remeove password sanitization

manjushsh · Jan 5, 2025 · c78eeef · c78eeef
1 parent 802eb44
commit c78eeef
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 12 deletions.
diff --git a/server/controllers/controller.album.go b/server/controllers/controller.album.go
@@ -87,14 +87,16 @@ func GetAlbumByID(c *gin.Context) {
 		return
 	}
 
+	sanitizedUUID := services.SanitizeUUID(id)
+
 	mongoInstance, ok := getMongoService(c)
 	if !ok {
 		return
 	}
 	defer mongoInstance.Disconnect()
 
 	var album models.Album
-	filter := bson.M{"id": id}
+	filter := bson.M{"id": sanitizedUUID}
 	err := mongoInstance.FindOne("albums", filter).Decode(&album)
 	if err != nil {
 		c.IndentedJSON(http.StatusNotFound, gin.H{"message": "album not found"})
@@ -112,6 +114,7 @@ func UpdateAlbum(c *gin.Context) {
 		c.IndentedJSON(http.StatusBadRequest, gin.H{"message": "invalid album ID"})
 		return
 	}
+	sanitizedUUID := services.SanitizeUUID(id)
 
 	var updatedAlbum models.Album
 	if err := c.BindJSON(&updatedAlbum); err != nil {
@@ -125,7 +128,7 @@ func UpdateAlbum(c *gin.Context) {
 	}
 	defer mongoInstance.Disconnect()
 
-	filter := bson.M{"id": id}
+	filter := bson.M{"id": sanitizedUUID}
 	update := bson.M{"$set": updatedAlbum}
 
 	result, err := mongoInstance.Update("albums", filter, update)
@@ -150,14 +153,15 @@ func DeleteAlbum(c *gin.Context) {
 		c.IndentedJSON(http.StatusBadRequest, gin.H{"message": "invalid album ID"})
 		return
 	}
+	sanitizedUUID := services.SanitizeUUID(id)
 
 	mongoInstance, ok := getMongoService(c)
 	if !ok {
 		return
 	}
 	defer mongoInstance.Disconnect()
 
-	filter := bson.M{"id": id}
+	filter := bson.M{"id": sanitizedUUID}
 	update := bson.M{"$set": bson.M{"isdeleted": true}}
 
 	result, err := mongoInstance.Update("albums", filter, update)

diff --git a/server/controllers/controller.auth.go b/server/controllers/controller.auth.go
@@ -22,26 +22,29 @@ func Login(c *gin.Context) {
 		return
 	}
 
+	sanitizedUsername := services.SanitizeUsername(loginRequest.Username)
+	sanitizedPassword := services.SanitizePassword(loginRequest.Password)
+
 	mongoInstance, ok := services.ConnectToMongo(c)
 	if !ok {
 		return
 	}
 	defer mongoInstance.Disconnect()
 
 	var foundUser models.Auth
-	filter := bson.D{{Key: "username", Value: loginRequest.Username}, {Key: "isdeleted", Value: false}}
+	filter := bson.M{"username": sanitizedUsername, "isdeleted": false}
 	err := mongoInstance.FindOne("users", filter).Decode(&foundUser)
 	if err != nil {
-		services.HandleError(c, err, http.StatusInternalServerError, "Invalid credentials - No User Found")
+		services.HandleError(c, err, http.StatusUnauthorized, "Invalid credentials - No User Found")
 		return
 	}
 
-	if !services.CheckPasswordHash(loginRequest.Password, foundUser.Password) {
+	if !services.CheckPasswordHash(sanitizedPassword, foundUser.Password) {
 		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid credentials"})
 		return
 	}
 
-	token, err := services.GenerateJWT(loginRequest.Username)
+	token, err := services.GenerateJWT(sanitizedUsername)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"})
 		return
@@ -62,14 +65,17 @@ func Register(c *gin.Context) {
 		return
 	}
 
+	sanitizedUsername := services.SanitizeUsername(registerRequest.Username)
+	sanitizedPassword := services.SanitizePassword(registerRequest.Password)
+
 	mongoInstance, ok := services.ConnectToMongo(c)
 	if !ok {
 		return
 	}
 	defer mongoInstance.Disconnect()
 
 	var existingUser models.Auth
-	err := mongoInstance.FindOne("users", bson.M{"username": registerRequest.Username}).Decode(&existingUser)
+	err := mongoInstance.FindOne("users", bson.M{"username": sanitizedUsername}).Decode(&existingUser)
 	if err == nil {
 		c.JSON(http.StatusConflict, gin.H{"error": "Username already exists"})
 		return
@@ -78,7 +84,7 @@ func Register(c *gin.Context) {
 		return
 	}
 
-	hashedPassword, err := services.HashPassword(registerRequest.Password)
+	hashedPassword, err := services.HashPassword(sanitizedPassword)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to hash password"})
 		return
@@ -119,6 +125,7 @@ func GetUsers(c *gin.Context) {
 
 func GetUser(c *gin.Context) {
 	username := c.Param("username")
+	sanitizedUsername := services.SanitizeUsername(username)
 
 	mongoInstance, ok := services.ConnectToMongo(c)
 	if !ok {
@@ -127,7 +134,7 @@ func GetUser(c *gin.Context) {
 	defer mongoInstance.Disconnect()
 
 	var user models.Auth
-	err := mongoInstance.FindOne("users", bson.M{"username": username}).Decode(&user)
+	err := mongoInstance.FindOne("users", bson.M{"username": sanitizedUsername}).Decode(&user)
 	if err != nil {
 		services.HandleError(c, err, http.StatusNotFound, "User not found")
 		return
@@ -138,6 +145,7 @@ func GetUser(c *gin.Context) {
 
 func UpdateUser(c *gin.Context) {
 	username := c.Param("username")
+
 	var updatedUser models.Auth
 	if err := c.ShouldBindJSON(&updatedUser); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request"})
@@ -149,13 +157,15 @@ func UpdateUser(c *gin.Context) {
 		return
 	}
 
+	sanitizedUsername := services.SanitizeUsername(username)
+
 	mongoInstance, ok := services.ConnectToMongo(c)
 	if !ok {
 		return
 	}
 	defer mongoInstance.Disconnect()
 
-	result, err := mongoInstance.Update("users", bson.M{"username": username}, bson.M{"$set": updatedUser})
+	result, err := mongoInstance.Update("users", bson.M{"username": sanitizedUsername}, bson.M{"$set": updatedUser})
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update user"})
 		return
@@ -176,13 +186,15 @@ func DeleteUser(c *gin.Context) {
 		return
 	}
 
+	sanitizedUsername := services.SanitizeUsername(username)
+
 	mongoInstance, ok := services.ConnectToMongo(c)
 	if !ok {
 		return
 	}
 	defer mongoInstance.Disconnect()
 
-	filter := bson.M{"username": username}
+	filter := bson.M{"username": sanitizedUsername}
 	result, err := mongoInstance.Delete("users", filter)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to delete user"})

diff --git a/server/services/service.validation.go b/server/services/service.validation.go
@@ -46,3 +46,20 @@ func IsValidUUID(uuidStr string) bool {
 	_, err := uuid.Parse(uuidStr)
 	return err == nil
 }
+
+func SanitizeUsername(input string) string {
+	// Use regex to remove any special characters except alphanumeric and underscore
+	re := regexp.MustCompile(`[^a-zA-Z0-9_]`)
+	return re.ReplaceAllString(input, "")
+}
+
+func SanitizePassword(password string) string {
+	// Return the password as is, without any modifications
+	return password
+}
+
+func SanitizeUUID(uuidStr string) string {
+	// Use regex to remove any special characters except alphanumeric and hyphen
+	re := regexp.MustCompile(`[^a-zA-Z0-9-]`)
+	return re.ReplaceAllString(uuidStr, "")
+}