Revert "⏪ Revert removing deprecated register/update avatar APIs and …

…CSRF" This reverts commit 56ef0a3.
likecoin · Apr 22, 2021 · 71b4a24 · 71b4a24
1 parent 56ef0a3
commit 71b4a24
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 168 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -54,7 +54,6 @@
     "cookie-parser": "^1.4.3",
     "cors": "^2.8.5",
     "create-hash": "^1.2.0",
-    "csurf": "^1.9.0",
     "disposable-email-domains": "^1.0.56",
     "eth-sig-util": "^1.4.2",
     "express": "^4.17.0",

diff --git a/src/constant/index.js b/src/constant/index.js
@@ -119,11 +119,6 @@ export const BUTTON_COOKIE_OPTION = {
   sameSite: TEST_MODE ? false : 'none',
 };
 
-export const CSRF_COOKIE_OPTION = {
-  httpOnly: true,
-  secure: process.env.NODE_ENV === 'production',
-};
-
 // TODO: duplicate with ../../constant.js
 export const W3C_EMAIL_REGEX = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
 export const EMAIL_REGEX = IS_TESTNET ? /.*/ : W3C_EMAIL_REGEX;

diff --git a/src/middleware/errorHandler.js b/src/middleware/errorHandler.js
@@ -22,9 +22,6 @@ export default function errorHandler(err, req, res, next) {
     if (err.code === 'LIMIT_FILE_SIZE') {
       return res.status(400).send('FILE_TOO_LARGE');
     }
-    if (err.code === 'EBADCSRFTOKEN') {
-      return res.status(400).send('BAD_CSRF_TOKEN');
-    }
   }
   return res.sendStatus(500);
 }
diff --git a/src/routes/users/registerLogin.js b/src/routes/users/registerLogin.js
@@ -1,8 +1,5 @@
 import { Router } from 'express';
-import bodyParser from 'body-parser';
-import csrf from 'csurf';
 import {
-  CSRF_COOKIE_OPTION,
   PUBSUB_TOPIC_MISC,
   TEST_MODE,
 } from '../../constant';
@@ -24,10 +21,7 @@ import {
   normalizeUserEmail,
   getUserAgentIsApp,
 } from '../../util/api/users';
-import {
-  handleUserRegistration,
-  getAvatarUrl,
-} from '../../util/api/users/register';
+import { handleUserRegistration } from '../../util/api/users/register';
 import { handleAppReferrer, handleUpdateAppMetaData } from '../../util/api/users/app';
 import { ValidationError } from '../../util/ValidationError';
 import { handleAvatarUploadAndGetURL } from '../../util/fileupload';
@@ -69,36 +63,8 @@ const apiLimiter = new RateLimit({
 
 router.use(loginPlatforms);
 
-function csrfCheck(req, res, next) {
-  const { 'user-agent': userAgent = '' } = req.headers;
-  if (userAgent.includes('LikeCoinApp')) {
-    next();
-  } else {
-    csrf({ cookie: CSRF_COOKIE_OPTION })(req, res, next);
-  }
-}
-
-// deprecated
-function isJson(req) {
-  return !!req.is('application/json');
-}
-
-// deprecated
-function loadMiddlewareByContentType(req, res, next) {
-  if (!isJson(req)) {
-    csrfCheck(req, res, (csrfErr) => {
-      if (csrfErr) next(csrfErr);
-      bodyParser.urlencoded({ extended: false })(req, res, (bpErr) => {
-        if (bpErr) next(bpErr);
-        multer.single('avatarFile')(req, res, next);
-      });
-    });
-  } else next();
-}
-
 router.post(
   '/new',
-  loadMiddlewareByContentType, // deprecated
   apiLimiter,
   async (req, res, next) => {
     const {
@@ -226,7 +192,6 @@ router.post(
 router.post(
   '/update',
   jwtAuth('write'),
-  loadMiddlewareByContentType, // deprecated
   async (req, res, next) => {
     try {
       const { user } = req.user;
@@ -252,21 +217,12 @@ router.post(
         locale: oldLocale,
       } = oldUserObj.data();
 
-      // update avatar
       const updateObj = {
         displayName,
         isEmailEnabled,
         locale,
       };
 
-      // deprecated
-      let avatarUrl;
-      const isLegacyReq = !isJson(req);
-      if (isLegacyReq) {
-        avatarUrl = await getAvatarUrl(req, user);
-        updateObj.avatar = avatarUrl;
-      }
-
       if (!oldEmail && email) {
         await userByEmailQuery(user, email);
         updateObj.email = email;
@@ -299,7 +255,7 @@ router.post(
         email: email || oldEmail,
         displayName: displayName || oldDisplayName,
         wallet,
-        avatar: avatarUrl || avatar,
+        avatar,
         referrer,
         locale: locale || oldLocale,
         registerTime: timestamp,

diff --git a/src/util/api/users/register.js b/src/util/api/users/register.js
@@ -301,20 +301,3 @@ export async function handleUserRegistration({
     socialPayload,
   };
 }
-
-// deprecated
-export async function getAvatarUrl(req, user) {
-  const { file } = req;
-  const { avatarSHA256 } = req.body;
-  let avatarUrl;
-  if (file) {
-    try {
-      avatarUrl = await handleAvatarUploadAndGetURL(user, file, avatarSHA256);
-    } catch (err) {
-      console.error('Avatar file handling error:');
-      console.error(err);
-      throw new ValidationError('INVALID_AVATAR');
-    }
-  }
-  return avatarUrl;
-}
diff --git a/test/api/user.test.js b/test/api/user.test.js
@@ -53,7 +53,7 @@ test.serial('USER: Login user. Case: success', async (t) => {
   t.is(res.status, 200);
 });
 
-test.serial('USER: Edit user by JSON. Case: success', async (t) => {
+test.serial('USER: Edit user. Case: success', async (t) => {
   const user = testingUser1;
   const token = jwtSign({ user });
   const payload = {
@@ -72,7 +72,7 @@ test.serial('USER: Edit user by JSON. Case: success', async (t) => {
   t.is(res.status, 200);
 });
 
-test.serial('USER: Edit user by form-data. Case: success', async (t) => {
+test.serial('USER: Edit user by form-data. Case: invalid content type', async (t) => {
   const user = testingUser1;
   const token = jwtSign({ user });
   const payload = new FormData();
@@ -83,34 +83,13 @@ test.serial('USER: Edit user by form-data. Case: success', async (t) => {
   payload.append('email', '[email protected]');
   const res = await axiosist.post('/api/users/update', payload, {
     headers: {
-      Cookie: `likecoin_auth=${token}; _csrf=unit_test`,
-      'x-csrf-token': '73fb9061-W0SmQvlNKd0uKS4d2nKoZd0u7SA',
-      ...payload.getHeaders(),
-    },
-  });
-
-  t.is(res.status, 200);
-});
-
-test.serial('USER: Edit user by form-data. Case: invalid csrf token', async (t) => {
-  const user = testingUser1;
-  const token = jwtSign({ user });
-  const payload = new FormData();
-  payload.append('user', user);
-  payload.append('displayName', testingDisplayName1);
-  payload.append('ts', Date.now());
-  payload.append('wallet', testingWallet1);
-  payload.append('email', '[email protected]');
-  const res = await axiosist.post('/api/users/update', payload, {
-    headers: {
-      Cookie: `likecoin_auth=${token}; _csrf=unit_test`,
-      'x-csrf-token': 'invalid-token',
+      Cookie: `likecoin_auth=${token};`,
       ...payload.getHeaders(),
     },
   }).catch(err => err.response);
 
   t.is(res.status, 400);
-  t.is(res.data, 'BAD_CSRF_TOKEN');
+  t.is(res.data, 'INVALID_PAYLOAD');
 });
 
 test.serial('USER: Update avatar. Case: success', async (t) => {
@@ -324,11 +303,6 @@ for (let i = 0; i < userCases.length; i += 1) {
       payload: formatedPayload,
       sign,
       platform: 'wallet',
-    }, {
-      headers: {
-        Cookie: '_csrf=unit_test',
-        'x-csrf-token': '73fb9061-W0SmQvlNKd0uKS4d2nKoZd0u7SA',
-      },
     }).catch(err => err.response);
 
     t.is(res.status, 400);