Beginning validation middlewares

backend/apis/nodejs/src/routes/person_routes.js

@@ -11,7 +11,7 @@
     IN THE SOFTWARE.
 */
 
-const validator = require('../utils/validation');
+const validator = require('../utils/person_validator');
 const jwtUtils = require('../utils/middleware_utils');
 const bcrypt = require('bcrypt');
 const crypto = require('crypto');
@@ -29,23 +29,19 @@ const express = require('express');
  * @returns The activationlink identifier
  */
 async function registerPerson(req, res) {
+
+  const errors = validator.validationResult(req);
+
+  if (!errors.isEmpty()) {
+    return res.status(400).json({ errors: errors.array() });
+  }
+
   // Does this server allow users to register?
   if (process.env.ALLOW_USER_REGISTRATION === 'false') {
     return res.status(403).json({
       error: 'Users cannot register on this server'
     });
   }
-  // Ensure that the required fields are present before proceeding
-  if (!req.body.display_name || !req.body.email || !req.body.password) {
-    return res.status(400).json({
-      error: 'Some or all required fields are missing'
-    });
-  }
-  if (!validator.validateEmail(req.body.email)) {
-    return res.status(400).json({
-      error: 'The email is not in a valid format'
-    });
-  }
 
   // Generate activation link token
   const activationLink = crypto.randomBytes(16).toString('hex');
@@ -93,12 +89,6 @@ async function registerPerson(req, res) {
  * @returns The token
  */
 async function createTokenByEmailAndPassword(req, res) {
-  // Ensure that the required fields are present before proceeding
-  if (!req.body.email || !req.body.password) {
-    return res.status(400).json({
-      error: 'Invalid request'
-    });
-  }
 
   try {
     const person = await personModel.getPersonByEmailAndPassword(req.body.email, req.body.password);
@@ -312,8 +302,8 @@ async function confirmActivation(req, res) {
 }
 
 const publicRoutes = express.Router(); // Routes not requiring token
-publicRoutes.post('/persons', registerPerson);
+publicRoutes.post('/persons', validator.registerValidator, registerPerson);
-publicRoutes.post('/persons/me/token', createTokenByEmailAndPassword);
+publicRoutes.post('/persons/me/token', validator.getTokenValidator, createTokenByEmailAndPassword);
 publicRoutes.get('/persons/:id/details', getPerson);
 publicRoutes.get('/persons/me/activation', confirmActivation);
 

backend/apis/nodejs/src/utils/person_validator.js

@@ -0,0 +1,51 @@
+/*
+    This code is part of Blink
+    licensed under GPLv3
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED,  INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+    THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+    IN THE SOFTWARE.
+*/
+
+const {
+  check,
+  validationResult
+} = require("express-validator");
+
+const registerValidator = [
+  check('display_name').trim().notEmpty().escape().isLength({
+    max: 128
+  }),
+  check('email').isEmail().normalizeEmail().escape().isLength({
+    max: 128
+  }),
+  check('password').isLength({
+    min: 5
+  }).trim().escape().withMessage('Password must be at leat 5 characters long'),
+  check('date_of_birth').optional().isDate().withMessage('Invalid date format. Date must be YYYY-MM-DD'),
+  check('available').optional().isBoolean(),
+  check('place_of_living').isLength({
+    max: 128
+  }).escape(),
+  check('about_me').isLength({
+    max: 4096
+  }).escape(),
+  check('qualification').isLength({
+    max: 64
+  }).escape(),
+];
+
+const getTokenValidator = [
+  check('email').isEmail().normalizeEmail().escape(),
+  check('password').notEmpty().trim().escape()
+];
+
+module.exports = {
+  registerValidator,
+  getTokenValidator,
+  validationResult
+};

backend/apis/nodejs/src/utils/validation.js

@@ -1,38 +0,0 @@
-/*
-    This code is part of Blink
-    licensed under GPLv3
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED,  INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-    THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-    IN THE SOFTWARE.
-*/
-
-/**
- * Checks whether an e-mail is in a valid format
- * @param {*} email email to validate
- * @returns true or false
- */
-function validateEmail(email) {
-  const regex = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
-  return regex.test(email);
-}
-
-/**
- * Checks whether a date is in a correct Postgres
- * format (YYYY-MM-DD)
- * @param {*} dateString the date to validate
- * @returns true or false
- */
-function isPostgresDateFormatValid(dateString) {
-  const regex = /^\d{4}-\d{2}-\d{2}$/;
-  return regex.test(dateString);
-}
-
-module.exports = {
-  validateEmail,
-  isPostgresDateFormatValid
-};