feat: append sensitive data when as admin

web-tech-tw · Nov 16, 2024 · 511f366 · 511f366
1 parent 707c6a2
commit 511f366
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 30 deletions.
diff --git a/src/routes/rooms.js b/src/routes/rooms.js
@@ -200,15 +200,20 @@ router.patch(
     }),
 );
 
-router.get("/:code",
-    middlewareValidator.param("code").isString().notEmpty(),
+router.get("/:roomCode",
+    middlewareValidator.param("roomCode").isString().notEmpty(),
     middlewareInspector,
     withAwait(async (req, res) => {
+        // Get user ID
+        const userId = req.auth.id;
+
         // Get room code
-        const code = req.params.code;
+        const roomCode = req.params.roomCode;
 
         // Find room
-        const room = await Room.findOne({code}).exec();
+        const room = await Room.findOne({
+            code: roomCode,
+        }).exec();
         if (!room) {
             res.
                 status(StatusCodes.NOT_FOUND).
@@ -218,31 +223,43 @@ router.get("/:code",
             return;
         }
 
+        // Define room data
+        const roomData = {};
+
+        // Append sensitive data
+        const isAdministrator = room.administrators.some(
+            (administrator) => administrator.toString() === userId,
+        );
+        if (isAdministrator) {
+            Object.assign(roomData, room.toObject());
+        } else {
+            const {
+                label, members, description, backgroundImage, pageUrl,
+            } = room;
+            Object.assign(roomData, {
+                label, members, description, backgroundImage, pageUrl,
+            });
+        }
+
         // Send response
-        res.send({
-            label: room.label,
-            members: room.members,
-            description: room.description,
-            backgroundImage: room.backgroundImage,
-            pageUrl: room.pageUrl,
-        });
+        res.send(roomData);
     }),
 );
 
-router.patch("/:code",
+router.patch("/:roomCode",
     middlewareAccess(null),
-    middlewareValidator.param("code").isString().notEmpty(),
+    middlewareValidator.param("roomCode").isString().notEmpty(),
     middlewareInspector,
     withAwait(async (req, res) => {
         // Get user ID
         const userId = req.auth.id;
 
         // Get room code
-        const code = req.params.code;
+        const roomCode = req.params.roomCode;
 
         // Find room
         const room = await Room.findOne({
-            code,
+            code: roomCode,
             administrators: {
                 $in: [userId],
             },
@@ -278,20 +295,20 @@ router.patch("/:code",
     }),
 );
 
-router.delete("/:code",
+router.delete("/:roomCode",
     middlewareAccess(null),
-    middlewareValidator.param("code").isString().notEmpty(),
+    middlewareValidator.param("roomCode").isString().notEmpty(),
     middlewareInspector,
     withAwait(async (req, res) => {
         // Get user ID
         const userId = req.auth.id;
 
         // Get room code
-        const code = req.params.code;
+        const roomCode = req.params.roomCode;
 
         // Find room
         const room = await Room.findOne({
-            code,
+            code: roomCode,
             creator: userId,
         }).exec();
         if (!room) {
@@ -378,14 +395,11 @@ router.post("/:roomCode/administrators",
     }),
 );
 
-router.patch("/invitations/:invitationId",
+router.get("/invitations/:invitationId",
     middlewareAccess(null),
     middlewareValidator.param("invitationId").isString().notEmpty(),
     middlewareInspector,
     withAwait(async (req, res) => {
-        // Get user ID
-        const userId = req.auth.id;
-
         // Get user email
         const userEmail = req.auth.metadata.profile.email;
 
@@ -404,11 +418,23 @@ router.patch("/invitations/:invitationId",
             return;
         }
 
+        // Check email
+        if (invitation.email !== userEmail) {
+            res.
+                status(StatusCodes.FORBIDDEN).
+                send({
+                    error: "Invalid email",
+                });
+            return;
+        }
+
         // Get room code
         const roomCode = invitation.roomCode;
 
         // Find room
-        const room = await Room.findOne({code: roomCode}).exec();
+        const room = await Room.findOne({
+            code: roomCode,
+        }).exec();
         if (!room) {
             res.
                 status(StatusCodes.NOT_FOUND).
@@ -418,6 +444,37 @@ router.patch("/invitations/:invitationId",
             return;
         }
 
+        // Send response
+        res.send({room, invitation});
+    }),
+);
+
+router.patch("/invitations/:invitationId",
+    middlewareAccess(null),
+    middlewareValidator.param("invitationId").isString().notEmpty(),
+    middlewareInspector,
+    withAwait(async (req, res) => {
+        // Get user ID
+        const userId = req.auth.id;
+
+        // Get user email
+        const userEmail = req.auth.metadata.profile.email;
+
+        // Get request data
+        const invitationId = req.params.invitationId;
+
+        // Fine invitation
+        const cache = useCache();
+        const invitation = cache.get(`invitation:${invitationId}`);
+        if (!invitation) {
+            res.
+                status(StatusCodes.NOT_FOUND).
+                send({
+                    error: "Invitation not found",
+                });
+            return;
+        }
+
         // Check email
         if (invitation.email !== userEmail) {
             res.
@@ -428,11 +485,30 @@ router.patch("/invitations/:invitationId",
             return;
         }
 
+        // Get room code
+        const roomCode = invitation.roomCode;
+
+        // Find room
+        const room = await Room.findOne({
+            code: roomCode,
+        }).exec();
+        if (!room) {
+            res.
+                status(StatusCodes.NOT_FOUND).
+                send({
+                    error: "Room not found",
+                });
+            return;
+        }
+
         // Remove invitation
         cache.del(`invitation:${invitationId}`);
 
         // Check if the user is an administrator
-        if (room.administrators.map((i) => i.toString()).includes(userId)) {
+        const isAdministrator = room.administrators.some(
+            (administrator) => administrator.toString() === userId,
+        );
+        if (isAdministrator) {
             res.
                 status(StatusCodes.CONFLICT).
                 send({

diff --git a/src/utils/sara_token.js b/src/utils/sara_token.js
@@ -2,7 +2,7 @@
 // Token utils of Sara.
 
 // Import config
-const {getMust} = require("../config");
+const {getMust, isProduction} = require("../config");
 
 // Import modules
 const axios = require("axios");
@@ -39,8 +39,11 @@ const verifyOptions = {
  * @return {Promise<boolean>}
  */
 async function isActivated(tokenId) {
-    const queryKey = ["sara_token", tokenId].join(":");
+    if (!isProduction()) {
+        return true;
+    }
 
+    const queryKey = ["sara_token", tokenId].join(":");
     const cache = useCache();
     if (cache.has(queryKey)) {
         return cache.get(queryKey);

diff --git a/src/utils/test_token.js b/src/utils/test_token.js
@@ -4,11 +4,15 @@
 // Import config
 const {isProduction} = require("../config");
 
+// Import utils
+const {sha256hex} = require("./native");
+
+// Default fake user
 const DEFAULT_FAKE_USER = {
     _id: "67345206787c5d2b9be61c37",
-    nickname: "The Fake User",
-    email: "the_fake_user@web-tech-tw.github.io",
-    avatar_hash: "fake_user",
+    nickname: "Fake User",
+    email: "fake_user@web-tech-tw.github.io",
+    avatar_hash: sha256hex("fake_user@web-tech-tw.github.io"),
     roles: [],
 };