Merge pull request #179 from vtex-apps/fix/validate-shopperId
validate shopperID Email or UserID
cdcs0128 authored Aug 14, 2024
2 parents afa5383 + 1ee9e36 commit 47450a9
Showing 2 changed files with 39 additions and 52 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

## [Unreleased]

### Fix

- validate shopperID Email or UserID

## [1.18.1] - 2024-08-05

### Added
87 changes: 35 additions & 52 deletions dotnet/Services/WishListService.cs
Expand Up @@ -103,7 +103,7 @@ public async Task<bool> SaveList(IList<ListItem> listItems, string shopperId, st
public async Task<int?> SaveItem(ListItem listItem, string shopperId, string listName, bool? isPublic)
{

string VtexIdclientAutCookieKey = this._httpContextAccessor.HttpContext.Request.Headers["VtexIdclientAutCookie"];
string VtexIdclientAutCookieKey = this._httpContextAccessor.HttpContext.Request.Headers["VtexIdclientAutCookie"];

if (string.IsNullOrEmpty(_context.Vtex.StoreUserAuthToken) && string.IsNullOrEmpty(_context.Vtex.AdminUserAuthToken) && string.IsNullOrEmpty(VtexIdclientAutCookieKey))
{
Expand All @@ -126,63 +126,47 @@ public async Task<bool> SaveList(IList<ListItem> listItems, string shopperId, st
return null;
}

if(VtexIdclientAutCookieKey != null) {
ValidatedEmailToken responseValidateEmailAuthToken = null;

try {
responseValidateEmailAuthToken = await ValidateEmailAuthToken(VtexIdclientAutCookieKey);
} catch (Exception ex)
{
_context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex);
return null;
}

bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey";

if (!hasValidateEmail)
{
_context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId");
return null;
}
}

if(_context.Vtex.AdminUserAuthToken != null) {
ValidatedEmailToken responseValidateEmailAuthToken = null;
// Validation for PII
if (shopperId.ToLower().Contains('@')) {

if(_context.Vtex.StoreUserAuthToken != null) {
ValidatedEmailToken responseValidateEmailAuthToken = null;

try {
responseValidateEmailAuthToken = await ValidateEmailAuthToken(_context.Vtex.AdminUserAuthToken);
} catch (Exception ex)
{
_context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex);
return null;
}
try {
responseValidateEmailAuthToken = await ValidateEmailAuthToken(_context.Vtex.StoreUserAuthToken);
} catch (Exception ex)
{
_context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex);
return null;
}

bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey";
bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey";

if (!hasValidateEmail)
{
_context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId");
return null;
if (!hasValidateEmail)
{
_context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId");
return null;
}
}
}

if(_context.Vtex.StoreUserAuthToken != null) {
ValidatedEmailToken responseValidateEmailAuthToken = null;

if(VtexIdclientAutCookieKey != null) {
ValidatedEmailToken responseValidateEmailAuthToken = null;

try {
responseValidateEmailAuthToken = await ValidateEmailAuthToken(_context.Vtex.StoreUserAuthToken);
} catch (Exception ex)
{
_context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex);
return null;
}
try {
responseValidateEmailAuthToken = await ValidateEmailAuthToken(VtexIdclientAutCookieKey);
} catch (Exception ex)
{
_context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex);
return null;
}

bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey";
bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey";

if (!hasValidateEmail)
{
_context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId");
return null;
if (!hasValidateEmail)
{
_context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId");
return null;
}
}
}

Expand All @@ -191,7 +175,6 @@ public async Task<bool> SaveList(IList<ListItem> listItems, string shopperId, st
bool hasAdminPermission = validatedAdminUser != null && validatedAdminUser.AuthStatus.Equals("Success");
bool hasPermissionToken = validatedKeyApp != null && validatedKeyApp.AuthStatus.Equals("Success");


if (!hasPermission && !hasAdminPermission && !hasPermissionToken)
{
_context.Vtex.Logger.Warn("IsValidAuthUser", null, "User Does Not Have Permission");
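Review bot: The guard `if (shopperId.ToLower().Contains('@'))` in the second hunk makes the token-to-shopper binding apply only when shopperId looks like an email; for a user-id shopperId the block is skipped entirely, and the only checks left in view are the generic hasPermission/hasAdminPermission/hasPermissionToken ones in the third hunk, which do not compare the authenticated identity with shopperId. Unless a check outside these hunks covers the user-id case, a caller holding any valid store token could act on a list keyed by another user's id, so that case needs its own binding (or an explicit comment stating where it is enforced), e.g. `// TODO(review): bind a non-email shopperId (user id) to the authenticated user before accepting it`. Separately, `.ToLower()` is redundant since '@' has no case, and the call throws if shopperId is null, so `if (!string.IsNullOrEmpty(shopperId) && shopperId.Contains('@'))` is safer if a null check does not already precede it. SaveItem starts in the first hunk but its body ends outside these hunks.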
