (done) => {
const me = await insertSakurako();
request('/signin', {
username: me.username,
password: {
$gt: ''
}
}).then(res => {
res.should.have.status(400);
done();
});
}));
it('正しい情報でサインインできる', () => new Promise(async (done) => { it('正しい情報でサインインできる', () => new Promise(async (done) => {
const me = await insertSakurako(); const me = await insertSakurako();
request('/signin', { request('/signin', {