feat: validate loginId to be a valid id generated from whisper (#729)

Co-authored-by: _sameer <[email protected]> Co-authored-by: Dunsin <[email protected]>
Dun-sin · Nov 29, 2024 · b5dbcfc · b5dbcfc
1 parent f33a6a3
commit b5dbcfc
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 6 deletions.
diff --git a/client/src/context/AuthContext.jsx b/client/src/context/AuthContext.jsx
@@ -2,6 +2,7 @@ import { createContext, useContext, useMemo, useReducer } from 'react';
 import PropTypes from 'prop-types';
 
 import authReducer, { initialState } from './reducers/authReducer';
+import { validateUserID } from 'src/lib/utils';
 
 const AuthContext = createContext({
 	...initialState,
@@ -23,10 +24,10 @@ const initializeAuthState = (defaultState) => {
 			return defaultState;
 		}
 
-		/**
-		 * TODO: Validate loginId to be a valid uuid using the uuid
-		 *       library from npm
-		 */
+		if (!validateUserID(persistedState.loginId, persistedState.loginType)) {
+			// User is trying to hack app by manipulating localStorage
+			throw new Error('Invalid loginId! :(');
+		}
 		if (!persistedState.loginId && persistedState.isLoggedIn === true) {
 			// User is trying to hack app by manipulating localStorage
 			throw new Error('Gotcha! :D');

diff --git a/client/src/lib/utils.js b/client/src/lib/utils.js
@@ -46,3 +46,16 @@ export const decrypt = (encryptedText) => {
 
 	return originalText;
 };
+
+export const validateUserID = (userID, userType) => {
+	const userIDPattern = /^[a-z0-9]{12}$/;
+	const userHexIdPattern = /^[a-f0-9]{24}$/;
+
+	if (userType === 'email') {
+		// user id validation for hex pattern of email login
+		return userHexIdPattern.test(userID);
+	} else {
+		// user id validation for anonymous login
+		return userIDPattern.test(userID);
+	}
+};
diff --git a/server/controllers/userController.js b/server/controllers/userController.js
@@ -9,7 +9,7 @@ const storage = multer.memoryStorage();
 const imageUpload = multer({ storage: storage });
 
 const User = require('../models/UserModel');
-const { emailValidator, generateObjectId } = require('../utils/helper');
+const { emailValidator, generateObjectId, validateUserID } = require('../utils/helper');
 
 const { isUserBlocked, blockUser } = require('../utils/lib.js');
 const {
@@ -169,7 +169,7 @@ const blockUserHandler = async (req, res) => {
   }
 }
 
-UserRouter.route('/login').post(emailValidator, loginUser);
+UserRouter.route('/login').post(emailValidator, validateUserID, loginUser);
 UserRouter.route('/profile').post(
   imageUpload.single('profileImage'),
   emailValidator,

diff --git a/server/utils/helper.js b/server/utils/helper.js
@@ -1,4 +1,5 @@
 const crypto = require('crypto');
+const { NOT_ACCEPTABLE } = require('../httpStatusCodes');
 
 // Defining separate email validation middleware
 const validator = require('validator').default;
@@ -18,7 +19,23 @@ function generateObjectId() {
   return crypto.randomBytes(12).toString('hex');
 }
 
+const validateUserID = (req, res, next) => {
+  const { id } = req.body;
+  const userIDPattern = /^[a-z0-9]{12}$/;
+
+  // If id is required and not present or invalid, reject the request
+  if (!id || typeof id !== 'string' || !userIDPattern.test(id)) {
+    return res.status(406).json({
+      message: 'Invalid login Id.'
+    });
+  }
+
+  // If id is valid, proceed to the next middleware
+  next();
+}
+
 module.exports = {
   emailValidator,
   generateObjectId,
+  validateUserID,
 };