mirror of
https://github.com/ajayyy/SponsorBlockServer.git
synced 2024-11-10 01:02:30 +01:00
add privateID username check
- bump AGPL to package-lock
This commit is contained in:
parent
dc0bde0e36
commit
90e5446078
3 changed files with 70 additions and 3 deletions
2
package-lock.json
generated
2
package-lock.json
generated
|
@ -7,7 +7,7 @@
|
|||
"": {
|
||||
"name": "sponsor_block_server",
|
||||
"version": "0.1.0",
|
||||
"license": "MIT",
|
||||
"license": "AGPL-3.0-only",
|
||||
"dependencies": {
|
||||
"axios": "^1.1.3",
|
||||
"better-sqlite3": "^8.0.1",
|
||||
|
|
|
@ -32,6 +32,11 @@ export async function setUsername(req: Request, res: Response): Promise<Response
|
|||
// eslint-disable-next-line no-control-regex
|
||||
userName = userName.replace(/[\u0000-\u001F\u007F-\u009F]/g, "");
|
||||
|
||||
// check privateID against publicID
|
||||
if (!await checkPrivateUsername(userName, userID)) {
|
||||
return res.sendStatus(400);
|
||||
}
|
||||
|
||||
if (adminUserIDInput != undefined) {
|
||||
//this is the admin controlling the other users account, don't hash the controling account's ID
|
||||
adminUserIDInput = await getHashCache(adminUserIDInput);
|
||||
|
@ -88,3 +93,13 @@ export async function setUsername(req: Request, res: Response): Promise<Response
|
|||
return res.sendStatus(500);
|
||||
}
|
||||
}
|
||||
|
||||
async function checkPrivateUsername(username: string, userID: string): Promise<boolean> {
|
||||
const userIDHash = await getHashCache(userID);
|
||||
const userNameHash = await getHashCache(username);
|
||||
if (userIDHash == userNameHash) return false;
|
||||
const sponsorTimeRow = await db.prepare("get", `SELECT "userID" FROM "sponsorTimes" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
|
||||
const userNameRow = await db.prepare("get", `SELECT "userID" FROM "userNames" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
|
||||
if ((sponsorTimeRow || userNameRow)?.userID) return false;
|
||||
return true;
|
||||
}
|
|
@ -22,6 +22,16 @@ const user07PrivateUserID = "setUsername_07";
|
|||
const username07 = "Username 07";
|
||||
const user08PrivateUserID = "setUsername_08";
|
||||
|
||||
// private = public cases
|
||||
// user09 - username === privateID
|
||||
const user09PrivateUserID = "setUsername_09";
|
||||
// user 10/11 - user 11 username === user 10 privateID
|
||||
const user10PrivateUserID = "setUsername_10_collision";
|
||||
const username10 = "setUsername_10";
|
||||
const user11PrivateUserID = "setUsername_11";
|
||||
const user12PrivateUserID = "setUsername_12";
|
||||
const username12 = "Username 12";
|
||||
|
||||
async function addUsername(userID: string, userName: string, locked = 0) {
|
||||
await db.prepare("run", 'INSERT INTO "userNames" ("userID", "userName", "locked") VALUES(?, ?, ?)', [userID, userName, locked]);
|
||||
await addLogUserNameChange(userID, userName);
|
||||
|
@ -88,6 +98,10 @@ describe("setUsername", () => {
|
|||
await addUsername(getHash(user05PrivateUserID), username05, 0);
|
||||
await addUsername(getHash(user06PrivateUserID), username06, 0);
|
||||
await addUsername(getHash(user07PrivateUserID), username07, 1);
|
||||
await addUsername(getHash(user07PrivateUserID), username07, 0);
|
||||
await addUsername(getHash(user10PrivateUserID), username10, 0);
|
||||
// user11 skipped
|
||||
await addUsername(getHash(user12PrivateUserID), username12, 0);
|
||||
});
|
||||
|
||||
it("Should be able to set username that has never been set", (done) => {
|
||||
|
@ -240,6 +254,44 @@ describe("setUsername", () => {
|
|||
const usernameInfo = await getUsernameInfo(getHash(user08PrivateUserID));
|
||||
assert.strictEqual(usernameInfo, null);
|
||||
done();
|
||||
});
|
||||
})
|
||||
.catch((err) => done(err));
|
||||
});
|
||||
|
||||
it("Should return error if trying to set username to privateID", (done) => {
|
||||
const privateID = user09PrivateUserID;
|
||||
postSetUserName(privateID, privateID)
|
||||
.then(async (res) => {
|
||||
assert.strictEqual(res.status, 400);
|
||||
const usernameInfo = await getUsernameInfo(getHash(privateID));
|
||||
assert.strictEqual(usernameInfo, null);
|
||||
done();
|
||||
})
|
||||
.catch((err) => done(err));
|
||||
});
|
||||
|
||||
it("Should return error if trying to set username to someone else's privateID", (done) => {
|
||||
const privateID = user11PrivateUserID;
|
||||
postSetUserName(privateID, user10PrivateUserID)
|
||||
.then(async (res) => {
|
||||
assert.strictEqual(res.status, 400);
|
||||
const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's privateID
|
||||
assert.strictEqual(usernameInfo, null);
|
||||
done();
|
||||
})
|
||||
.catch((err) => done(err));
|
||||
});
|
||||
|
||||
it("Should not return error if trying to set username to someone else's publicID", (done) => {
|
||||
const privateID = user12PrivateUserID;
|
||||
const user10PublicID = getHash(user10PrivateUserID);
|
||||
postSetUserName(privateID, user10PublicID)
|
||||
.then(async (res) => {
|
||||
assert.strictEqual(res.status, 200);
|
||||
const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's publicID
|
||||
assert.strictEqual(usernameInfo.userName, user10PublicID);
|
||||
done();
|
||||
})
|
||||
.catch((err) => done(err));
|
||||
});
|
||||
});
|
||||
|
|
Loading…
Reference in a new issue