#58 check userId format in commands

Zuehlke · Jun 13, 2020 · 5ec3325 · 5ec3325
1 parent 6e94bd9
commit 5ec3325
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 29 deletions.
diff --git a/server/resources/validationSchemas/joinRoom.json b/server/resources/validationSchemas/joinRoom.json
@@ -16,7 +16,8 @@
               "format": "email"
             },
             "userId": {
-              "type": "string"
+              "type": "string",
+              "format": "uuidv4"
             }
           },
           "additionalProperties": false

diff --git a/server/resources/validationSchemas/kick.json b/server/resources/validationSchemas/kick.json
@@ -9,7 +9,8 @@
           "type": "object",
           "properties": {
             "userId": {
-              "type": "string"
+              "type": "string",
+              "format": "uuidv4"
             }
           },
           "required": [

diff --git a/server/src/commandSchemaValidator.js b/server/src/commandSchemaValidator.js
@@ -8,6 +8,10 @@ import getLogger from './getLogger';
 
 const LOGGER = getLogger('commandSchemaValidator');
 
+const EMAIL_REGEX = /^[-a-z0-9~!$%^&*_=+}{'?]+(\.[-a-z0-9~!$%^&*_=+}{'?]+)*@([a-z0-9_][-a-z0-9_]*(\.[-a-z0-9_]+)*\.(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|travel|mobi|[a-z][a-z])|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(:[0-9]{1,5})?$/i;
+const ROOMID_REGEX = /^[-a-z0-9_]+$/;
+const UUIDv4_REGEX = /^[0-9A-F]{8}-[0-9A-F]{4}-4[0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i;
+
 const schemas = gatherSchemas();
 
 registerCustomFormats();
@@ -82,38 +86,35 @@ function parseSchemaFile(schemaFileContent, schemaFileName) {
   }
 }
 
-const EMAIL_REGEX = /^[-a-z0-9~!$%^&*_=+}{'?]+(\.[-a-z0-9~!$%^&*_=+}{'?]+)*@([a-z0-9_][-a-z0-9_]*(\.[-a-z0-9_]+)*\.(aero|arpa|biz|com|coop|edu|gov|info|int|mil|museum|name|net|org|pro|travel|mobi|[a-z][a-z])|([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))(:[0-9]{1,5})?$/i;
-const ROOMID_REGEX = /^[-a-z0-9_]+$/;
-
 function registerCustomFormats() {
-  tv4.addFormat('email', validateEmail);
-  tv4.addFormat('roomId', validateRoomId);
-}
-
-function validateRoomId(data) {
-  if (!data) {
-    // allow empty string, undefined, null
-    return;
-  }
-
-  if (typeof data === 'string' && ROOMID_REGEX.test(data)) {
-    return null;
-  }
-
-  return 'must be a valid roomId: only the following characters are allowed: a-z 0-9 _ -';
+  tv4.addFormat(
+    'email',
+    validateStringFormat.bind(undefined, EMAIL_REGEX, 'must be a valid email-address')
+  );
+  tv4.addFormat(
+    'roomId',
+    validateStringFormat.bind(
+      undefined,
+      ROOMID_REGEX,
+      'must be a valid roomId: only the following characters are allowed: a-z 0-9 _ -'
+    )
+  );
+  tv4.addFormat(
+    'uuidv4',
+    validateStringFormat.bind(undefined, UUIDv4_REGEX, 'must be a valid uuid v4')
+  );
 }
 
-function validateEmail(data) {
+function validateStringFormat(formatRegex, errorMsg, data) {
   if (!data) {
-    // allow empty string, undefined, null
-    return;
+    return; // allow empty string, undefined, null
   }
 
-  if (typeof data === 'string' && EMAIL_REGEX.test(data)) {
+  if (typeof data === 'string' && formatRegex.test(data)) {
     return null;
   }
 
-  return 'must be a valid email-address';
+  return errorMsg;
 }
 
 function CommandValidationError(err, cmd) {

diff --git a/server/test/integration/commandProcessorPerformanceTest.js b/server/test/integration/commandProcessorPerformanceTest.js
@@ -14,7 +14,7 @@ import eventHandlers from '../../src/eventHandlers/eventHandlers';
 test('1000 "addStory" commands/events', async () => {
   const userId = uuid();
 
-  const roomId = 'customRoom_' + uuid();
+  const roomId = 'custom-room_' + uuid();
 
   const store = await roomStoreFactory(false);
   const processor = processorFactory(commandHandlers, eventHandlers, store);

diff --git a/server/test/integration/serverIntegrationTest.js b/server/test/integration/serverIntegrationTest.js
@@ -63,7 +63,6 @@ describe('websocket endpoint', () => {
 
       expect(msg.correlationId).toEqual(commandId);
       expect(msg.roomId).toBeDefined();
-      eventCount++;
 
       if (eventCount === 0) {
         expect(msg.name).toEqual('roomCreated');
@@ -75,13 +74,15 @@ describe('websocket endpoint', () => {
 
         done();
       }
+
+      eventCount++;
     });
 
     socket.on('connect', () =>
       socket.emit('command', {
         id: commandId,
         name: 'joinRoom',
-        roomId: 'myCustomRoom',
+        roomId: 'my-custom-room_' + uuid(),
         payload: {}
       })
     );

diff --git a/server/test/unit/commandSchemaValidatorTest.js b/server/test/unit/commandSchemaValidatorTest.js
@@ -62,3 +62,27 @@ test('throws on invalid roomId', () => {
     /Format validation failed \(must be a valid roomId: only the following characters are allowed: a-z 0-9 _ -\) in \/roomId/
   );
 });
+
+test('throws on invalid userId', () => {
+  expect(() =>
+    commandSchemaValidator({
+      id: uuid(),
+      roomId: 'custom-room-id',
+      name: 'joinRoom',
+      payload: {
+        userId: 'sdgdgkjslgjslkjglskgjdlksjgl'
+      }
+    })
+  ).toThrow(/Format validation failed \(must be a valid uuid v4\) in \/payload\/userId/);
+});
+
+test('works with valid userId', () => {
+  commandSchemaValidator({
+    id: uuid(),
+    roomId: 'custom-room-id',
+    name: 'joinRoom',
+    payload: {
+      userId: uuid()
+    }
+  });
+});
diff --git a/server/test/unit/commands/kickTest.js b/server/test/unit/commands/kickTest.js
@@ -74,7 +74,7 @@ describe('preconditions', () => {
           roomId,
           name: 'kick',
           payload: {
-            userId: 'unknown'
+            userId: uuid() // new random userId, not part of our room
           }
         },
         userIdOne