Merge pull request #488 from gibkigonzo/bugfix/sec-fixes

Tomasz Kostuch · web-flow · commit aead6d80c1e1 · 2020-07-16T16:01:33.000+02:00
add validation for user profile update, add `getToken`
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Fix default value for `maxAgeForResponse` - @lauraseidler (#485)
 
+## [1.12.2] - UNRELEASED
+
+### Added
+
+- Added validation for user profile update.
+- add `getToken` to handle getting token from header
+
+### Fixed
+
 ## [1.12.1] - 2020.06.22
 
 ### Added
diff --git a/config/default.json b/config/default.json
@@ -12,6 +12,9 @@
     "invalidateCacheForwardUrl": "http://localhost:3000/invalidate?key=aeSu7aip&tag=",
     "showErrorStack": false
   },
+  "users": {
+    "tokenInHeader": false
+  },
   "orders": {
     "useServerQueue": false
   },
diff --git a/src/api/cart.ts b/src/api/cart.ts
@@ -1,4 +1,4 @@
-import { apiStatus, apiError } from '../lib/util';
+import { apiStatus, apiError, getToken } from '../lib/util';
 import { Router } from 'express';
 import PlatformFactory from '../platform/factory';
 
@@ -13,11 +13,12 @@ export default ({ config, db }) => {
 
   /**
    * POST create a cart
-   * req.query.token - user token
+   * req.query.token | req.headers.authorization - user token
    */
   cartApi.post('/create', (req, res) => {
     const cartProxy = _getProxy(req)
-    cartProxy.create(req.query.token).then((result) => {
+    const token = getToken(req)
+    cartProxy.create(token).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -26,18 +27,19 @@ export default ({ config, db }) => {
 
   /**
    * POST update or add the cart item
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   body.cartItem: {
    *    sku: orderItem.sku,
    *    qty: orderItem.qty,
    *   quoteId: cartKey}
    */
   cartApi.post('/update', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     if (!req.body.cartItem) {
       return apiStatus(res, 'No cartItem element provided within the request body', 500)
     }
-    cartProxy.update(req.query.token, req.query.cartId ? req.query.cartId : null, req.body.cartItem).then((result) => {
+    cartProxy.update(token, req.query.cartId ? req.query.cartId : null, req.body.cartItem).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -46,16 +48,17 @@ export default ({ config, db }) => {
 
   /**
    * POST apply the coupon code
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cart Ids
    *   req.query.coupon - coupon
    */
   cartApi.post('/apply-coupon', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     if (!req.query.coupon) {
       return apiStatus(res, 'No coupon code provided', 500)
     }
-    cartProxy.applyCoupon(req.query.token, req.query.cartId ? req.query.cartId : null, req.query.coupon).then((result) => {
+    cartProxy.applyCoupon(token, req.query.cartId ? req.query.cartId : null, req.query.coupon).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -64,12 +67,13 @@ export default ({ config, db }) => {
 
   /**
    * POST remove the coupon code
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cart Ids
    */
   cartApi.post('/delete-coupon', (req, res) => {
     const cartProxy = _getProxy(req)
-    cartProxy.deleteCoupon(req.query.token, req.query.cartId ? req.query.cartId : null).then((result) => {
+    const token = getToken(req)
+    cartProxy.deleteCoupon(token, req.query.cartId ? req.query.cartId : null).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -78,12 +82,13 @@ export default ({ config, db }) => {
 
   /**
    * GET get the applied coupon code
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cart Ids
    */
   cartApi.get('/coupon', (req, res) => {
     const cartProxy = _getProxy(req)
-    cartProxy.getCoupon(req.query.token, req.query.cartId ? req.query.cartId : null).then((result) => {
+    const token = getToken(req)
+    cartProxy.getCoupon(token, req.query.cartId ? req.query.cartId : null).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -92,18 +97,19 @@ export default ({ config, db }) => {
 
   /**
    * POST delete the cart item
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   body.cartItem: {
    *    sku: orderItem.sku,
    *    qty: orderItem.qty,
    *   quoteId: cartKey}
    */
   cartApi.post('/delete', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     if (!req.body.cartItem) {
       return apiStatus(res, 'No cartItem element provided within the request body', 500)
     }
-    cartProxy.delete(req.query.token, req.query.cartId ? req.query.cartId : null, req.body.cartItem).then((result) => {
+    cartProxy.delete(token, req.query.cartId ? req.query.cartId : null, req.body.cartItem).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -112,13 +118,14 @@ export default ({ config, db }) => {
 
   /**
    * GET pull the whole cart as it's currently se server side
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cartId
    */
   cartApi.get('/pull', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     res.setHeader('Cache-Control', 'no-cache, no-store');
-    cartProxy.pull(req.query.token, req.query.cartId ? req.query.cartId : null, req.body).then((result) => {
+    cartProxy.pull(token, req.query.cartId ? req.query.cartId : null, req.body).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -127,13 +134,14 @@ export default ({ config, db }) => {
 
   /**
    * GET totals the cart totals
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cartId
    */
   cartApi.get('/totals', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     res.setHeader('Cache-Control', 'no-cache, no-store');
-    cartProxy.totals(req.query.token, req.query.cartId ? req.query.cartId : null, req.body).then((result) => {
+    cartProxy.totals(token, req.query.cartId ? req.query.cartId : null, req.body).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -142,17 +150,18 @@ export default ({ config, db }) => {
 
   /**
    * POST /shipping-methods - available shipping methods for a given address
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cart ID if user is logged in, cart token if not
    *   req.body.address - shipping address object
    */
   cartApi.post('/shipping-methods', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     res.setHeader('Cache-Control', 'no-cache, no-store');
     if (!req.body.address) {
       return apiStatus(res, 'No address element provided within the request body', 500)
     }
-    cartProxy.getShippingMethods(req.query.token, req.query.cartId ? req.query.cartId : null, req.body.address).then((result) => {
+    cartProxy.getShippingMethods(token, req.query.cartId ? req.query.cartId : null, req.body.address).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -161,13 +170,14 @@ export default ({ config, db }) => {
 
   /**
    * GET /payment-methods - available payment methods
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cart ID if user is logged in, cart token if not
    */
   cartApi.get('/payment-methods', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     res.setHeader('Cache-Control', 'no-cache, no-store');
-    cartProxy.getPaymentMethods(req.query.token, req.query.cartId ? req.query.cartId : null).then((result) => {
+    cartProxy.getPaymentMethods(token, req.query.cartId ? req.query.cartId : null).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -176,17 +186,18 @@ export default ({ config, db }) => {
 
   /**
    * POST /shipping-information - set shipping information for collecting cart totals after address changed
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cart ID if user is logged in, cart token if not
    *   req.body.addressInformation - shipping address object
    */
   cartApi.post('/shipping-information', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     res.setHeader('Cache-Control', 'no-cache, no-store');
     if (!req.body.addressInformation) {
       return apiStatus(res, 'No address element provided within the request body', 500)
     }
-    cartProxy.setShippingInformation(req.query.token, req.query.cartId ? req.query.cartId : null, req.body).then((result) => {
+    cartProxy.setShippingInformation(token, req.query.cartId ? req.query.cartId : null, req.body).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
@@ -195,17 +206,18 @@ export default ({ config, db }) => {
 
   /**
    * POST /collect-totals - collect cart totals after shipping address changed
-   *   req.query.token - user token
+   *   req.query.token | req.headers.authorization - user token
    *   req.query.cartId - cart ID if user is logged in, cart token if not
    *   req.body.shippingMethod - shipping and payment methods object
    */
   cartApi.post('/collect-totals', (req, res) => {
     const cartProxy = _getProxy(req)
+    const token = getToken(req)
     res.setHeader('Cache-Control', 'no-cache, no-store');
     if (!req.body.methods) {
       return apiStatus(res, 'No shipping and payment methods element provided within the request body', 500)
     }
-    cartProxy.collectTotals(req.query.token, req.query.cartId ? req.query.cartId : null, req.body.methods).then((result) => {
+    cartProxy.collectTotals(token, req.query.cartId ? req.query.cartId : null, req.body.methods).then((result) => {
       apiStatus(res, result, 200);
     }).catch(err => {
       apiError(res, err);
diff --git a/src/api/user.ts b/src/api/user.ts
@@ -1,4 +1,4 @@
-import { apiStatus, encryptToken, decryptToken, apiError } from '../lib/util';
+import { apiStatus, encryptToken, decryptToken, apiError, getToken } from '../lib/util';
 import { Router } from 'express';
 import PlatformFactory from '../platform/factory';
 import jwt from 'jwt-simple';
@@ -21,6 +21,19 @@ function addUserGroupToken (config, result) {
   result.groupToken = jwt.encode(data, config.authHashSecret ? config.authHashSecret : config.objHashSecret)
 }
 
+function validateAddresses (currentAddresses = [], newAddresses = []) {
+  for (let address of newAddresses) {
+    if (!address.customer_id && !address.id) {
+      continue
+    } else {
+      const existingAddress = currentAddresses.find((existingAddress) => existingAddress.id === address.id && existingAddress.customer_id === address.customer_id)
+      if (!existingAddress) {
+        return 'Provided invalid address.id or address.customer_id'
+      }
+    }
+  }
+}
+
 export default ({config, db}) => {
   let userApi = Router();
 
@@ -139,7 +152,8 @@ export default ({config, db}) => {
    */
   userApi.get('/me', (req, res) => {
     const userProxy = _getProxy(req)
-    userProxy.me(req.query.token).then((result) => {
+    const token = getToken(req)
+    userProxy.me(token).then((result) => {
       addUserGroupToken(config, result)
       apiStatus(res, result, 200);
     }).catch(err => {
@@ -152,8 +166,9 @@ export default ({config, db}) => {
    */
   userApi.get('/order-history', (req, res) => {
     const userProxy = _getProxy(req)
+    const token = getToken(req)
     userProxy.orderHistory(
-      req.query.token,
+      token,
       req.query.pageSize || 20,
       req.query.currentPage || 1
     ).then((result) => {
@@ -166,12 +181,12 @@ export default ({config, db}) => {
   /**
    * POST for updating user
    */
-  userApi.post('/me', (req, res) => {
+  userApi.post('/me', async (req, res) => {
     const ajv = new Ajv();
-    const userProfileSchema = require('../models/userProfile.schema.json')
+    const userProfileSchema = require('../models/userProfileUpdate.schema.json')
     let userProfileSchemaExtension = {};
-    if (fs.existsSync(path.resolve(__dirname, '../models/userProfile.schema.extension.json'))) {
-      userProfileSchemaExtension = require('../models/userProfile.schema.extension.json');
+    if (fs.existsSync(path.resolve(__dirname, '../models/userProfileUpdate.schema.extension.json'))) {
+      userProfileSchemaExtension = require('../models/userProfileUpdate.schema.extension.json');
     }
     const validate = ajv.compile(merge(userProfileSchema, userProfileSchemaExtension))
 
@@ -186,20 +201,40 @@ export default ({config, db}) => {
     }
 
     const userProxy = _getProxy(req)
-    userProxy.update({token: req.query.token, body: req.body}).then((result) => {
+    const token = getToken(req)
+
+    try {
+      let { website_id, addresses } = await userProxy.me(token)
+      const { customer } = req.body
+
+      const validationMessage = validateAddresses(addresses, customer.addresses)
+      if (validationMessage) {
+        return apiStatus(res, validationMessage, 403)
+      }
+
+      const result = await userProxy.update({
+        token,
+        body: {
+          customer: {
+            ...customer,
+            website_id
+          }
+        }
+      })
       addUserGroupToken(config, result)
       apiStatus(res, result, 200)
-    }).catch(err => {
+    } catch (err) {
       apiStatus(res, err, 500)
-    })
+    }
   })
 
   /**
    * POST for changing user's password (old, keep for backward compatibility)
    */
   userApi.post('/changePassword', (req, res) => {
     const userProxy = _getProxy(req)
-    userProxy.changePassword({ token: req.query.token, body: req.body }).then((result) => {
+    const token = getToken(req)
+    userProxy.changePassword({ token, body: req.body }).then((result) => {
       apiStatus(res, result, 200)
     }).catch(err => {
       apiStatus(res, err, 500)
@@ -211,7 +246,8 @@ export default ({config, db}) => {
    */
   userApi.post('/change-password', (req, res) => {
     const userProxy = _getProxy(req)
-    userProxy.changePassword({token: req.query.token, body: req.body}).then((result) => {
+    const token = getToken(req)
+    userProxy.changePassword({token, body: req.body}).then((result) => {
       apiStatus(res, result, 200)
     }).catch(err => {
       apiStatus(res, err, 500)
diff --git a/src/lib/util.js b/src/lib/util.js
@@ -109,3 +109,9 @@ export function decryptToken (textToken, secret) {
   dec += decipher.final('utf8');
   return dec;
 }
+
+export function getToken (req) {
+  return config.users.tokenInHeader
+    ? (req.headers.authorization || '').replace('Bearer ', '')
+    : req.query.token
+}
diff --git a/src/models/userProfileUpdate.schema.extension.json b/src/models/userProfileUpdate.schema.extension.json
@@ -0,0 +1 @@
+{}
diff --git a/src/models/userProfileUpdate.schema.json b/src/models/userProfileUpdate.schema.json
diff --git a/src/platform/magento2/user.js b/src/platform/magento2/user.js
