diff --git a/controllers/notebook.js b/controllers/notebook.js
index 95cb4b3..e7eda7c 100644
--- a/controllers/notebook.js
+++ b/controllers/notebook.js
@@ -17,6 +17,13 @@ function set_cors(req, res) {
 };
+const options = {
+ expiresIn: '2d',
+ issuer: 'https://github.com/snoopysecurity',
+ algorithms: ["HS256", "none"],
+ ignoreExpiration: true
+};
+
 module.exports = {
 list_all_notes: (req, res) => {
 res = set_cors(req, res)
@@ -25,10 +32,6 @@ module.exports = {
 if (!err) {
 let result = {}
 const token = req.headers.authorization.split(' ')[1];
- const options = {
- expiresIn: '2d',
- issuer: 'https://github.com/snoopysecurity',
- };
 result = jwt.verify(token, process.env.JWT_SECRET, options);
 Note.find({ user: result.user }, { __v: 0 }, function (err, someValue) {
 if (err) res.json(err);
@@ -68,10 +71,6 @@ module.exports = {
 if (!err) {
 let result = {}
 const token = req.headers.authorization.split(' ')[1]; // Bearer
- const options = {
- expiresIn: '2d',
- issuer: 'https://github.com/snoopysecurity',
- };
 result = jwt.verify(token, process.env.JWT_SECRET, options);
 var body = req.body
diff --git a/controllers/passphrase.js b/controllers/passphrase.js
index bfafe6b..a45058c 100644
--- a/controllers/passphrase.js
+++ b/controllers/passphrase.js
@@ -15,6 +15,13 @@ function set_cors(req, res) {
 return res;
 };
+const options = {
+ expiresIn: '2d',
+ issuer: 'https://github.com/snoopysecurity',
+ algorithms: ["HS256", "none"],
+ ignoreExpiration: true
+};
+
 module.exports = {
 save: (req, res) => {
 res = set_cors(req, res)
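Review bot: The module-level `options` object introduced in this hunk lists `"none"` in `algorithms` and sets `ignoreExpiration: true`, so every `jwt.verify(token, process.env.JWT_SECRET, options)` that now consumes it will treat an unsigned token as valid (possession of `JWT_SECRET` is no longer required to pass verification) and will accept a token whose `exp` has already passed. `expiresIn` is a `jwt.sign` option with no effect in `verify`, so the default expiration check that `ignoreExpiration` switches off was the only lifetime enforcement these handlers had. Unless this weakening is the intended exercise for a training target, the shared object should read `const options = { issuer: 'https://github.com/snoopysecurity', algorithms: ['HS256'] };`. The same pattern is introduced in the passphrase.js, storage.js and users.js hunks and in utils.js, which should be corrected together so that sign (`algorithm: "HS256"`) and verify agree.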
@@ -24,10 +31,6 @@ module.exports = {
 } else {
 let result = {}
 const token = req.headers.authorization.split(' ')[1];
- const options = {
- expiresIn: '2d',
- issuer: 'https://github.com/snoopysecurity',
- };
 result = jwt.verify(token, process.env.JWT_SECRET, options);
 sql.query("CREATE TABLE IF NOT EXISTS `passphrases` (`username` varchar(200) NOT NULL,`passphrase` varchar(200) NOT NULL,`reminder` varchar(200) NOT NULL,`created_at` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP)")
diff --git a/controllers/storage.js b/controllers/storage.js
index 021ef26..02766d5 100644
--- a/controllers/storage.js
+++ b/controllers/storage.js
@@ -3,6 +3,15 @@ const url = require('url');
 const fs = require('fs');
 const http = require('http');
+
+const options = {
+ expiresIn: '2d',
+ issuer: 'https://github.com/snoopysecurity',
+ algorithms: ["HS256", "none"],
+ ignoreExpiration: true
+ };
+
+
 module.exports = {
 post: (req, res) => {
@@ -12,10 +21,6 @@ module.exports = {
 let result = {}
 const token = req.headers.authorization.split(' ')[1];
- const options = {
- expiresIn: '2d',
- issuer: 'https://github.com/snoopysecurity',
- };
 result = jwt.verify(token, process.env.JWT_SECRET, options);
@@ -34,9 +39,11 @@ module.exports = {
 }
 if (typeof sampleFile.name !== 'undefined') {
- sampleFile.name = 'undefined';
- }
-
+ if ( sampleFile.name.endsWith(".xml") == false ) {
+ res.status(400).send("Uploaded file is not an XML file.");
+ return;
+ }
+ }
 filePath = __dirname + '/../public/uploads/' + result.user + "/" + sampleFile.name;
@@ -54,10 +61,6 @@ module.exports = {
 let result = {}
 const token = req.headers.authorization.split(' ')[1]; // Bearer
- const options = {
- expiresIn: '2d',
- issuer: 'https://github.com/snoopysecurity',
- };
 result = jwt.verify(token, process.env.JWT_SECRET, options);
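Review bot: The new extension check in the `@@ -34,9 +39,11 @@` hunk of storage.js only inspects the suffix of `sampleFile.name`, while the name is still concatenated unchanged into `filePath` on the following context line, so the check establishes nothing about whether the written path stays inside `public/uploads/<user>`; with the old line that overwrote the name removed, this is now the only validation on that value. Reduce the name to its last path segment before both the check and the path build, e.g. `const safeName = path.basename(sampleFile.name);`, `if (!safeName.endsWith('.xml')) { res.status(400).send("Uploaded file is not an XML file."); return; }`, and use `safeName` in `filePath`; the visible requires in the `@@ -3,6 +3,15 @@` hunk are `url`, `fs` and `http`, so `const path = require('path');` is presumably needed as well. The `== false` comparison should also become a plain `!` so the condition reads as a boolean test. The enclosing `post` handler starts and ends outside the hunk, so the earlier code that assigns `sampleFile` is not visible here.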
@@ -70,9 +73,9 @@ module.exports = {
 } else {
 files.forEach(function (file) {
 resultData.push("http://dvws.local/uploads/" + result.user + "/" + file);
- res.json(resultData);
 });
+ res.json(resultData);
 }
 });
diff --git a/controllers/users.js b/controllers/users.js
index cd1c56e..26cf707 100644
--- a/controllers/users.js
+++ b/controllers/users.js
@@ -78,8 +78,11 @@ module.exports = {
 const options = {
 expiresIn: '2d',
 issuer: 'https://github.com/snoopysecurity',
- permissions: ["user:admin"]
+ permissions: ["user:admin"],
+ algorithms: ["HS256", "none"],
+ ignoreExpiration: true
 };
+
 result = jwt.verify(token, process.env.JWT_SECRET, options);
 if (result.permissions.includes('user:admin')) {
 endresult = {}
@@ -119,7 +122,7 @@ module.exports = {
 "user:write",
 "user:admin"
 ]
 };
- const options = { expiresIn: '2d', issuer: 'https://github.com/snoopysecurity' };
+ const options = { expiresIn: '2d', issuer: 'https://github.com/snoopysecurity', algorithm: "HS256"};
 const secret = process.env.JWT_SECRET;
 const token = jwt.sign(payload, secret, options);
@@ -132,7 +135,7 @@ module.exports = {
 "user:read",
 "user:write"
 ]
 };
- const options = { expiresIn: '2d', issuer: 'https://github.com/snoopysecurity' };
+ const options = { expiresIn: '2d', issuer: 'https://github.com/snoopysecurity', algorithm: "HS256"};
 const secret = process.env.JWT_SECRET;
 const token = jwt.sign(payload, secret, options);
diff --git a/utils.js b/utils.js
index ef70a3d..c4f0089 100644
--- a/utils.js
+++ b/utils.js
@@ -8,7 +8,9 @@ module.exports = {
 const token = req.headers.authorization.split(' ')[1]; // Bearer
 const options = {
 expiresIn: '2d',
- issuer: 'https://github.com/snoopysecurity'
+ issuer: 'https://github.com/snoopysecurity',
+ algorithms: ["HS256", "none"],
+ ignoreExpiration: true
 };
 try {
 result = jwt.verify(token, process.env.JWT_SECRET, options);
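Review bot: In the `@@ -78,8 +78,11 @@` hunk of users.js, `permissions: ["user:admin"]` is not a `jwt.verify` option in jsonwebtoken, so the key this hunk edits has no effect and the admin gate rests solely on `result.permissions.includes('user:admin')` on the following context line; a comment such as `// permissions is not a verify option; the role check is the includes() below` would stop a reader from assuming the library enforces it. Because this options object now also allows `"none"` and ignores expiration (raised on the notebook.js hunk), a token that merely claims `user:admin` no longer has to have been issued with `JWT_SECRET` to reach the admin-only branch, which makes this the most exposed of the changed call sites and the first one to restrict to `algorithms: ['HS256']`. The function enclosing this hunk starts and ends outside it.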