#61 Cleanup, check for injection attacks

2017-04-25 20:01:35 -04:00 · 2017-04-25 20:01:35 -04:00 · ea34e5b095
parent b390bd4a57
commit ea34e5b095
3 changed files with 28 additions and 34 deletions
--- a/config/routes/map.js
+++ b/config/routes/map.js
@ -13,7 +13,7 @@ router.get('/', mw.ensureAuth, (req,res)=>{

 // Show map
 router.get('/:slug?', (req,res,next)=>{
-
+	
 	User.findOne({slug:req.params.slug})
 	.then( (mapuser)=>{
 		if (!mapuser){ next(); } //404
--- a/config/routes/settings.js
+++ b/config/routes/settings.js
@ -44,18 +44,18 @@ router.route('/')
 					showStreetview: (req.body.showStreet)?true:false
 				};
 				
-				// Save user and send response
-				req.user.save()
-				.then( ()=>{
-					req.flash('success', 'Settings updated. ');
-					res.redirect('/settings');
-				})
-				.catch( (err)=>{
-					mw.throwErr(err,req);
-					res.redirect('/settings');
-				});
+			// Save user and send response
+			req.user.save()
+			.then( ()=>{
+				req.flash('success', 'Settings updated. ');
+				res.redirect('/settings');
+			})
+			.catch( (err)=>{
+				mw.throwErr(err,req);
+				res.redirect('/settings');
+			});
 			
-			}
+		}
 		
 		// Validations
 		if (req.body.slug==='') {
--- a/config/sockets.js
+++ b/config/sockets.js
@ -75,34 +75,28 @@ module.exports = {
 					
 					// Get loc.usr
 					User.findById(loc.usr)
+					.where('sk32').equals(loc.tok)
 					.then( (user)=>{
 						if (!user){
-							console.error("❌", new Error(`Recieved an update from ${socket.ip} for ${loc.usr}, but no such user was found in the db!`).message);
+							console.error("❌", new Error(`Recieved an update from ${socket.ip} for ${loc.usr} with tok of ${loc.tok}, but no such user was found in the db!`).message);
 						}
 						else {
 							
-							// Confirm sk32 token
-							if (loc.tok!=user.sk32) {
-								console.error("❌", new Error(`Recieved an update from ${socket.ip} for usr ${loc.usr} with tok of ${loc.tok}, but that user's sk32 is ${user.sk32}!`).message);
-							}
-							else {
+							// Broadcast location
+							io.to(loc.usr).emit('get', loc);
+							//console.log(`Broadcasting ${loc.lat}, ${loc.lon} to ${loc.usr}`);
+							
+							// Save in db as last seen
+							user.last = {
+								lat: parseFloat(loc.lat),
+								lon: parseFloat(loc.lon),
+								dir: parseFloat(loc.dir||0),
+								spd: parseFloat(loc.spd||0),
+								time: loc.time
+							};
+							user.save()
+							.catch( (err)=>{ console.error("❌", err.stack); });
 								
-								// Broadcast location
-								io.to(loc.usr).emit('get', loc);
-								//console.log(`Broadcasting ${loc.lat}, ${loc.lon} to ${loc.usr}`);
-								
-								// Save in db as last seen
-								user.last = {
-									lat: parseFloat(loc.lat),
-									lon: parseFloat(loc.lon),
-									dir: parseFloat(loc.dir||0),
-									spd: parseFloat(loc.spd||0),
-									time: loc.time
-								};
-								user.save()
-								.catch( (err)=>{ console.error("❌", err.stack); });
-								
-							}
 						}
 					})
 					.catch( (err)=>{ console.error("❌", err.stack); });