Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-27 17:16:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: closes #13176, check if uid is number when creating tokens

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2025-02-18 10:42:52 -05:00
parent 5e71d597a4
commit 80cc1d34b0
2 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/api/utils.js
View File

@@ -52,6 +52,9 @@ utils.tokens.get = async (tokens) => {
}; };
utils.tokens.generate = async ({ uid, description }) => { utils.tokens.generate = async ({ uid, description }) => {
if (!srcUtils.isNumber(uid)) {
throw new Error('[[error:invalid-uid]]');
}
if (parseInt(uid, 10) !== 0) { if (parseInt(uid, 10) !== 0) {
const uidExists = await user.exists(uid); const uidExists = await user.exists(uid);
if (!uidExists) { if (!uidExists) {
@@ -66,7 +69,7 @@ utils.tokens.generate = async ({ uid, description }) => {
}; };
utils.tokens.add = async ({ token, uid, description = '', timestamp = Date.now() }) => { utils.tokens.add = async ({ token, uid, description = '', timestamp = Date.now() }) => {
if (!token || uid === undefined) { if (!token || uid === undefined || !srcUtils.isNumber(uid)) {
throw new Error('[[error:invalid-data]]'); throw new Error('[[error:invalid-data]]');
} }
@@ -80,6 +83,9 @@ utils.tokens.add = async ({ token, uid, description = '', timestamp = Date.now()
}; };
utils.tokens.update = async (token, { uid, description }) => { utils.tokens.update = async (token, { uid, description }) => {
if (!srcUtils.isNumber(uid)) {
throw new Error('[[error:invalid-uid]]');
}
await Promise.all([ await Promise.all([
db.setObject(`token:${token}`, { uid, description }), db.setObject(`token:${token}`, { uid, description }),
db.sortedSetAdd(`tokens:uid`, uid, token), db.sortedSetAdd(`tokens:uid`, uid, token),

4
src/views/admin/partials/edit-token-modal.tpl
View File

@@ -1,13 +1,13 @@
<form role="form"> <form role="form">
<div class="mb-3"> <div class="mb-3">
<label class="form-label" for="uid">[[admin/settings/api:uid]]</label> <label class="form-label" for="uid">[[admin/settings/api:uid]]</label>
<input type="text" inputmode="numeric" pattern="\d+" name="uid" class="form-control" placeholder="0" value="{./uid}" /> <input id="uid" type="number" inputmode="numeric" pattern="\d+" name="uid" class="form-control" placeholder="0" value="{./uid}" />
<p class="form-text"> <p class="form-text">
[[admin/settings/api:uid-help-text]] [[admin/settings/api:uid-help-text]]
</p> </p>
</div> </div>
<div class="mb-3"> <div class="mb-3">
<label class="form-label" for="description">[[admin/settings/api:description]]</label> <label class="form-label" for="description">[[admin/settings/api:description]]</label>
<input type="text" name="description" class="form-control" placeholder="Description" value="{./description}" /> <input id="description" type="text" name="description" class="form-control" placeholder="Description" value="{./description}" />
</div> </div>
</form> </form>