Mirror/SponsorBlockServer
1
0
Fork 0
mirror of https://github.com/ajayyy/SponsorBlockServer.git synced 2025-12-30 11:28:19 +03:00
Code Issues Packages Projects Releases Wiki Activity

hook up extra functions to the request validator

Browse Source
This commit is contained in:
mini-bomba
2025-04-25 21:10:24 +02:00
parent b2cd048909
commit 4db4e9458e
6 changed files with 102 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/routes/setUsername.ts
View File

@@ -5,6 +5,7 @@ import { getHashCache } from "../utils/getHashCache";
import { Request, Response } from "express";
import { isUserBanned } from "../utils/checkBan";
import { HashedUserID } from "../types/user.model";
import { isRequestInvalid } from "../utils/requestValidator";
function logUserNameChange(userID: string, newUserName: string, oldUserName: string, updatedByAdmin: boolean): Promise<Response> {
return privateDB.prepare("run",
@@ -15,7 +16,7 @@ function logUserNameChange(userID: string, newUserName: string, oldUserName: str
export async function setUsername(req: Request, res: Response): Promise<Response> {
const userIDInput = req.query.userID as string;
const adminUserIDInput = req.query.adminUserID as string;
const adminUserIDInput = req.query.adminUserID as string | undefined;
let userName = req.query.username as string;
let hashedUserID: HashedUserID;
@@ -29,16 +30,22 @@ export async function setUsername(req: Request, res: Response): Promise<Response
return res.sendStatus(200);
}
const timings = [Date.now()];
// remove unicode control characters from username (example: \n, \r, \t etc.)
// source: https://en.wikipedia.org/wiki/Control_character#In_Unicode
// eslint-disable-next-line no-control-regex
userName = userName.replace(/[\u0000-\u001F\u007F-\u009F]/g, "");
try {
timings.push(Date.now());
if (isRequestInvalid({
userAgentHeader: req.headers["user-agent"],
userID: adminUserIDInput ?? userIDInput,
newUsername: userName,
endpoint: "setUsername",
})) {
Logger.warn(`Username change rejected by request validator: ${userName} ${req.headers["user-agent"]}`);
return res.sendStatus(200);
}
try {
if (adminUserIDInput != undefined) {
//this is the admin controlling the other users account, don't hash the controling account's ID
hashedUserID = userIDInput as HashedUserID;
@@ -55,15 +62,11 @@ export async function setUsername(req: Request, res: Response): Promise<Response
//hash the userID
hashedUserID = await getHashCache(userIDInput) as HashedUserID;
timings.push(Date.now());
const row = await db.prepare("get", `SELECT count(*) as "userCount" FROM "userNames" WHERE "userID" = ? AND "locked" = 1`, [hashedUserID]);
if (row.userCount > 0) {
return res.sendStatus(200);
}
timings.push(Date.now());
if (await isUserBanned(hashedUserID)) {
return res.sendStatus(200);
}
@@ -80,8 +83,6 @@ export async function setUsername(req: Request, res: Response): Promise<Response
const locked = adminUserIDInput === undefined ? 0 : 1;
let oldUserName = "";
timings.push(Date.now());
if (row?.userName !== undefined) {
//already exists, update this row
oldUserName = row.userName;
@@ -95,14 +96,9 @@ export async function setUsername(req: Request, res: Response): Promise<Response
await db.prepare("run", `INSERT INTO "userNames"("userID", "userName", "locked") VALUES(?, ?, ?)`, [hashedUserID, userName, locked]);
}
timings.push(Date.now());
await logUserNameChange(hashedUserID, userName, oldUserName, adminUserIDInput !== undefined);
timings.push(Date.now());
return res.status(200).send(timings.join(", "));
return res.sendStatus(200);
} catch (err) /* istanbul ignore next */ {
Logger.error(err as string);
return res.sendStatus(500);