
Commit 22e6d22

committed
Reject token when userdata has been updated
1 parent 4e8a031 commit 22e6d22


2 files changed

+25
-17
lines changed


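--- a/api/auth.js
+++ b/api/auth.js
@@ -13,21 +13,18 @@ router.post('/login', (req, res) => {
 const secret = req.app.get('jwt-secret');
 const data = req.body;
 try{
-let users = await db.user.getByUsername(data.username);
-if (users.length !== 1) throw new Error('no_user');
-let user = users[0];
+let user = (await db.user.getByUsername(data.username))[0];
+if (!user) throw new Error('no_user');
 if (user.password !== hash_password(user.username, data.password) &&
 !TwinBcrypt.compareSync(data.password, user.password)) throw new Error('wrong_password');
-
-let teams = await db.team.getByTeamId(user.teamid);
-if (teams.length !== 1) throw new Error('no_team');
-let team = teams[0];
+
+let team = (await db.team.getByTeamId(user.teamid))[0];
+if (!team) throw new Error('no_team');
 
 let contests = await db.contest.getListByTeam(team.teamid);
 if (contests.length === 0) throw new Error('no_contest');
 
-let affils = await db.affiliation.getByAffilId(team.affilid);
-let affiliation = affils.length === 1 ? affils[0] : null;
+let affiliation = (await db.affiliation.getByAffilId(team.affilid))[0] || null;
 let userdata = {
 userid: user.userid,
 username: user.username,
@@ -75,14 +72,25 @@ router.get('/logout', (req, res) => {
 router.get('/user', (req, res) => {
 (async function(req, res){
 if (!req.user) throw Error();
-let users = await db.user.getByUsername(req.user.username);
-if (users.length !== 1) throw Error();
-let user = users[0];
+let user = (await db.user.getByUsername(req.user.username))[0];
+if (!user) throw Error();
+let team = (await db.team.getByTeamId(user.teamid))[0];
+if (!team) throw Error();
+let affiliation = (await db.affiliation.getByAffilId(team.affilid))[0] || null;
 
-let teams = await db.team.getByTeamId(user.teamid);
-if (teams.length !== 1) throw Error();
-
-res.json(req.user);
+let userdata = {
+userid: user.userid,
+username: user.username,
+name: user.name,
+teamname: team.name,
+teamid: team.teamid,
+affiliation: affiliation
+};
+// If userdata has been updated
+if (JSON.stringify(userdata) !== JSON.stringify(req.user))
+throw Error(); // reject the token
+
+res.send(req.user);
 })(req, res)
 .catch(() => res.json(null));
 });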
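Review bot: The staleness check added to GET /user (the `JSON.stringify(userdata) !== JSON.stringify(req.user)` line) only rejects an outdated token on that one route; middlewares/auth.js still builds req.user from the token claims alone, so any other handler that reads req.user (none visible here) keeps trusting a team or name that has since changed. If the goal is to invalidate tokens whenever userdata changes, the re-read and comparison belong in the middleware rather than in a single handler. The comparison is also key-order sensitive: it presumably holds today only because the token was signed from an object of the same shape, and any extra claim surviving the middleware's destructure, or a reordered field, would reject every token. An order-independent form is `if (!util.isDeepStrictEqual(JSON.parse(JSON.stringify(userdata)), req.user)) throw new Error('stale_token');` with `const util = require('util');` added to the file's requires; the JSON round-trip normalizes any Date from the DB rows to the string form the token carries. In the first hunk, inside router.post('/login') whose start lies before the hunk, the `users.length !== 1` guard became `!user`, which logs in as the first row if a username is ever duplicated — acceptable only if the column is unique, which is not visible here.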

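--- a/middlewares/auth.js
+++ b/middlewares/auth.js
@@ -9,7 +9,7 @@ module.exports = function(req, res, next) {
 req.user = null;
 try {
 // eslint-disable-next-line no-unused-vars
-let {iat, exp, iss, ...rest} = jwt.verify(token, secret, {
+let {iat, exp, iss, sub, ...rest} = jwt.verify(token, secret, {
 issuer: req.app.get('jwt-issuer'),
 subject: req.app.get('jwt-subject'),
 });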
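Review bot: The `sub` added to the destructure on line 12 carries no comment explaining why it is stripped, yet the /user handler in api/auth.js now depends on req.user holding exactly the signed userdata and nothing else. A one-line comment would keep that coupling visible: `// drop registered JWT claims (iat/exp/iss/sub) so req.user is exactly the signed userdata; /user compares it verbatim against the DB`. Any further claim that jwt.sign may emit if its options change (for example `aud` or `jti`) would also have to be listed here, or the verbatim comparison in /user rejects every token. The body of the exported middleware function continues past the end of this hunk.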
