[BUG] Fixed mass_assignment vuln #566
Conversation
server/endpoints/invite.jsInstead of using console.error for logging errors, consider using a dedicated logging library like Winston or Bunyan. These libraries provide more control over log levels, formats, and destinations. They also handle JSON objects well, which can be useful when logging errors or other data structures. const logger = require('winston');
//...
} catch (e) {
logger.error(e);
response.sendStatus(500).end();
}Consider using HTTP status code constants instead of hardcoding the status codes. This will make the code more readable and maintainable. You can use the 'http-status-codes' npm package for this purpose. const HttpStatus = require('http-status-codes');
//...
response.status(HttpStatus.OK).json({ success: true, error: null });
//...
response.sendStatus(HttpStatus.INTERNAL_SERVER_ERROR).end();Consider validating the username and password before creating the user. This can help prevent SQL Injection attacks and ensure that the data is in the correct format before it is inserted into the database. You can use a library like 'joi' for input validation. const Joi = require('joi');
//...
const schema = Joi.object({
username: Joi.string().alphanum().min(3).max(30).required(),
password: Joi.string().pattern(new RegExp('^[a-zA-Z0-9]{3,30}$')).required(),
});
const { error } = schema.validate({ username, password });
if (error) {
response.status(400).json({ success: false, error: error.details[0].message });
return;
} |
Pull Request Type
What is in this change?
Path to invitation logic on backend permissions