From 1ee9e369fd2bf98db33d542f6df95773f9736a3b Mon Sep 17 00:00:00 2001 From: "cristian.cifuentes" Date: Tue, 13 Aug 2024 11:37:01 -0500 Subject: [PATCH] validate shopperID Email or UserID --- CHANGELOG.md | 4 ++ dotnet/Services/WishListService.cs | 87 ++++++++++++------------------ 2 files changed, 39 insertions(+), 52 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index df952da..41cd3db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +### Fix + +- validate shopperID Email or UserID + ## [1.18.1] - 2024-08-05 ### Added diff --git a/dotnet/Services/WishListService.cs b/dotnet/Services/WishListService.cs index 3233620..ae62a12 100644 --- a/dotnet/Services/WishListService.cs +++ b/dotnet/Services/WishListService.cs @@ -103,7 +103,7 @@ public async Task SaveList(IList listItems, string shopperId, st public async Task SaveItem(ListItem listItem, string shopperId, string listName, bool? isPublic) { - string VtexIdclientAutCookieKey = this._httpContextAccessor.HttpContext.Request.Headers["VtexIdclientAutCookie"]; + string VtexIdclientAutCookieKey = this._httpContextAccessor.HttpContext.Request.Headers["VtexIdclientAutCookie"]; if (string.IsNullOrEmpty(_context.Vtex.StoreUserAuthToken) && string.IsNullOrEmpty(_context.Vtex.AdminUserAuthToken) && string.IsNullOrEmpty(VtexIdclientAutCookieKey)) { 
@@ -126,63 +126,47 @@ public async Task SaveList(IList listItems, string shopperId, st return null; } - if(VtexIdclientAutCookieKey != null) { - ValidatedEmailToken responseValidateEmailAuthToken = null; - - try { - responseValidateEmailAuthToken = await ValidateEmailAuthToken(VtexIdclientAutCookieKey); - } catch (Exception ex) - { - _context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex); - return null; - } - - bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey"; - - if (!hasValidateEmail) - { - _context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId"); - return null; - } - } - - if(_context.Vtex.AdminUserAuthToken != null) { - ValidatedEmailToken responseValidateEmailAuthToken = null; + // Validation for PII + if (shopperId.ToLower().Contains('@')) { + + if(_context.Vtex.StoreUserAuthToken != null) { + ValidatedEmailToken responseValidateEmailAuthToken = null; - try { - responseValidateEmailAuthToken = await ValidateEmailAuthToken(_context.Vtex.AdminUserAuthToken); - } catch (Exception ex) - { - _context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex); - return null; - } + try { + responseValidateEmailAuthToken = await ValidateEmailAuthToken(_context.Vtex.StoreUserAuthToken); + } catch (Exception ex) + { + _context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex); + return null; + } - bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey"; + bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey"; - if (!hasValidateEmail) - { - _context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid 
for this ShopperId"); - return null; + if (!hasValidateEmail) + { + _context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId"); + return null; + } } - } - - if(_context.Vtex.StoreUserAuthToken != null) { - ValidatedEmailToken responseValidateEmailAuthToken = null; + + if(VtexIdclientAutCookieKey != null) { + ValidatedEmailToken responseValidateEmailAuthToken = null; - try { - responseValidateEmailAuthToken = await ValidateEmailAuthToken(_context.Vtex.StoreUserAuthToken); - } catch (Exception ex) - { - _context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex); - return null; - } + try { + responseValidateEmailAuthToken = await ValidateEmailAuthToken(VtexIdclientAutCookieKey); + } catch (Exception ex) + { + _context.Vtex.Logger.Error("IsValidAuthUser", null, "Error fetching user", ex); + return null; + } - bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey"; + bool hasValidateEmail = responseValidateEmailAuthToken.User != null && responseValidateEmailAuthToken.User == shopperId && responseValidateEmailAuthToken.TokenType != "appkey"; - if (!hasValidateEmail) - { - _context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId"); - return null; + if (!hasValidateEmail) + { + _context.Vtex.Logger.Warn("hasValidateEmail", null, "AuthToken is not valid for this ShopperId"); + return null; + } } } @@ -191,7 +175,6 @@ public async Task SaveList(IList listItems, string shopperId, st bool hasAdminPermission = validatedAdminUser != null && validatedAdminUser.AuthStatus.Equals("Success"); bool hasPermissionToken = validatedKeyApp != null && validatedKeyApp.AuthStatus.Equals("Success"); - if (!hasPermission && !hasAdminPermission && !hasPermissionToken) { _context.Vtex.Logger.Warn("IsValidAuthUser", null, "User Does Not Have Permission");
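Review bot: The ownership check inside the new `if (shopperId.ToLower().Contains('@'))` branch only covers email-form shopper ids; when `shopperId` is a userId (no '@') nothing in this hunk ties the presented StoreUserAuthToken or VtexIdclientAutCookie to that shopper, so unless the code after the hunk does it, a valid store-user token could save items under another shopper's id. Either match the validated token's user against the userId form as well, or state the intent with a comment such as `// userId-form shopperIds are not matched against the token here; only token validity is checked below` so the gap is deliberate rather than accidental. The `ToLower()` call adds nothing to a '@' test and is culture-sensitive (CA1304); `if (shopperId.Contains('@'))` is sufficient, and a null `shopperId` would throw a NullReferenceException on this line if it is not guarded earlier. The two validation blocks for `_context.Vtex.StoreUserAuthToken` and `VtexIdclientAutCookieKey` are identical apart from the token passed to `ValidateEmailAuthToken` and would read better as one local helper taking the token. SaveItem starts before this hunk and continues after it.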