⏪ Revert removing deprecated register/update avatar APIs and CSRF

likecoin · Apr 19, 2021 · 56ef0a3 · 56ef0a3
1 parent ec95ee5
commit 56ef0a3
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 22 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -54,6 +54,7 @@
     "cookie-parser": "^1.4.3",
     "cors": "^2.8.5",
     "create-hash": "^1.2.0",
+    "csurf": "^1.9.0",
     "disposable-email-domains": "^1.0.56",
     "eth-sig-util": "^1.4.2",
     "express": "^4.17.0",

diff --git a/src/constant/index.js b/src/constant/index.js
@@ -119,6 +119,11 @@ export const BUTTON_COOKIE_OPTION = {
   sameSite: TEST_MODE ? false : 'none',
 };
 
+export const CSRF_COOKIE_OPTION = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV === 'production',
+};
+
 // TODO: duplicate with ../../constant.js
 export const W3C_EMAIL_REGEX = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
 export const EMAIL_REGEX = IS_TESTNET ? /.*/ : W3C_EMAIL_REGEX;

diff --git a/src/middleware/errorHandler.js b/src/middleware/errorHandler.js
@@ -22,6 +22,9 @@ export default function errorHandler(err, req, res, next) {
     if (err.code === 'LIMIT_FILE_SIZE') {
       return res.status(400).send('FILE_TOO_LARGE');
     }
+    if (err.code === 'EBADCSRFTOKEN') {
+      return res.status(400).send('BAD_CSRF_TOKEN');
+    }
   }
   return res.sendStatus(500);
 }
diff --git a/src/routes/users/registerLogin.js b/src/routes/users/registerLogin.js
@@ -1,5 +1,8 @@
 import { Router } from 'express';
+import bodyParser from 'body-parser';
+import csrf from 'csurf';
 import {
+  CSRF_COOKIE_OPTION,
   PUBSUB_TOPIC_MISC,
   TEST_MODE,
 } from '../../constant';
@@ -21,7 +24,10 @@ import {
   normalizeUserEmail,
   getUserAgentIsApp,
 } from '../../util/api/users';
-import { handleUserRegistration } from '../../util/api/users/register';
+import {
+  handleUserRegistration,
+  getAvatarUrl,
+} from '../../util/api/users/register';
 import { handleAppReferrer, handleUpdateAppMetaData } from '../../util/api/users/app';
 import { ValidationError } from '../../util/ValidationError';
 import { handleAvatarUploadAndGetURL } from '../../util/fileupload';
@@ -63,8 +69,36 @@ const apiLimiter = new RateLimit({
 
 router.use(loginPlatforms);
 
+function csrfCheck(req, res, next) {
+  const { 'user-agent': userAgent = '' } = req.headers;
+  if (userAgent.includes('LikeCoinApp')) {
+    next();
+  } else {
+    csrf({ cookie: CSRF_COOKIE_OPTION })(req, res, next);
+  }
+}
+
+// deprecated
+function isJson(req) {
+  return !!req.is('application/json');
+}
+
+// deprecated
+function loadMiddlewareByContentType(req, res, next) {
+  if (!isJson(req)) {
+    csrfCheck(req, res, (csrfErr) => {
+      if (csrfErr) next(csrfErr);
+      bodyParser.urlencoded({ extended: false })(req, res, (bpErr) => {
+        if (bpErr) next(bpErr);
+        multer.single('avatarFile')(req, res, next);
+      });
+    });
+  } else next();
+}
+
 router.post(
   '/new',
+  loadMiddlewareByContentType, // deprecated
   apiLimiter,
   async (req, res, next) => {
     const {
@@ -192,6 +226,7 @@ router.post(
 router.post(
   '/update',
   jwtAuth('write'),
+  loadMiddlewareByContentType, // deprecated
   async (req, res, next) => {
     try {
       const { user } = req.user;
@@ -217,12 +252,21 @@ router.post(
         locale: oldLocale,
       } = oldUserObj.data();
 
+      // update avatar
       const updateObj = {
         displayName,
         isEmailEnabled,
         locale,
       };
 
+      // deprecated
+      let avatarUrl;
+      const isLegacyReq = !isJson(req);
+      if (isLegacyReq) {
+        avatarUrl = await getAvatarUrl(req, user);
+        updateObj.avatar = avatarUrl;
+      }
+
       if (!oldEmail && email) {
         await userByEmailQuery(user, email);
         updateObj.email = email;
@@ -255,7 +299,7 @@ router.post(
         email: email || oldEmail,
         displayName: displayName || oldDisplayName,
         wallet,
-        avatar,
+        avatar: avatarUrl || avatar,
         referrer,
         locale: locale || oldLocale,
         registerTime: timestamp,

diff --git a/src/util/api/users/register.js b/src/util/api/users/register.js
@@ -301,3 +301,20 @@ export async function handleUserRegistration({
     socialPayload,
   };
 }
+
+// deprecated
+export async function getAvatarUrl(req, user) {
+  const { file } = req;
+  const { avatarSHA256 } = req.body;
+  let avatarUrl;
+  if (file) {
+    try {
+      avatarUrl = await handleAvatarUploadAndGetURL(user, file, avatarSHA256);
+    } catch (err) {
+      console.error('Avatar file handling error:');
+      console.error(err);
+      throw new ValidationError('INVALID_AVATAR');
+    }
+  }
+  return avatarUrl;
+}
diff --git a/test/api/user.test.js b/test/api/user.test.js
@@ -53,7 +53,7 @@ test.serial('USER: Login user. Case: success', async (t) => {
   t.is(res.status, 200);
 });
 
-test.serial('USER: Edit user. Case: success', async (t) => {
+test.serial('USER: Edit user by JSON. Case: success', async (t) => {
   const user = testingUser1;
   const token = jwtSign({ user });
   const payload = {
@@ -72,7 +72,7 @@ test.serial('USER: Edit user. Case: success', async (t) => {
   t.is(res.status, 200);
 });
 
-test.serial('USER: Edit user by form-data. Case: invalid content type', async (t) => {
+test.serial('USER: Edit user by form-data. Case: success', async (t) => {
   const user = testingUser1;
   const token = jwtSign({ user });
   const payload = new FormData();
@@ -83,13 +83,34 @@ test.serial('USER: Edit user by form-data. Case: invalid content type', async (t
   payload.append('email', '[email protected]');
   const res = await axiosist.post('/api/users/update', payload, {
     headers: {
-      Cookie: `likecoin_auth=${token};`,
+      Cookie: `likecoin_auth=${token}; _csrf=unit_test`,
+      'x-csrf-token': '73fb9061-W0SmQvlNKd0uKS4d2nKoZd0u7SA',
+      ...payload.getHeaders(),
+    },
+  });
+
+  t.is(res.status, 200);
+});
+
+test.serial('USER: Edit user by form-data. Case: invalid csrf token', async (t) => {
+  const user = testingUser1;
+  const token = jwtSign({ user });
+  const payload = new FormData();
+  payload.append('user', user);
+  payload.append('displayName', testingDisplayName1);
+  payload.append('ts', Date.now());
+  payload.append('wallet', testingWallet1);
+  payload.append('email', '[email protected]');
+  const res = await axiosist.post('/api/users/update', payload, {
+    headers: {
+      Cookie: `likecoin_auth=${token}; _csrf=unit_test`,
+      'x-csrf-token': 'invalid-token',
       ...payload.getHeaders(),
     },
   }).catch(err => err.response);
 
   t.is(res.status, 400);
-  t.is(res.data, 'INVALID_PAYLOAD');
+  t.is(res.data, 'BAD_CSRF_TOKEN');
 });
 
 test.serial('USER: Update avatar. Case: success', async (t) => {
@@ -303,6 +324,11 @@ for (let i = 0; i < userCases.length; i += 1) {
       payload: formatedPayload,
       sign,
       platform: 'wallet',
+    }, {
+      headers: {
+        Cookie: '_csrf=unit_test',
+        'x-csrf-token': '73fb9061-W0SmQvlNKd0uKS4d2nKoZd0u7SA',
+      },
     }).catch(err => err.response);
 
     t.is(res.status, 400);