server: Clear responses for authorization
This commit is contained in:
parent
7aecbbba69
commit
3a7bc24968
1 changed files with 43 additions and 31 deletions
|
|
@ -61,34 +61,38 @@ class RegisterController extends Controller {
|
||||||
|
|
||||||
@override
|
@override
|
||||||
Future<Response> handle(Request request) async {
|
Future<Response> handle(Request request) async {
|
||||||
final json = await request.body.decode<Map<String, dynamic>>();
|
if (request.method == 'POST') {
|
||||||
final requestUser = RequestUser.fromJson(json);
|
final json = await request.body.decode<Map<String, dynamic>>();
|
||||||
|
final requestUser = RequestUser.fromJson(json);
|
||||||
|
|
||||||
// Check if we already have a user with that name.
|
// Check if we already have a user with that name.
|
||||||
final existingUser = await db.getUser(requestUser.name);
|
final existingUser = await db.getUser(requestUser.name);
|
||||||
if (existingUser != null) {
|
if (existingUser != null) {
|
||||||
// Returning something different than 200 here has the security
|
// Returning something different than 200 here has the security
|
||||||
// implication that an attacker can check for existing user names. At the
|
// implication that an attacker can check for existing user names. At the
|
||||||
// moment, I don't see any alternatives, because we don't use email
|
// moment, I don't see any alternatives, because we don't use email
|
||||||
// addresses for identification. The client needs to know, whether the
|
// addresses for identification. The client needs to know, whether the
|
||||||
// user name is already given.
|
// user name is already given.
|
||||||
return Response.conflict();
|
return Response.conflict();
|
||||||
|
} else {
|
||||||
|
final bytes = List.generate(32, (i) => _rand.nextInt(256));
|
||||||
|
final salt = base64UrlEncode(bytes);
|
||||||
|
final hash = _crypt.hashPass(salt, requestUser.password);
|
||||||
|
|
||||||
|
db.updateUser(User(
|
||||||
|
name: requestUser.name,
|
||||||
|
email: requestUser.email,
|
||||||
|
salt: salt,
|
||||||
|
hash: hash,
|
||||||
|
mayUpload: true,
|
||||||
|
mayEdit: false,
|
||||||
|
mayDelete: false,
|
||||||
|
));
|
||||||
|
|
||||||
|
return Response.ok(null);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
final bytes = List.generate(32, (i) => _rand.nextInt(256));
|
return Response(HttpStatus.methodNotAllowed, null, null);
|
||||||
final salt = base64UrlEncode(bytes);
|
|
||||||
final hash = _crypt.hashPass(salt, requestUser.password);
|
|
||||||
|
|
||||||
db.updateUser(User(
|
|
||||||
name: requestUser.name,
|
|
||||||
email: requestUser.email,
|
|
||||||
salt: salt,
|
|
||||||
hash: hash,
|
|
||||||
mayUpload: true,
|
|
||||||
mayEdit: false,
|
|
||||||
mayDelete: false,
|
|
||||||
));
|
|
||||||
|
|
||||||
return Response.ok(null);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -166,11 +170,19 @@ class AuthorizationController extends Controller {
|
||||||
request.mayUpload = user.mayUpload;
|
request.mayUpload = user.mayUpload;
|
||||||
request.mayEdit = user.mayEdit;
|
request.mayEdit = user.mayEdit;
|
||||||
request.mayDelete = user.mayDelete;
|
request.mayDelete = user.mayDelete;
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return request;
|
return request;
|
||||||
|
} else {
|
||||||
|
return Response.unauthorized();
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return Response.unauthorized();
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return Response.badRequest();
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return request;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
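Review bot: `db.updateUser(User(` in the new POST branch of `RegisterController.handle` is not awaited before `return Response.ok(null);`, so if it returns a Future (as the awaited `db.getUser` just above suggests) the client is told 200 while the write may still be pending or fail with no error reaching the response; change it to `await db.updateUser(User(` so a failed insert surfaces instead of reporting success. The `getUser` null check followed by `updateUser` is also a check-then-act window: two concurrent registrations with the same name can both pass the check, so the conflict should additionally be enforced by the store itself (a uniqueness constraint on `name`, or `updateUser` refusing an existing row). `_rand` is declared outside the hunk; if it is not a `Random.secure()` instance the 32-byte salt is predictable, and a comment at its declaration stating which generator it is would make that reviewable. `RequestUser.fromJson(json)` on a malformed body will presumably throw rather than produce a 400, unless `request.body.decode` already guards that — worth confirming given the commit's aim of clear responses.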
|
||||||
|
|
|
||||||