router.post('/accounts', koaBody, function*() {
if (rateLimitReq(this, this.req)) return;
const params = this.request.body;
const account =
typeof params === 'string' ? JSON.parse(params) : params;
if (!checkCSRF(this, account.csrf)) return;
logRequest('accounts', this, { account });
if ($STM_Config.disable_signups) {
this.body = JSON.stringify({
error: 'New signups are temporary disabled.',
});
this.status = 401;
return;
}
const user_id = this.session.user;
if (!user_id) {
// require user to sign in with identity provider
this.body = JSON.stringify({ error: 'Unauthorized' });
this.status = 401;
return;
}
router.post('/accounts', koaBody, function*() {
if (rateLimitReq(this, this.req)) return;
const params = this.request.body;
const account =
typeof params === 'string' ? JSON.parse(params) : params;
if (!checkCSRF(this, account.csrf)) return;
logRequest('accounts', this, { account });
if ($STM_Config.disable_signups) {
this.body = JSON.stringify({
error: 'New signups are temporary disabled.',
});
this.status = 401;
return;
}
const user_id = this.session.user;
if (!user_id) {
// require user to sign in with identity provider
this.body = JSON.stringify({ error: 'Unauthorized' });
this.status = 401;
return;
}
function* confirmMobileHandler(e) {
if (!checkCSRF(this, this.request.body.csrf)) return;
const confirmation_code = this.params && this.params.code
? this.params.code
: this.request.body.code;
console.log(
"-- /confirm_mobile -->",
this.session.uid,
this.session.user,
confirmation_code
);
const user = yield models.User.findOne({
attributes: ['id', 'account_status'],
where: { id: this.session.user }
});
if (!user) {
this.flash = { error: "User session not found, please make sure you have cookies enabled in your browser for this website" };
router.post('/notifications/register', koaBody, function*() {
this.body = '';
try {
const params = this.request.body;
const { csrf, account, webpush_params } =
typeof params === 'string' ? JSON.parse(params) : params;
if (!checkCSRF(this, csrf)) return;
console.log(
'-- POST /notifications/register -->',
this.session.uid,
account,
webpush_params
);
if (!account || account !== this.session.a) return;
if (
!webpush_params ||
!webpush_params.endpoint ||
!webpush_params.endpoint.match(
/^https:\/\/android\.googleapis\.com/
)
)
return;
if (!webpush_params.keys || !webpush_params.keys.auth) return;
router.post('/api/v1/request_account_recovery', koaBody, function *() {
if (rateLimitReq(this, this.req)) return;
let params = this.request.body;
params = typeof(params) === 'string' ? JSON.parse(params) : params;
if (!checkCSRF(this, params.csrf)) return;
try {
if (!this.session.arec) {
console.log('-- /request_account_recovery --> this.session.arec is empty', this.session.uid);
this.body = JSON.stringify({error: 'Unauthorized'});
this.status = 401;
return;
}
const account_recovery_record = yield models.AccountRecoveryRequest.findOne({
attributes: ['id', 'account_name', 'provider', 'status'],
where: {id: this.session.arec}
});
if (!account_recovery_record || account_recovery_record.account_name !== params.name) {
console.log('-- /request_account_recovery --> no arec found or wrong name', this.session.uid, params.name);
this.body = JSON.stringify({error: 'Unauthorized'});
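router.post('/notifications/register', koaBody, function *() {
    // Stores a web-push subscription for the account bound to this session.
    // The response body is always empty; every failed check returns early
    // without changing it.
    this.body = '';
    try {
        const params = this.request.body;
        const {csrf, account, webpush_params} = typeof params === 'string' ? JSON.parse(params) : params;
        if (!checkCSRF(this, csrf)) return;
        // Log the endpoint only: `keys.auth` is the subscription's auth secret
        // and must not be written to the logs along with the rest of the params.
        console.log('-- POST /notifications/register -->', this.session.uid, account,
            webpush_params && webpush_params.endpoint);
        // The account named in the body must be the one attached to the session.
        if (!account || account !== this.session.a) return;
        // A non-string endpoint would make `.test` meaningless; reject it up front
        // instead of letting it surface as a TypeError in the catch below.
        if (!webpush_params || typeof webpush_params.endpoint !== 'string') return;
        // Anchor the host at the end of the authority section (path, query,
        // fragment or end of string). A bare prefix match also accepts hosts
        // that merely begin with this name, so it is not an allow-list.
        // Explicit ports are deliberately not accepted.
        if (!/^https:\/\/android\.googleapis\.com(?:[/?#]|$)/.test(webpush_params.endpoint)) return;
        if (!webpush_params.keys || !webpush_params.keys.auth) return;
        yield Tarantool.instance().call('webpush_subscribe', account, webpush_params);
    } catch (error) {
        console.error('-- POST /notifications/register error -->', this.session.uid, error.message);
    }
});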
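router.post('/initiate_account_recovery', koaBody, function *() {
    // Opens an AccountRecoveryRequest for the current session and redirects
    // the user to the identity provider named in the request body.
    if (rateLimitReq(this, this.req)) return;
    let params = this.request.body;
    params = typeof params === 'string' ? JSON.parse(params) : params;
    if (!checkCSRF(this, params.csrf)) return;
    console.log('-- /initiate_account_recovery -->', this.session.uid, params);
    this.session.recover_account = null;
    if (!params.account_name) {
        // NOTE(review): a missing field is a client error; 400 would be the
        // conventional status. Kept as-is so existing clients are unaffected.
        this.status = 500;
        this.body = 'please provide account name';
        return;
    }
    // Client-supplied fields go first so the server-controlled ones below
    // always win. With the spread placed last, a body carrying `uid` or
    // `status` would overwrite the values this handler is responsible for.
    const attrs = {
        ...params,
        uid: this.session.uid,
        status: 'open',
        remote_ip: getRemoteIp(this.req),
    };
    const request = yield models.AccountRecoveryRequest.create(escAttrs(attrs));
    console.log('-- /initiate_account_recovery request id -->', this.session.uid, request.id);
    // `session.arec` is what /api/v1/request_account_recovery later looks the
    // record up by.
    this.session.arec = request.id;
    this.redirect('/connect/' + params.provider);
});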
function* confirmMobileHandler(e) {
if (!checkCSRF(this, this.request.body.csrf)) return;
const confirmation_code = this.params && this.params.code
? this.params.code
: this.request.body.code;
console.log(
"-- /confirm_mobile -->",
this.session.uid,
this.session.user,
confirmation_code
);
const user = yield models.User.findOne({
attributes: ['id', 'account_status'],
where: { id: this.session.user }
});
if (!user) {
this.flash = { error: "User session not found, please make sure you have cookies enabled in your browser for this website" };
router.post("/submit_mobile", koaBody, function*() {
if (!checkCSRF(this, this.request.body.csrf)) return;
const user_id = this.session.user;
if (!user_id) {
this.flash = { error: "Your session has been interrupted, please start over" };
this.redirect('/pick_account');
return;
}
const country = this.request.body.country;
const localPhone = this.request.body.phone;
const enterMobileUrl = `/enter_mobile?phone=${localPhone}&country=${country}`;
if (!country || country === "") {
this.flash = { error: "Please select a country code" };
this.redirect(enterMobileUrl);
return;
}
router.post("/submit_mobile", koaBody, function*() {
if (!checkCSRF(this, this.request.body.csrf)) return;
const user_id = this.session.user;
if (!user_id) {
this.flash = { error: "Your session has been interrupted, please start over" };
this.redirect('/pick_account');
return;
}
const country = this.request.body.country;
const localPhone = this.request.body.phone;
const enterMobileUrl = `/enter_mobile?phone=${localPhone}&country=${country}`;
if (!country || country === "") {
this.flash = { error: "Please select a country code" };
this.redirect(enterMobileUrl);
return;
}