juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import { type Request, type Response, type NextFunction } from 'express'
7
import { ProductModel } from '../models/product'
8
import { BasketModel } from '../models/basket'
9
import challengeUtils = require('../lib/challengeUtils')
10

11
import * as utils from '../lib/utils'
12
import { challenges } from '../data/datacache'
13
const security = require('../lib/insecurity')
14

15
module.exports = function retrieveBasket () {
16
  return (req: Request, res: Response, next: NextFunction) => {
17
    const id = req.params.id
18
    BasketModel.findOne({ where: { id }, include: [{ model: ProductModel, paranoid: false, as: 'Products' }] })
19
      .then((basket: BasketModel | null) => {
20
        /* jshint eqeqeq:false */
21
        challengeUtils.solveIf(challenges.basketAccessChallenge, () => {
22
          const user = security.authenticatedUsers.from(req)
23
          return user && id && id !== 'undefined' && id !== 'null' && id !== 'NaN' && user.bid && user.bid != id // eslint-disable-line eqeqeq
24
        })
25
        if (((basket?.Products) != null) && basket.Products.length > 0) {
26
          for (let i = 0; i < basket.Products.length; i++) {
27
            basket.Products[i].name = req.__(basket.Products[i].name)
28
          }
29
        }
30

31
        res.json(utils.queryResultToJson(basket))
32
      }).catch((error: Error) => {
33
        next(error)
34
      })
35
  }
36
}
37