Sanitize inputs on server side

[vchess.git] / server / routes / users.js

diff --git a/server/routes/users.js b/server/routes/users.js
index b657920..1d553db 100644 (file)
--- a/server/routes/users.js
+++ b/server/routes/users.js
@@ -7,6 +7,7 @@ var genToken = require("../utils/tokenGenerator");
 var access = require("../utils/access");
 var params = require("../config/parameters");
 
+// NOTE: this method is safe because the sessionToken must be guessed
 router.get("/whoami", access.ajax, (req,res) => {
   const callback = (user) => {
     return res.json({
@@ -22,11 +23,21 @@ router.get("/whoami", access.ajax, (req,res) => {
   UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
     if (!!err || !user)
       callback(anonymous);
-    else (!!user)
+    else
       callback(user);
   });
 });
 
+// NOTE: this method is safe because only IDs and names are returned
+router.get("/users", access.ajax, (req,res) => {
+  const ids = req.query["ids"];
+  UserModel.getByIds(ids, (err,users) => {
+    if (!!err)
+      return res.json({errmsg: err.toString()});
+    return res.json({users:users});
+  });
+});
+
 // to: object user (to who we send an email)
 function setAndSendLoginToken(subject, to, res)
 {
@@ -36,7 +47,7 @@ function setAndSendLoginToken(subject, to, res)
                if (!!err)
                        return res.json({errmsg: err.toString()});
                const body =
-                       "Hello " + to.name + "!\n" +
+                       "Hello " + to.name + "!\\n" +
                        "Access your account here: " +
                        params.siteURL + "/#/authenticate/" + token + "\\n" +
                        "Token will expire in " + params.token.expire/(1000*60) + " minutes."