X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=models%2FUser.js;h=4b5c840a6730976a196b8b8f5c15edc5f370edc8;hb=badeb466c977ed9a8e1b464a2236001126decb9e;hp=171dc2c2d0fb816ef684bbfcd3e49c10acd43819;hpb=60d9063fdfcd4b7628fbc0e0fc594f083bda8761;p=vchess.git

diff --git a/models/User.js b/models/User.js
index 171dc2c2..4b5c840a 100644
--- a/models/User.js
+++ b/models/User.js
@@ -1,6 +1,6 @@
 var db = require("../utils/database");
 var maild = require("../utils/mailer.js");
-var TokenGen = require("../utils/tokenGenerator");
+var genToken = require("../utils/tokenGenerator");
 var params = require("../config/parameters");
 
 /*
@@ -14,10 +14,7 @@ var params = require("../config/parameters");
  *   notify: boolean (send email notifications for corr games)
  */
 
-// TODO: consider sanitizing http://www.unixwiz.net/techtips/sql-injection.html
-// But parameters are supposed to already be cleaned (in controller).
-
-// User creation
+// NOTE: parameters are already cleaned (in controller), thus no sanitization here
 exports.create = function(name, email, notify, callback)
 {
 	db.serialize(function() {
@@ -73,7 +70,7 @@ exports.trySetSessionToken = function(uid, cb)
 		db.get(querySessionToken, (err,ret) => {
 			if (!!err)
 				return cb(err);
-			const token = ret.sessionToken || TokenGen.generate(params.token.length);
+			const token = ret.sessionToken || genToken(params.token.length);
 			const queryUpdate =
 				"UPDATE Users " +
 				"SET loginToken = NULL" +