Update order endpoint for improved security

This commit is contained in:
Rene Vergara 2023-10-16 14:57:24 -05:00
parent 056ddff816
commit 2b2c3ba70e
Signed by: pitmutt
GPG key ID: 65122AD495A7F5B2
2 changed files with 59 additions and 13 deletions

View file

@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed ### Changed
- Order endpoint updated to ensure orders belong to shop before adding to DB.
- MongoDB driver updated to support MongoDB 6. - MongoDB driver updated to support MongoDB 6.
- Full validation of Sapling addresses to parser. - Full validation of Sapling addresses to parser.

View file

@ -590,6 +590,7 @@ routes pipe config = do
let nodeUser = c_nodeUser config let nodeUser = c_nodeUser config
let nodePwd = c_nodePwd config let nodePwd = c_nodePwd config
let nodeAddress = c_nodeAddress config let nodeAddress = c_nodeAddress config
let dbName = c_dbName config
middleware $ middleware $
cors $ cors $
const $ const $
@ -1428,20 +1429,44 @@ routes pipe config = do
case cast' . Doc =<< user of case cast' . Doc =<< user of
Nothing -> status unauthorized401 Nothing -> status unauthorized401
Just u -> do Just u -> do
if uaddress u == qaddress q dbOrder <-
then do liftAndCatchIO $ run (findOrderById $ maybe "0" show (q_id q))
if qtoken q == "" case cast' . Doc =<< dbOrder of
Nothing -> do
if uaddress u == qaddress q
then do then do
t <- liftIO generateToken if qtoken q == ""
_ <- then do
liftAndCatchIO $ t <- liftIO generateToken
run (upsertOrder $ setOrderToken (T.pack t) q) _ <-
status created201 liftAndCatchIO $
else do run (upsertOrder $ setOrderToken (T.pack t) q)
_ <- liftAndCatchIO $ run (upsertOrder q) status created201
status created201 else do
else status forbidden403 _ <-
--Delete order liftAndCatchIO $ access pipe master dbName (upsertOrder q)
status created201
else status forbidden403
Just dbO -> do
if qaddress q == qaddress dbO && qsession q == qsession dbO
then do
if uaddress u == qaddress q
then do
if qtoken q == ""
then do
t <- liftIO generateToken
_ <-
liftAndCatchIO $
run (upsertOrder $ setOrderToken (T.pack t) q)
status created201
else do
_ <-
liftAndCatchIO $
access pipe master dbName (upsertOrder q)
status created201
else status forbidden403
else status forbidden403
--Delete order
Web.Scotty.delete "/api/order/:id" $ do Web.Scotty.delete "/api/order/:id" $ do
oId <- param "id" oId <- param "id"
session <- param "session" session <- param "session"
@ -1505,6 +1530,26 @@ routes pipe config = do
Just tP -> do Just tP -> do
status ok200 status ok200
Web.Scotty.json $ toJSON (tP :: LangComponent) Web.Scotty.json $ toJSON (tP :: LangComponent)
where
saveOrder :: Pipe -> T.Text -> User -> ZGoOrder -> ActionM ()
saveOrder pipe dbName u q = do
if uaddress u == qaddress q
then do
if qtoken q == ""
then do
t <- liftIO generateToken
_ <-
liftAndCatchIO $
access
pipe
master
dbName
(upsertOrder $ setOrderToken (T.pack t) q)
status created201
else do
_ <- liftAndCatchIO $ access pipe master dbName (upsertOrder q)
status created201
else status forbidden403
{-post "/api/setlang" $ do-} {-post "/api/setlang" $ do-}
{-langComp <- jsonData-} {-langComp <- jsonData-}
{-_ <--} {-_ <--}