Login fixes

2018-08-31 13:00:27 +09:30 · 2018-08-31 13:00:27 +09:30 · b2234ef4f2
parent f9b5a84fb8
commit b2234ef4f2
4 changed files with 14 additions and 3 deletions
--- a/lib/common.js
+++ b/lib/common.js
@ -65,6 +65,17 @@ exports.checkLogin = (req, res, next) => {
    res.redirect('/admin/login');
 };

+exports.mongoSanitize = (param) => {
+    if (param instanceof Object) {
+        for (const key in param) {
+            if (/^\$/.test(key)) {
+                delete param[key];
+            }
+        }
+    }
+    return param;
+};
+
 // Middleware to check for admin access for certain route
 exports.checkAccess = (req, res, next) => {
    const routeCheck = _.find(restrictedRoutes, {'route': req.route.path});
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "express-cart",
-  "version": "1.1.7",
+  "version": "1.1.8",
  "description": "A fully functioning Node.js shopping cart with Stripe, PayPal and Authorize.net payments.",
  "private": false,
  "scripts": {
--- a/routes/admin.js
+++ b/routes/admin.js
@ -58,7 +58,7 @@ router.get('/admin/login', (req, res) => {
 router.post('/admin/login_action', (req, res) => {
    let db = req.app.db;

-    db.users.findOne({userEmail: req.body.email}, (err, user) => {
+    db.users.findOne({userEmail: common.mongoSanitize(req.body.email)}, (err, user) => {
        if(err){
            res.status(400).json({message: 'A user with that email does not exist.'});
            return;
--- a/routes/customer.js
+++ b/routes/customer.js
@ -133,7 +133,7 @@ router.get('/admin/customers/filter/:search', common.restrict, (req, res, next)
 router.post('/customer/login_action', async (req, res) => {
    let db = req.app.db;

-    db.customers.findOne({email: req.body.loginEmail}, (err, customer) => { // eslint-disable-line
+    db.customers.findOne({email: common.mongoSanitize(req.body.loginEmail)}, (err, customer) => { // eslint-disable-line
        if(err){
            // An error accurred
            return res.status(400).json({