1/*
2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3* SPDX-License-Identifier: MIT
4*/
5
6import { type Request, type Response, type NextFunction } from 'express'
7import { UserModel } from '../models/user'
8import challengeUtils = require('../lib/challengeUtils')
9import * as utils from '../lib/utils'
10
// Runtime-only (untyped) modules: the intentionally weak auth helpers and the
// in-memory data cache that holds the challenge registry.
const security = require('../lib/insecurity')
const cache = require('../data/datacache')
const { challenges } = cache
14
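/**
 * Builds the Express handler behind the profile form's "change username" POST.
 *
 * Authentication is the bare `token` cookie looked up in
 * `security.authenticatedUsers`; nothing else identifies the caller. There is no
 * anti-CSRF token and neither Origin nor Referer is enforced, so a cross-site
 * form POST riding on the victim's cookie is accepted. That gap is deliberate:
 * `challenges.csrfChallenge` is solved precisely when such a request arrives
 * from htmledit.squarefree.com and actually changes the username. Closing it
 * here would retire the challenge, so it is documented rather than fixed.
 *
 * `req.body.username` is persisted as received — this route performs no type
 * check or sanitizing on it.
 *
 * Success: 302 to `<BASE_PATH>/profile` with a re-issued `token` cookie built
 * from the updated user. Failures (unknown session, missing user row, DB or
 * token errors) are forwarded to `next`.
 */
module.exports = function updateUserProfile () {
  return (req: Request, res: Response, next: NextFunction) => {
    const loggedInUser = security.authenticatedUsers.get(req.cookies.token)

    if (!loggedInUser) {
      next(new Error('Blocked illegal activity by ' + req.socket.remoteAddress))
      return
    }

    // BASE_PATH is expected to be set at startup; default to '' so a missing
    // value cannot produce a literal "undefined/profile" redirect target.
    const profileUrl = (process.env.BASE_PATH ?? '') + '/profile'

    UserModel.findByPk(loggedInUser.data.id)
      .then((user: UserModel | null) => {
        if (user == null) {
          // The session cache still knows the id but the row is gone (e.g. the
          // account was deleted). Previously this branch sent no response at
          // all and the request simply hung.
          next(new Error('User not found'))
          return
        }

        // Challenge bookkeeping only; it never blocks the request. Note the `??`:
        // when an Origin header is present but does not match, the left side is
        // already `false` and Referer is not consulted at all.
        challengeUtils.solveIf(challenges.csrfChallenge, () => {
          return ((req.headers.origin?.includes('://htmledit.squarefree.com')) ??
            (req.headers.referer?.includes('://htmledit.squarefree.com'))) &&
            req.body.username !== user.username
        })

        // Returning the inner promise routes its rejections (and anything thrown
        // in the callback below) to the outer .catch instead of leaving an
        // unhandled rejection and a response that is never sent.
        return user.update({ username: req.body.username }).then((savedUser: UserModel) => {
          // The cache and the token carry the converted object, not the model
          // instance — presumably the same shape read back as
          // `loggedInUser.data.id` above; verify against queryResultToJson.
          const profile = utils.queryResultToJson(savedUser)
          const updatedToken = security.authorize(profile)
          security.authenticatedUsers.put(updatedToken, profile)
          // Cookie flags (httpOnly/secure/sameSite) are left unset as before —
          // NOTE(review): the frontend appears to read this cookie itself;
          // confirm before hardening it.
          res.cookie('token', updatedToken)
          // res.redirect sets the Location header itself; no separate res.location needed.
          res.redirect(profileUrl)
        })
      })
      .catch((error: Error) => {
        next(error)
      })
  }
}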
45