1import {BasketModel} from "../../../models/basket";2
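/**
 * Builds the password-login request handler.
 *
 * Flow: look the account up by email + hashed password (soft-deleted rows are
 * excluded via `deletedAt IS NULL`); if the account has a TOTP secret, answer
 * 401 with a token that only proves the password step passed; otherwise hand
 * over to `afterLogin`, which mints the real session token. Unknown email and
 * wrong password share one message so the endpoint does not leak which
 * accounts exist.
 *
 * Security notes (review):
 *  - The SQL is now parameterized through Sequelize `replacements`. The
 *    original interpolated `req.body.email` and the hashed password straight
 *    into the statement, leaving the regex tripwire below as the only barrier
 *    against SQL injection. If this file belongs to the intentionally
 *    vulnerable OWASP Juice Shop training app, that interpolation is the
 *    teaching target — confirm before applying this change there.
 *  - The 451 branch now `return`s. Previously the query still ran on the
 *    flagged input and a second response (`res.json`/`res.send`) was attempted
 *    after headers were already sent.
 *  - `security.hash` is an opaque project helper whose output is compared as a
 *    plain string in SQL; it is presumably an unsalted fast hash — verify, and
 *    prefer a password KDF (bcrypt/argon2) for any real deployment.
 *  - NOTE(review): `['-;]` is a character *range* (0x27–0x3B), so besides
 *    `'`, `-`, `;` it also matches `(`, `)`, `*`, `+`, `,`, `.`, `/`, `:` and
 *    every digit — any email or password containing a digit is rejected with
 *    451. If only the three literal characters were meant, the dash must be
 *    escaped (`['\-;]`). Kept byte-identical here pending confirmation.
 */
module.exports = function login () {
  // Heuristic tripwire kept from the original; it is not a defense (see note above).
  const SQLI_TRIPWIRE = /.*['-;].*/

  /**
   * Completes a successful login: finds or creates the user's basket, mints a
   * session token, records it in the authenticated-users map and responds with
   * `{ authentication: { token, bid, umail } }`. Errors go to `next`.
   *
   * @param user  query result wrapped by `utils.queryResultToJson`; `bid` is set here
   * @param res   response used to emit the JSON body
   * @param next  Express error continuation
   */
  function afterLogin (user: { data: User, bid: number }, res: Response, next: NextFunction) {
    BasketModel.findOrCreate({ where: { UserId: user.data.id } })
      .then(([basket]: [BasketModel, boolean]) => {
        const token = security.authorize(user)
        user.bid = basket.id // keep track of original basket
        security.authenticatedUsers.put(token, user)
        res.json({ authentication: { token, bid: basket.id, umail: user.data.email } })
      })
      .catch((error: Error) => {
        next(error)
      })
  }

  return (req: Request, res: Response, next: NextFunction) => {
    // Normalize to strings up front: the original called `.match` on
    // `req.body.email` directly, so a missing or non-string field threw a
    // TypeError before the `|| ''` fallback in the query was ever reached.
    const email = typeof req.body.email === 'string' ? req.body.email : ''
    const password = typeof req.body.password === 'string' ? req.body.password : ''

    if (SQLI_TRIPWIRE.test(email) || SQLI_TRIPWIRE.test(password)) {
      res.status(451).send(res.__('SQL Injection detected.'))
      return // stop here; the original fell through and ran the query anyway
    }

    // Bound parameters instead of string interpolation; the DB driver quotes
    // the values, so the statement shape cannot be altered by user input.
    models.sequelize.query(
      'SELECT * FROM Users WHERE email = :email AND password = :password AND deletedAt IS NULL',
      {
        replacements: { email, password: security.hash(password) },
        model: models.User,
        plain: true
      }
    )
      .then((authenticatedUser) => {
        const user = utils.queryResultToJson(authenticatedUser)
        if (user.data?.id && user.data.totpSecret !== '') {
          // Password accepted but 2FA is enrolled: issue a token scoped to the
          // second-factor step only, never a full session token.
          res.status(401).json({
            status: 'totp_token_required',
            data: {
              tmpToken: security.authorize({
                userId: user.data.id,
                type: 'password_valid_needs_second_factor_token'
              })
            }
          })
        } else if (user.data?.id) {
          afterLogin(user, res, next)
        } else {
          // One message for both unknown email and wrong password (no account enumeration).
          res.status(401).send(res.__('Invalid email or password.'))
        }
      })
      .catch((error: Error) => {
        next(error)
      })
  }
}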