// AJAX methods to get, create, update or delete a user
-var router = require("express").Router();
-var UserModel = require('../models/User');
-var sendEmail = require('../utils/mailer');
-var genToken = require("../utils/tokenGenerator");
-var access = require("../utils/access");
-var params = require("../config/parameters");
+let router = require("express").Router();
+const UserModel = require('../models/User');
+const sendEmail = require('../utils/mailer');
+const genToken = require("../utils/tokenGenerator");
+const access = require("../utils/access");
+const params = require("../config/parameters");
// NOTE: this method is safe because the sessionToken must be guessed
router.get("/whoami", access.ajax, (req,res) => {
const anonymous = {name:"", email:"", id:0, notify:false};
if (!req.cookies.token)
return callback(anonymous);
+ if (!req.cookies.token.match(/^[a-z0-9]+$/))
+ return res.json({errmsg: "Bad token"});
UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
if (!!err || !user)
callback(anonymous);
// NOTE: this method is safe because only IDs and names are returned
router.get("/users", access.ajax, (req,res) => {
const ids = req.query["ids"];
+ if (!!ids && !ids.match(/^([0-9]+,?)+$/)) //NOTE: slightly too permissive
+ return res.json({errmsg: "Bad IDs array"});
UserModel.getByIds(ids, (err,users) => {
if (!!err)
return res.json({errmsg: err.toString()});
if (!!err)
return res.json({errmsg: err.toString()});
const body =
- "Hello " + to.name + "!\\n" +
+ "Hello " + to.name + "!" + `
+` +
"Access your account here: " +
- params.siteURL + "/#/authenticate/" + token + "\\n" +
+ params.siteURL + "/#/authenticate/" + token + `
+` +
"Token will expire in " + params.token.expire/(1000*60) + " minutes."
sendEmail(params.mail.noreply, to.email, subject, body, err => {
res.json(err || {});
});
router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
+ if (!req.query.token.match(/^[a-z0-9]+$/))
+ return res.json({errmsg: "Bad token"});
UserModel.getOne("loginToken", req.query.token, (err,user) => {
access.checkRequest(res, err, user, "Invalid token", () => {
// If token older than params.tokenExpire, do nothing