juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import { type Request, type Response, type NextFunction } from 'express'
7
import { UserModel } from '../models/user'
8
import challengeUtils = require('../lib/challengeUtils')
9
import * as utils from '../lib/utils'
10

11
const security = require('../lib/insecurity')
12
const cache = require('../data/datacache')
13
const challenges = cache.challenges
14

15
module.exports = function updateUserProfile () {
16
  return (req: Request, res: Response, next: NextFunction) => {
17
    const loggedInUser = security.authenticatedUsers.get(req.cookies.token)
18

19
    if (loggedInUser) {
20
      UserModel.findByPk(loggedInUser.data.id).then((user: UserModel | null) => {
21
        if (user != null) {
22
          challengeUtils.solveIf(challenges.csrfChallenge, () => {
23
            return ((req.headers.origin?.includes('://htmledit.squarefree.com')) ??
24
              (req.headers.referer?.includes('://htmledit.squarefree.com'))) &&
25
              req.body.username !== user.username
26
          })
27
          void user.update({ username: req.body.username }).then((savedUser: UserModel) => {
28
            // @ts-expect-error FIXME some properties missing in savedUser
29
            savedUser = utils.queryResultToJson(savedUser)
30
            const updatedToken = security.authorize(savedUser)
31
            security.authenticatedUsers.put(updatedToken, savedUser)
32
            res.cookie('token', updatedToken)
33
            res.location(process.env.BASE_PATH + '/profile')
34
            res.redirect(process.env.BASE_PATH + '/profile')
35
          })
36
        }
37
      }).catch((error: Error) => {
38
        next(error)
39
      })
40
    } else {
41
      next(new Error('Blocked illegal activity by ' + req.socket.remoteAddress))
42
    }
43
  }
44
}
45