Update order endpoint for improved security
This commit is contained in:
parent
056ddff816
commit
2b2c3ba70e
2 changed files with 59 additions and 13 deletions
|
@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
- Order endpoint updated to ensure orders belong to shop before adding to DB.
|
||||||
- MongoDB driver updated to support MongoDB 6.
|
- MongoDB driver updated to support MongoDB 6.
|
||||||
- Full validation of Sapling addresses to parser.
|
- Full validation of Sapling addresses to parser.
|
||||||
|
|
||||||
|
|
|
@ -590,6 +590,7 @@ routes pipe config = do
|
||||||
let nodeUser = c_nodeUser config
|
let nodeUser = c_nodeUser config
|
||||||
let nodePwd = c_nodePwd config
|
let nodePwd = c_nodePwd config
|
||||||
let nodeAddress = c_nodeAddress config
|
let nodeAddress = c_nodeAddress config
|
||||||
|
let dbName = c_dbName config
|
||||||
middleware $
|
middleware $
|
||||||
cors $
|
cors $
|
||||||
const $
|
const $
|
||||||
|
@ -1428,6 +1429,10 @@ routes pipe config = do
|
||||||
case cast' . Doc =<< user of
|
case cast' . Doc =<< user of
|
||||||
Nothing -> status unauthorized401
|
Nothing -> status unauthorized401
|
||||||
Just u -> do
|
Just u -> do
|
||||||
|
dbOrder <-
|
||||||
|
liftAndCatchIO $ run (findOrderById $ maybe "0" show (q_id q))
|
||||||
|
case cast' . Doc =<< dbOrder of
|
||||||
|
Nothing -> do
|
||||||
if uaddress u == qaddress q
|
if uaddress u == qaddress q
|
||||||
then do
|
then do
|
||||||
if qtoken q == ""
|
if qtoken q == ""
|
||||||
|
@ -1438,9 +1443,29 @@ routes pipe config = do
|
||||||
run (upsertOrder $ setOrderToken (T.pack t) q)
|
run (upsertOrder $ setOrderToken (T.pack t) q)
|
||||||
status created201
|
status created201
|
||||||
else do
|
else do
|
||||||
_ <- liftAndCatchIO $ run (upsertOrder q)
|
_ <-
|
||||||
|
liftAndCatchIO $ access pipe master dbName (upsertOrder q)
|
||||||
status created201
|
status created201
|
||||||
else status forbidden403
|
else status forbidden403
|
||||||
|
Just dbO -> do
|
||||||
|
if qaddress q == qaddress dbO && qsession q == qsession dbO
|
||||||
|
then do
|
||||||
|
if uaddress u == qaddress q
|
||||||
|
then do
|
||||||
|
if qtoken q == ""
|
||||||
|
then do
|
||||||
|
t <- liftIO generateToken
|
||||||
|
_ <-
|
||||||
|
liftAndCatchIO $
|
||||||
|
run (upsertOrder $ setOrderToken (T.pack t) q)
|
||||||
|
status created201
|
||||||
|
else do
|
||||||
|
_ <-
|
||||||
|
liftAndCatchIO $
|
||||||
|
access pipe master dbName (upsertOrder q)
|
||||||
|
status created201
|
||||||
|
else status forbidden403
|
||||||
|
else status forbidden403
|
||||||
--Delete order
|
--Delete order
|
||||||
Web.Scotty.delete "/api/order/:id" $ do
|
Web.Scotty.delete "/api/order/:id" $ do
|
||||||
oId <- param "id"
|
oId <- param "id"
|
||||||
|
@ -1505,6 +1530,26 @@ routes pipe config = do
|
||||||
Just tP -> do
|
Just tP -> do
|
||||||
status ok200
|
status ok200
|
||||||
Web.Scotty.json $ toJSON (tP :: LangComponent)
|
Web.Scotty.json $ toJSON (tP :: LangComponent)
|
||||||
|
where
|
||||||
|
saveOrder :: Pipe -> T.Text -> User -> ZGoOrder -> ActionM ()
|
||||||
|
saveOrder pipe dbName u q = do
|
||||||
|
if uaddress u == qaddress q
|
||||||
|
then do
|
||||||
|
if qtoken q == ""
|
||||||
|
then do
|
||||||
|
t <- liftIO generateToken
|
||||||
|
_ <-
|
||||||
|
liftAndCatchIO $
|
||||||
|
access
|
||||||
|
pipe
|
||||||
|
master
|
||||||
|
dbName
|
||||||
|
(upsertOrder $ setOrderToken (T.pack t) q)
|
||||||
|
status created201
|
||||||
|
else do
|
||||||
|
_ <- liftAndCatchIO $ access pipe master dbName (upsertOrder q)
|
||||||
|
status created201
|
||||||
|
else status forbidden403
|
||||||
{-post "/api/setlang" $ do-}
|
{-post "/api/setlang" $ do-}
|
||||||
{-langComp <- jsonData-}
|
{-langComp <- jsonData-}
|
||||||
{-_ <--}
|
{-_ <--}
|
||||||