Merge pull request #530 from mchangrh/privateIDUsername

add privateID username check
This commit is contained in:
Ajay Ramachandran 2022-12-30 00:44:51 -05:00 committed by GitHub
commit 5a6ba891f9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 70 additions and 3 deletions

2
package-lock.json generated
View file

@ -7,7 +7,7 @@
"": {
"name": "sponsor_block_server",
"version": "0.1.0",
"license": "MIT",
"license": "AGPL-3.0-only",
"dependencies": {
"axios": "^1.1.3",
"better-sqlite3": "^8.0.1",

View file

@ -32,6 +32,11 @@ export async function setUsername(req: Request, res: Response): Promise<Response
// eslint-disable-next-line no-control-regex
userName = userName.replace(/[\u0000-\u001F\u007F-\u009F]/g, "");
// check privateID against publicID
if (!await checkPrivateUsername(userName, userID)) {
return res.sendStatus(400);
}
if (adminUserIDInput != undefined) {
//this is the admin controlling the other users account, don't hash the controling account's ID
adminUserIDInput = await getHashCache(adminUserIDInput);
@ -88,3 +93,13 @@ export async function setUsername(req: Request, res: Response): Promise<Response
return res.sendStatus(500);
}
}
async function checkPrivateUsername(username: string, userID: string): Promise<boolean> {
const userIDHash = await getHashCache(userID);
const userNameHash = await getHashCache(username);
if (userIDHash == userNameHash) return false;
const sponsorTimeRow = await db.prepare("get", `SELECT "userID" FROM "sponsorTimes" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
const userNameRow = await db.prepare("get", `SELECT "userID" FROM "userNames" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
if ((sponsorTimeRow || userNameRow)?.userID) return false;
return true;
}

View file

@ -22,12 +22,22 @@ const user07PrivateUserID = "setUsername_07";
const username07 = "Username 07";
const user08PrivateUserID = "setUsername_08";
// private = public cases
// user09 - username === privateID
const user09PrivateUserID = "setUsername_09";
// user 10/11 - user 11 username === user 10 privateID
const user10PrivateUserID = "setUsername_10_collision";
const username10 = "setUsername_10";
const user11PrivateUserID = "setUsername_11";
const user12PrivateUserID = "setUsername_12";
const username12 = "Username 12";
async function addUsername(userID: string, userName: string, locked = 0) {
await db.prepare("run", 'INSERT INTO "userNames" ("userID", "userName", "locked") VALUES(?, ?, ?)', [userID, userName, locked]);
await addLogUserNameChange(userID, userName);
}
async function getUsernameInfo(userID: string): Promise<{ userName: string, locked: string }> {
async function getUsernameInfo(userID: string): Promise<{ userName: string, locked: string}> {
const row = await db.prepare("get", 'SELECT "userName", "locked" FROM "userNames" WHERE "userID" = ?', [userID]);
if (!row) {
return null;
@ -88,6 +98,10 @@ describe("setUsername", () => {
await addUsername(getHash(user05PrivateUserID), username05, 0);
await addUsername(getHash(user06PrivateUserID), username06, 0);
await addUsername(getHash(user07PrivateUserID), username07, 1);
await addUsername(getHash(user07PrivateUserID), username07, 0);
await addUsername(getHash(user10PrivateUserID), username10, 0);
// user11 skipped
await addUsername(getHash(user12PrivateUserID), username12, 0);
});
it("Should be able to set username that has never been set", (done) => {
@ -240,6 +254,44 @@ describe("setUsername", () => {
const usernameInfo = await getUsernameInfo(getHash(user08PrivateUserID));
assert.strictEqual(usernameInfo, null);
done();
});
})
.catch((err) => done(err));
});
it("Should return error if trying to set username to privateID", (done) => {
const privateID = user09PrivateUserID;
postSetUserName(privateID, privateID)
.then(async (res) => {
assert.strictEqual(res.status, 400);
const usernameInfo = await getUsernameInfo(getHash(privateID));
assert.strictEqual(usernameInfo, null);
done();
})
.catch((err) => done(err));
});
it("Should return error if trying to set username to someone else's privateID", (done) => {
const privateID = user11PrivateUserID;
postSetUserName(privateID, user10PrivateUserID)
.then(async (res) => {
assert.strictEqual(res.status, 400);
const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's privateID
assert.strictEqual(usernameInfo, null);
done();
})
.catch((err) => done(err));
});
it("Should not return error if trying to set username to someone else's publicID", (done) => {
const privateID = user12PrivateUserID;
const user10PublicID = getHash(user10PrivateUserID);
postSetUserName(privateID, user10PublicID)
.then(async (res) => {
assert.strictEqual(res.status, 200);
const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's publicID
assert.strictEqual(usernameInfo.userName, user10PublicID);
done();
})
.catch((err) => done(err));
});
});