/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

6import { type Request, type Response, type NextFunction } from 'express'
7import { UserModel } from '../models/user'
8import { WalletModel } from '../models/wallet'
9import { CardModel } from '../models/card'
10import challengeUtils = require('../lib/challengeUtils')
11import * as utils from '../lib/utils'
12import { challenges } from '../data/datacache'
13
14const security = require('../lib/insecurity')
15
/**
 * Express handler factory: upgrades a customer account to the deluxe role.
 *
 * Reads `UserId`, `paymentMode` and (for cards) `paymentId` from `req.body`.
 * Responds 200 with a fresh auth token on success and 400 with
 * `{ status: 'error', error }` on every failure path.
 *
 * NOTE(review): the account being upgraded is taken from `req.body.UserId`, not from
 * the caller's authenticated identity; nothing in this block checks that the two match
 * (any authentication middleware on the route is not visible here — confirm upstream).
 */
module.exports.upgradeToDeluxe = function upgradeToDeluxe () {
  return async (req: Request, res: Response, next: NextFunction) => {
    try {
      // Only accounts that currently hold the customer role qualify; anything else
      // (unknown id, already deluxe, other roles) is answered with the generic error.
      const user = await UserModel.findOne({ where: { id: req.body.UserId, role: security.roles.customer } })
      if (user == null) {
        res.status(400).json({ status: 'error', error: 'Something went wrong. Please try again!' })
        return
      }
      if (req.body.paymentMode === 'wallet') {
        const wallet = await WalletModel.findOne({ where: { UserId: req.body.UserId } })
        // NOTE(review): a missing wallet (null) falls through to the else branch, where the
        // decrement presumably matches no rows and the upgrade continues without a charge —
        // confirm whether a missing wallet should instead be rejected.
        if ((wallet != null) && wallet.balance < 49) {
          res.status(400).json({ status: 'error', error: 'Insuffienct funds in Wallet' })
          return
        } else {
          // Charges the membership fee; the same figure (49) is reported by deluxeMembershipStatus.
          await WalletModel.decrement({ balance: 49 }, { where: { UserId: req.body.UserId } })
        }
      }

      if (req.body.paymentMode === 'card') {
        // The card must be owned by the same UserId. Expiry is checked year-first, then month;
        // Date#getMonth() is zero-based, hence `expMonth - 1` — assumes expMonth is 1..12, confirm.
        const card = await CardModel.findOne({ where: { id: req.body.paymentId, UserId: req.body.UserId } })
        if ((card == null) || card.expYear < new Date().getFullYear() || (card.expYear === new Date().getFullYear() && card.expMonth - 1 < new Date().getMonth())) {
          res.status(400).json({ status: 'error', error: 'Invalid Card' })
          return
        }
      }

      // Any paymentMode other than 'wallet' or 'card' reaches this point without a charge;
      // the solveIf below treats exactly that path as the freeDeluxeChallenge solution.
      // The promise chain is deliberately not awaited: rejections are handled by the
      // .catch below, not by the outer try/catch.
      user.update({ role: security.roles.deluxe, deluxeToken: security.deluxeToken(user.email) })
        .then(user => {
          challengeUtils.solveIf(challenges.freeDeluxeChallenge, () => { return security.verify(utils.jwtFrom(req)) && req.body.paymentMode !== 'wallet' && req.body.paymentMode !== 'card' })
          // @ts-expect-error FIXME some properties missing in user
          user = utils.queryResultToJson(user)
          // Mint a token carrying the new role and register it as an authenticated session.
          const updatedToken = security.authorize(user)
          security.authenticatedUsers.put(updatedToken, user)
          res.status(200).json({ status: 'success', data: { confirmation: 'Congratulations! You are now a deluxe member!', token: updatedToken } })
        }).catch(() => {
          res.status(400).json({ status: 'error', error: 'Something went wrong. Please try again!' })
        })
    } catch (err: unknown) {
      // Unexpected failures are also reported as 400; the raw error message is echoed to the client.
      res.status(400).json({ status: 'error', error: 'Something went wrong: ' + utils.getErrorMessage(err) })
    }
  }
}
58
/**
 * Express handler factory: tells the caller whether a deluxe upgrade is open to them.
 *
 * Customers receive 200 with the membership cost; everyone else receives 400 with a
 * reason — "already deluxe" when the caller holds the deluxe role, "not eligible" otherwise.
 * Eligibility is derived from the request by `security.isCustomer` / `security.isDeluxe`.
 */
module.exports.deluxeMembershipStatus = function deluxeMembershipStatus () {
  return (req: Request, res: Response, next: NextFunction) => {
    if (security.isCustomer(req)) {
      // Same fee that upgradeToDeluxe deducts from the wallet.
      res.status(200).json({ status: 'success', data: { membershipCost: 49 } })
      return
    }
    const reason = security.isDeluxe(req)
      ? 'You are already a deluxe member!'
      : 'You are not eligible for deluxe membership!'
    res.status(400).json({ status: 'error', error: reason })
  }
}