From ba8221f03ad3c8aea8759f4654063197c93b31b7 Mon Sep 17 00:00:00 2001
From: Matt Henderson <matt_henderson@sil.org>
Date: Wed, 29 Apr 2020 14:55:58 -0400
Subject: [PATCH] Return 400 (instead of crashing) if no appId given in POST
 /u2f

---
 models/u2f.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/models/u2f.js b/models/u2f.js
index e5f0001..8e1e427 100644
--- a/models/u2f.js
+++ b/models/u2f.js
@@ -116,6 +116,11 @@ module.exports.createRegistration = (apiKeyValue, apiSecret, {appId} = {}, callb
       return;
     }
 
+    if ((!appId) || typeof appId !== 'string') {
+      response.returnError(400, 'appId is required', callback);
+      return;
+    }
+
     const registrationRequest = u2f.request(appId);
 
     const u2fUuid = uuid.v4();