fix: Server crashes if password is number

fixes #629: Property types in dashboard are sortable Adds class "locked" to list items that should not be sortable. fixes #633: Users collection not returning errors properly Returning error unless username is defined. Could not reproduce most described errors of #633, though. bugfix: Server crash if password is number Server was crashing with "TypeError: Not a string or buffer", caused by crypto.js. Fix: If password is a number, convert it to String before creating hash. Revert "fixes #633: Users collection not returning errors properly" This reverts commit a7d1c85. Was accidentaly pushed to PR Conflicts: lib/resources/user-collection.js Revert "bugfix: Server crash if password is number" This reverts commit 99d16ea. Accidentaly pushed to PR. Conflicts: lib/resources/user-collection.js fixes #629: Property types in dashboard are sortable Adds class "locked" to list items that should not be sortable. fix(user-collection): convert password to string if it's a Number - adds convertion of password to String before creating a password hash, so that crypto.js does not crash the application - changes user-collection unit test to test if app keeps running when posting a Number as password
deployd · Oct 16, 2015 · 5221242 · 5221242
1 parent ab7cec6
commit 5221242
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/lib/resources/user-collection.js b/lib/resources/user-collection.js
@@ -145,7 +145,6 @@ UserCollection.prototype.handle = function (ctx) {
       if (!ctx.body && typeof ctx.body !== "object") {
         return ctx.done("Missing request body");
       }
-
       this.setPassword(ctx.body);
       var isSelf = ctx.session.user && ctx.session.user.id === ctx.query.id || (ctx.body && ctx.body.id);
       if ((ctx.query.id || ctx.body.id) && ctx.body && !isSelf && !ctx.session.isRoot && !ctx.req.internal) {
@@ -347,6 +346,9 @@ UserCollection.prototype.setPassword = function (body) {
  * @return {string}          The hash, as a hex digest.
  */
 UserCollection.prototype.hash = function (password, salt) {
+  if (password && !isNaN(password)){
+    password = password.toString();
+  }
   return crypto.createHmac('sha256', salt).update(password).digest('hex');
 };
 

diff --git a/test/user-collection.unit.js b/test/user-collection.unit.js
@@ -17,6 +17,34 @@ describe('UserCollection', function() {
 				}
 			};
 		});
+		it('should not crash when the posted password is a number', function(done) {
+			var test = this;
+			this.ctx.url = '/users';
+			this.ctx.query = {username: "Foo", password: Math.random()};
+
+			this.ctx.req.url = '/users';
+			this.ctx.req.method = 'POST';
+			this.ctx.req.body.username = 'foo@bar.com';
+			this.ctx.req.body.password = Math.random();
+			// hash the password so we can use it in our mocked loginFindUser function below
+			this.uc.setPassword(this.ctx.req.body);
+			var hashedPassword = this.ctx.req.body.password;
+			// reset it as plain test
+			this.ctx.req.body.password = Math.random();
+
+			this.uc.loginFindUser = function (ctx, fn) {
+			  expect(ctx.req.body).to.eql({ username: 'foo@bar.com', password: 'abcd' });
+			  fn(null, { id: '123', username: 'foo@bar.com', password: hashedPassword });
+			};
+
+			this.complete = function (err, res) {
+			  expect(err).to.equal("Missing request body")
+				done();
+			};
+
+			this.uc.handle(this.ctx);
+
+		})
 
 		it('should login a user when credentials are POSTed to "/login"', function(done) {
 			var test = this;