add privateID username check

- bump AGPL to package-lock
2024-09-19 20:51:19 +02:00 · 2022-12-30 00:41:45 -05:00 · 2022-12-30 00:41:45 -05:00 · 90e5446078
commit 90e5446078
parent dc0bde0e36
3 changed files with 70 additions and 3 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -7,7 +7,7 @@
    "": {
      "name": "sponsor_block_server",
      "version": "0.1.0",
-      "license": "MIT",
+      "license": "AGPL-3.0-only",
      "dependencies": {
        "axios": "^1.1.3",
        "better-sqlite3": "^8.0.1",
--- a/src/routes/setUsername.ts
+++ b/src/routes/setUsername.ts
@ -32,6 +32,11 @@ export async function setUsername(req: Request, res: Response): Promise<Response
    // eslint-disable-next-line no-control-regex
    userName = userName.replace(/[\u0000-\u001F\u007F-\u009F]/g, "");

+    // check privateID against publicID
+    if (!await checkPrivateUsername(userName, userID)) {
+        return res.sendStatus(400);
+    }
+
    if (adminUserIDInput != undefined) {
        //this is the admin controlling the other users account, don't hash the controling account's ID
        adminUserIDInput = await getHashCache(adminUserIDInput);
@ -88,3 +93,13 @@ export async function setUsername(req: Request, res: Response): Promise<Response
        return res.sendStatus(500);
    }
 }
+
+async function checkPrivateUsername(username: string, userID: string): Promise<boolean> {
+    const userIDHash = await getHashCache(userID);
+    const userNameHash = await getHashCache(username);
+    if (userIDHash == userNameHash) return false;
+    const sponsorTimeRow = await db.prepare("get", `SELECT "userID" FROM "sponsorTimes" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
+    const userNameRow = await db.prepare("get", `SELECT "userID" FROM "userNames" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
+    if ((sponsorTimeRow || userNameRow)?.userID) return false;
+    return true;
+}
--- a/test/cases/setUsername.ts
+++ b/test/cases/setUsername.ts
@ -22,12 +22,22 @@ const user07PrivateUserID = "setUsername_07";
 const username07 = "Username 07";
 const user08PrivateUserID = "setUsername_08";

+// private = public cases
+// user09 - username === privateID
+const user09PrivateUserID = "setUsername_09";
+// user 10/11 - user 11 username === user 10 privateID
+const user10PrivateUserID = "setUsername_10_collision";
+const username10 = "setUsername_10";
+const user11PrivateUserID = "setUsername_11";
+const user12PrivateUserID = "setUsername_12";
+const username12 = "Username 12";
+
 async function addUsername(userID: string, userName: string, locked = 0) {
    await db.prepare("run", 'INSERT INTO "userNames" ("userID", "userName", "locked") VALUES(?, ?, ?)', [userID, userName, locked]);
    await addLogUserNameChange(userID, userName);
 }

-async function getUsernameInfo(userID: string): Promise<{ userName: string, locked: string }> {
+async function getUsernameInfo(userID: string): Promise<{ userName: string, locked: string}> {
    const row = await db.prepare("get", 'SELECT "userName", "locked" FROM "userNames" WHERE "userID" = ?', [userID]);
    if (!row) {
        return null;
@ -88,6 +98,10 @@ describe("setUsername", () => {
        await addUsername(getHash(user05PrivateUserID), username05, 0);
        await addUsername(getHash(user06PrivateUserID), username06, 0);
        await addUsername(getHash(user07PrivateUserID), username07, 1);
+        await addUsername(getHash(user07PrivateUserID), username07, 0);
+        await addUsername(getHash(user10PrivateUserID), username10, 0);
+        // user11 skipped
+        await addUsername(getHash(user12PrivateUserID), username12, 0);
    });

    it("Should be able to set username that has never been set", (done) => {
@ -240,6 +254,44 @@ describe("setUsername", () => {
                const usernameInfo = await getUsernameInfo(getHash(user08PrivateUserID));
                assert.strictEqual(usernameInfo, null);
                done();
-            });
+            })
+            .catch((err) => done(err));
+    });
+
+    it("Should return error if trying to set username to privateID", (done) => {
+        const privateID = user09PrivateUserID;
+        postSetUserName(privateID, privateID)
+            .then(async (res) => {
+                assert.strictEqual(res.status, 400);
+                const usernameInfo = await getUsernameInfo(getHash(privateID));
+                assert.strictEqual(usernameInfo, null);
+                done();
+            })
+            .catch((err) => done(err));
+    });
+
+    it("Should return error if trying to set username to someone else's privateID", (done) => {
+        const privateID = user11PrivateUserID;
+        postSetUserName(privateID, user10PrivateUserID)
+            .then(async (res) => {
+                assert.strictEqual(res.status, 400);
+                const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's privateID
+                assert.strictEqual(usernameInfo, null);
+                done();
+            })
+            .catch((err) => done(err));
+    });
+
+    it("Should not return error if trying to set username to someone else's publicID", (done) => {
+        const privateID = user12PrivateUserID;
+        const user10PublicID = getHash(user10PrivateUserID);
+        postSetUserName(privateID, user10PublicID)
+            .then(async (res) => {
+                assert.strictEqual(res.status, 200);
+                const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's publicID
+                assert.strictEqual(usernameInfo.userName, user10PublicID);
+                done();
+            })
+            .catch((err) => done(err));
    });
 });