From 3f1acad62925c91c25f6c8ea96ae0e834e869920 Mon Sep 17 00:00:00 2001
From: natlibfi-kmskuusi <118263770+natlibfi-kmskuusi@users.noreply.github.com>
Date: Fri, 31 May 2024 13:28:00 +0300
Subject: [PATCH] Username sanitazion update
---
 src/auth/authRoute.js | 13 +++++++++----
 src/auth/authService.js | 33 +++++++++++++++++++++++++--------
 2 files changed, 34 insertions(+), 12 deletions(-)
diff --git a/src/auth/authRoute.js b/src/auth/authRoute.js
index d3fadfe36..53e89d491 100644
--- a/src/auth/authRoute.js
+++ b/src/auth/authRoute.js
@@ -13,7 +13,7 @@ import {createLogger} from '@natlibfi/melinda-backend-commons';
 //import createClient from '@natlibfi/sru-client';
 //import {MARCXML} from '@natlibfi/marc-record-serializers';
 import {generateAuthorizationHeader} from '@natlibfi/melinda-commons';
-import {sanitaze} from './authService.js';
+import {sanitizeString} from './authService.js';
 // https://github.com/NatLibFi/marc-record-serializers
@@ -70,9 +70,14 @@ export default function (passport, jwtOptions) { // eslint-disable-line no-unuse
 res.status(500).json({error: 'username or password malformed or missing'});
 return;
 }
- const cleanUserName = sanitaze(username);
- const authToken = generateAuthorizationHeader(cleanUserName, password);
- res.json({token: authToken});
+ try {
+ const cleanUserName = sanitizeString({value: username, options: {allowedPattern: 'a-zA-Z0-9_\\-äöåÄÖÅ'}});
+ const authToken = generateAuthorizationHeader(cleanUserName, password);
+
+ res.json({token: authToken});
+ } catch (error) {
+ res.status(500).json({error: 'Failed to either process user info or generate token.'});
+ }
 }
 //will use jwt to verification
 function verify(req, res) {
diff --git a/src/auth/authService.js b/src/auth/authService.js
index 9c9445b8e..b2bfd88b2 100644
--- a/src/auth/authService.js
+++ b/src/auth/authService.js
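Review bot: In src/auth/authRoute.js the new `try` block builds the token from `cleanUserName` even when sanitizeString had to delete characters, so the authorization header is generated for a different username than the one the client submitted. Rejecting is safer than rewriting at this point, e.g. `if (cleanUserName !== username) { res.status(400).json({error: 'username contains unsupported characters'}); return; }` before the call to generateAuthorizationHeader. The `catch` branch also discards `error` and answers 500 for what may be a bad-input case; logging it server-side (the file imports createLogger, so presumably a logger instance exists above the hunk) would keep failures diagnosable without echoing details to the client. The handler begins above this hunk, so the earlier username/password checks are not visible from here.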
@@ -1,9 +1,26 @@
-export function sanitaze(value) {
- return value
- .replace(/\r/gu, '')
- .replace(/%0d/gu, '')
- .replace(/%0D/gu, '')
- .replace(/\n/gu, '')
- .replace(/%0a/gu, '')
- .replace(/%0A/gu, '');
+/**
+ * Used to sanitize strings like username, email or similar
+ * @param {object} param0
+ * @param {string} param0.value value to be mutated
+ * @param {object} param0.options options object
+ * @param {string} param0.options.allowedPattern allowed pattern for characters
+ * @param {boolean} [param0.options.useLengthCheck=true] should length be tested
+ * @param {boolean} [param0.options.min=1] min legth
+ * @param {boolean} [param0.options.max=12] max legth
+ *
+ * @returns {string}
+ */
+export function sanitizeString(param0) {
+ const {value, options = {allowedPattern: undefined, useLengthCheck: true, min: 1, max: 12}} = param0;
+ if (!options || !options?.allowedPattern) {
+ return value;
+ }
+
+ const cleanValue = value.replace(new RegExp(`[^${options.allowedPattern}]`, 'gu'), '');
+
+ if (options.useLengthCheck && (cleanValue.length < options.min || cleanValue.length > options.max)) {
+ throw new Error(`Value given to sanitaze must be between ${options.min} and ${options.max} characaters`);
+ }
+
+ return cleanValue;
 }
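Review bot: The default in `options = {allowedPattern: undefined, useLengthCheck: true, min: 1, max: 12}` applies only when `options` is omitted entirely, so a caller that passes just `{allowedPattern}` (as the authRoute.js call in this patch does) gets `useLengthCheck` undefined and the length check never runs. A username made up only of disallowed characters then comes back as an empty string instead of throwing. Merging the defaults per key fixes it: `const {value} = param0;` followed by `const options = {useLengthCheck: true, min: 1, max: 12, ...param0.options};`. The JSDoc should also type `min` and `max` as `{number}` rather than `{boolean}`, and state that the value is returned unchanged when no `allowedPattern` is given, since that path no longer strips the CR/LF sequences the removed `sanitaze` handled.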