
Commit 58a2ee3

bamwangflovilmart
authored and committed
Validate username password type when logging in, and validate email when reseting password (#2679)
* Validate username password type when logging in, and validate email when reset password * Add test for validation
1 parent eb1cfcf commit 58a2ee3

2 files changed

+103
-0
lines changed


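--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -74,6 +74,58 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it('user login with non-string username with REST API', (done) => {
+    Parse.User.signUp('asdf', 'zxcv', null, {
+      success: () => {
+        return rp.post({
+          url: 'http://localhost:8378/1/login',
+          headers: {
+            'X-Parse-Application-Id': Parse.applicationId,
+            'X-Parse-REST-API-Key': 'rest',
+          },
+          json: {
+            _method: 'GET',
+            username: {'$regex':'^asd'},
+            password: 'zxcv',
+          }
+        }).then((res) => {
+          fail(`no request should succeed: ${JSON.stringify(res)}`);
+          done();
+        }).catch((err) => {
+          expect(err.statusCode).toBe(404);
+          expect(err.message).toMatch('{"code":101,"error":"Invalid username/password."}');
+          done();
+        });
+      },
+    });
+  });
+
+  it('user login with non-string username with REST API', (done) => {
+    Parse.User.signUp('asdf', 'zxcv', null, {
+      success: () => {
+        return rp.post({
+          url: 'http://localhost:8378/1/login',
+          headers: {
+            'X-Parse-Application-Id': Parse.applicationId,
+            'X-Parse-REST-API-Key': 'rest',
+          },
+          json: {
+            _method: 'GET',
+            username: 'asdf',
+            password: {'$regex':'^zx'},
+          }
+        }).then((res) => {
+          fail(`no request should succeed: ${JSON.stringify(res)}`);
+          done();
+        }).catch((err) => {
+          expect(err.statusCode).toBe(404);
+          expect(err.message).toMatch('{"code":101,"error":"Invalid username/password."}');
+          done();
+        });
+      },
+    });
+  });
+
   it("user login", (done) => {
     Parse.User.signUp("asdf", "zxcv", null, {
       success: function(user) {
@@ -2465,6 +2517,51 @@ describe('Parse.User testing', () => {
     });
   });
 
+  it('should not send email when email is not a string', (done) => {
+    let emailCalled = false;
+    let emailOptions;
+    var emailAdapter = {
+      sendVerificationEmail: (options) => {
+        emailOptions = options;
+        emailCalled = true;
+      },
+      sendPasswordResetEmail: () => Promise.resolve(),
+      sendMail: () => Promise.resolve()
+    }
+    reconfigureServer({
+      appName: 'unused',
+      verifyUserEmails: true,
+      emailAdapter: emailAdapter,
+      publicServerURL: 'http://localhost:8378/1',
+    });
+    var user = new Parse.User();
+    user.set('username', '[email protected]');
+    user.set('password', 'zxcv');
+    user.set('email', '[email protected]');
+    user.signUp(null, {
+      success: (user) => {
+        return rp.post({
+          url: 'http://localhost:8378/1/requestPasswordReset',
+          headers: {
+            'X-Parse-Application-Id': Parse.applicationId,
+            'X-Parse-Session-Token': user.sessionToken,
+            'X-Parse-REST-API-Key': 'rest',
+          },
+          json: {
+            email: {"$regex":"^asd"},
+          }
+        }).then((res) => {
+          fail('no request should succeed: ' + JSON.stringify(res));
+          done();
+        }).catch((err) => {
+          expect(err.statusCode).toBe(400);
+          expect(err.message).toMatch('{"code":125,"error":"you must provide a valid email string"}');
+          done();
+        });
+      },
+    });
+  });
+
 
   it('should aftersave with full object', (done) => {
     var hit = 0;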
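Review bot: The second new test (new line 103) reuses the description 'user login with non-string username with REST API' although it sends a string username and an object as the password, so a failure report cannot distinguish the two cases; rename it, e.g. `it('user login with non-string password with REST API', (done) => {`. In the requestPasswordReset test (new line 2520), `emailCalled` and `emailOptions` are recorded by the stubbed `sendVerificationEmail` but never asserted, so the test does not actually check that no mail was sent for the bad input; either assert on them in the catch branch or drop them. `reconfigureServer(...)` is also called without waiting on its result before `user.signUp` — if it is asynchronous (its definition is not in this diff), the sign-up may race the reconfiguration.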

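--- a/src/Routers/UsersRouter.js
+++ b/src/Routers/UsersRouter.js
@@ -79,6 +79,9 @@ export class UsersRouter extends ClassesRouter {
     if (!req.body.password) {
       throw new Parse.Error(Parse.Error.PASSWORD_MISSING, 'password is required.');
     }
+    if (typeof req.body.username !== 'string' || typeof req.body.password !== 'string') {
+      throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
+    }
 
     let user;
     let isValidPassword = false;
@@ -190,6 +193,9 @@ export class UsersRouter extends ClassesRouter {
     if (!email) {
       throw new Parse.Error(Parse.Error.EMAIL_MISSING, "you must provide an email");
     }
+    if (typeof email !== 'string') {
+      throw new Parse.Error(Parse.Error.INVALID_EMAIL_ADDRESS, 'you must provide a valid email string');
+    }
     let userController = req.config.userController;
     return userController.sendPasswordResetEmail(email).then(token => {
       return Promise.resolve({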
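Review bot: The new guard at new line 82 carries no comment saying why it exists, even though it is the only thing keeping a JSON body value such as `{"$regex": "^asd"}` from reaching the user lookup that follows (the lookup itself is below the hunk, so this is inferred from the spec changes in the same commit); a one-line comment would keep the next refactor from dropping it, e.g. `// Credentials must be plain strings; an object here would reach the user query as a query operator.` The same comment belongs on the email guard at new line 196, which protects the `sendPasswordResetEmail(email)` call visible two lines later. Note that the two guards deliberately report differently — login answers OBJECT_NOT_FOUND with the same generic 'Invalid username/password.' as a wrong credential, so the response does not reveal which field was malformed, while the reset path names the problem — and that intent is worth stating in the comment so the messages are not "harmonised" later. The enclosing methods begin outside both hunks.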
