diff --git a/spec/PublicAPI.spec.js b/spec/PublicAPI.spec.js
index f34ea0af55..c28914e348 100644
--- a/spec/PublicAPI.spec.js
+++ b/spec/PublicAPI.spec.js
@@ -63,3 +63,47 @@ describe("public API without publicServerURL", () => {
 });
 });
 });
+
+
+describe("public API supplied with invalid application id", () => {
+ beforeEach(done => {
+ reconfigureServer({appName: "unused"})
+ .then(done, fail);
+ });
+
+ it("should get 403 on verify_email", (done) => {
+ request('http://localhost:8378/1/apps/invalid/verify_email', (err, httpResponse) => {
+ expect(httpResponse.statusCode).toBe(403);
+ done();
+ });
+ });
+
+ it("should get 403 choose_password", (done) => {
+ request('http://localhost:8378/1/apps/choose_password?id=invalid', (err, httpResponse) => {
+ expect(httpResponse.statusCode).toBe(403);
+ done();
+ });
+ });
+
+ it("should get 403 on get of request_password_reset", (done) => {
+ request('http://localhost:8378/1/apps/invalid/request_password_reset', (err, httpResponse) => {
+ expect(httpResponse.statusCode).toBe(403);
+ done();
+ });
+ });
+
+
+ it("should get 403 on post of request_password_reset", (done) => {
+ request.post('http://localhost:8378/1/apps/invalid/request_password_reset', (err, httpResponse) => {
+ expect(httpResponse.statusCode).toBe(403);
+ done();
+ });
+ });
+
+ it("should get 403 on resendVerificationEmail", (done) => {
+ request('http://localhost:8378/1/apps/invalid/resend_verification_email', (err, httpResponse) => {
+ expect(httpResponse.statusCode).toBe(403);
+ done();
+ });
+ });
+});
diff --git a/src/Routers/PublicAPIRouter.js b/src/Routers/PublicAPIRouter.js
index 889c13a937..a126423cb0 100644
--- a/src/Routers/PublicAPIRouter.js
+++ b/src/Routers/PublicAPIRouter.js
@@ -15,6 +15,10 @@ export class PublicAPIRouter extends PromiseRouter {
 const appId = req.params.appId;
 const config = Config.get(appId);
+ if(!config){
+ this.invalidRequest();
+ }
+
 if (!config.publicServerURL) {
 return this.missingPublicServerURL();
 }
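Review bot: Every `request(...)` callback in the new spec dereferences `httpResponse.statusCode` without looking at `err`, so a transport failure (server not listening, connection reset) becomes a TypeError thrown inside the callback and `done` is never reached, which turns a readable assertion failure into a Jasmine timeout. Adding `expect(err).toBeNull();` ahead of the status assertion in each of the five `it` blocks keeps the failure mode clear. The tests also pin only the status code; asserting the body as well (presumably the `unauthorized` message the router attaches, if PromiseRouter forwards it) would catch a regression where some other path happens to answer 403.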
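Review bot: `this.invalidRequest();` is called as a bare statement and the guard only works because that helper throws; if it is ever changed to return a response object, execution falls through to `config.publicServerURL` on a null `config` and fails with a TypeError instead of the intended 403. Writing the guard as `if (!config) { return this.invalidRequest(); }` makes the early exit explicit and also matches the spacing style of the `if (!config.publicServerURL) {` line directly below it. The same pattern is repeated in the hunks at -40, -89 and -114, and inside the Promise executor in the hunk at -66, where a synchronous throw does reject the promise; for the other four handlers whether the thrown error becomes an HTTP 403 depends on PromiseRouter catching synchronous handler exceptions, which is not visible in this diff. The enclosing method starts before this hunk.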
@@ -40,6 +44,10 @@ export class PublicAPIRouter extends PromiseRouter {
 const appId = req.params.appId;
 const config = Config.get(appId);
+ if(!config){
+ this.invalidRequest();
+ }
+
 if (!config.publicServerURL) {
 return this.missingPublicServerURL();
 }
@@ -66,6 +74,11 @@ export class PublicAPIRouter extends PromiseRouter {
 changePassword(req) {
 return new Promise((resolve, reject) => {
 const config = Config.get(req.query.id);
+
+ if(!config){
+ this.invalidRequest();
+ }
+
 if (!config.publicServerURL) {
 return resolve({
 status: 404,
@@ -89,6 +102,10 @@ export class PublicAPIRouter extends PromiseRouter {
 const config = req.config;
+ if(!config){
+ this.invalidRequest();
+ }
+
 if (!config.publicServerURL) {
 return this.missingPublicServerURL();
 }
@@ -114,6 +131,10 @@ export class PublicAPIRouter extends PromiseRouter {
 const config = req.config;
+ if(!config){
+ this.invalidRequest();
+ }
+
 if (!config.publicServerURL) {
 return this.missingPublicServerURL();
 }
@@ -135,7 +156,7 @@ export class PublicAPIRouter extends PromiseRouter {
 location: `${config.passwordResetSuccessURL}?${params}`
 });
 }, (err) => {
- const params = qs.stringify({username: username, token: token, id: config.applicationId, error:err, app:config.appName})
+ const params = qs.stringify({username: username, token: token, id: config.applicationId, error:err, app:config.appName});
 return Promise.resolve({
 status: 302,
 location: `${config.choosePasswordURL}?${params}`
@@ -171,6 +192,13 @@ export class PublicAPIRouter extends PromiseRouter {
 });
 }
+ invalidRequest() {
+ const error = new Error();
+ error.status = 403;
+ error.message = "unauthorized";
+ throw error;
+ }
+
 setConfig(req) {
 req.config = Config.get(req.params.appId);
 return Promise.resolve();
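Review bot: `invalidRequest()` in the hunk at -171 builds the error field by field; `const error = new Error("unauthorized"); error.status = 403; throw error;` sets the message at construction so the stack trace and message agree, and drops a line. The method never returns, which is not obvious from its name, so a short comment above it would help callers, for example `// Throws a 403 error for requests whose appId does not resolve to a configured app; never returns.`. Note also that 403 is the Forbidden status while "unauthorized" is the reason phrase of 401; the pair is fine if it is an established convention in this router, but worth a second look.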