Username sanitazion update

NatLibFi · May 31, 2024 · 3f1acad · 3f1acad
1 parent 71e0ec9
commit 3f1acad
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 12 deletions.
diff --git a/src/auth/authRoute.js b/src/auth/authRoute.js
@@ -13,7 +13,7 @@ import {createLogger} from '@natlibfi/melinda-backend-commons';
 //import createClient from '@natlibfi/sru-client';
 //import {MARCXML} from '@natlibfi/marc-record-serializers';
 import {generateAuthorizationHeader} from '@natlibfi/melinda-commons';
-import {sanitaze} from './authService.js';
+import {sanitizeString} from './authService.js';
 
 // https://github.com/NatLibFi/marc-record-serializers
 
@@ -70,9 +70,14 @@ export default function (passport, jwtOptions) { // eslint-disable-line no-unuse
       res.status(500).json({error: 'username or password malformed or missing'});
       return;
     }
-    const cleanUserName = sanitaze(username);
-    const authToken = generateAuthorizationHeader(cleanUserName, password);
-    res.json({token: authToken});
+    try {
+      const cleanUserName = sanitizeString({value: username, options: {allowedPattern: 'a-zA-Z0-9_\\-äöåÄÖÅ'}});
+      const authToken = generateAuthorizationHeader(cleanUserName, password);
+
+      res.json({token: authToken});
+    } catch (error) {
+      res.status(500).json({error: 'Failed to either process user info or generate token.'});
+    }
   }
   //will use jwt to verification
   function verify(req, res) {

diff --git a/src/auth/authService.js b/src/auth/authService.js
@@ -1,9 +1,26 @@
-export function sanitaze(value) {
-  return value
-    .replace(/\r/gu, '')
-    .replace(/%0d/gu, '')
-    .replace(/%0D/gu, '')
-    .replace(/\n/gu, '')
-    .replace(/%0a/gu, '')
-    .replace(/%0A/gu, '');
+/**
+ * Used to sanitize strings like username, email or similar
+ * @param {object} param0
+ * @param {string} param0.value value to be mutated
+ * @param {object} param0.options options object
+ * @param {string} param0.options.allowedPattern allowed pattern for characters
+ * @param {boolean} [param0.options.useLengthCheck=true] should length be tested
+ * @param {boolean} [param0.options.min=1] min legth
+ * @param {boolean} [param0.options.max=12] max legth
+ *
+ * @returns {string}
+ */
+export function sanitizeString(param0) {
+  const {value, options = {allowedPattern: undefined, useLengthCheck: true, min: 1, max: 12}} = param0;
+  if (!options || !options?.allowedPattern) {
+    return value;
+  }
+
+  const cleanValue = value.replace(new RegExp(`[^${options.allowedPattern}]`, 'gu'), '');
+
+  if (options.useLengthCheck && (cleanValue.length < options.min || cleanValue.length > options.max)) {
+    throw new Error(`Value given to sanitaze must be between ${options.min} and ${options.max} characaters`);
+  }
+
+  return cleanValue;
 }