fix: the bank api has no authentication mechanism in server.js

The bank API has no authentication mechanism
pull/1811/head
orbisai0security 1 week ago
parent 5f220217d3
commit c06955ee8c

@ -64,12 +64,14 @@ router.post('/accounts', (req, res) => {
}
// Create account
const token = crypto.randomBytes(16).toString('hex');
const account = {
user: req.body.user,
currency: req.body.currency,
description: req.body.description || `${req.body.user}'s budget`,
balance: balance || 0,
transactions: [],
token,
};
db[req.body.user] = account;
@ -87,6 +89,11 @@ router.get('/accounts/:user', (req, res) => {
return res.status(404).json({ error: 'User does not exist' });
}
// Verify caller identity via token
if (req.headers.authorization !== account.token) {
return res.status(401).json({ error: 'Unauthorized' });
}
return res.json(account);
});
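Review bot: The token check `req.headers.authorization !== account.token` is a plain string compare, so the 401 path's timing varies with how many leading bytes of the guess match; the same check is repeated verbatim in the three hunks below (`router.delete('/accounts/:user')`, `router.post('/accounts/:user/transactions')`, `router.delete('/accounts/:user/transactions/:id')`). Compare with `crypto.timingSafeEqual` after a length check (it throws on unequal lengths), and since all four handlers do the same 404-then-401 dance, a shared middleware keeps the check in one place so a future route cannot forget it. Note also that `res.json(account)` on the line before serialises the stored `token` back to the caller on every GET; if that is not intended, strip it from the response as shown. `crypto` is already in scope from the account-creation hunk above.
```javascript
// Authenticates the caller for every /accounts/:user route; loads the account onto req.
function requireAccountToken(req, res, next) {
  const account = db[req.params.user];
  if (!account) {
    return res.status(404).json({ error: 'User does not exist' });
  }
  const presented = Buffer.from(String(req.headers.authorization ?? ''));
  const expected = Buffer.from(account.token);
  // Length check first: timingSafeEqual throws on buffers of different length.
  if (presented.length !== expected.length || !crypto.timingSafeEqual(presented, expected)) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  req.account = account;
  return next();
}

router.get('/accounts/:user', requireAccountToken, (req, res) => {
  // Do not echo the bearer secret back in the account representation.
  const { token, ...publicAccount } = req.account;
  return res.json(publicAccount);
});
// … unchanged: the delete and transaction handlers take the same middleware …
```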
@ -101,6 +108,11 @@ router.delete('/accounts/:user', (req, res) => {
return res.status(404).json({ error: 'User does not exist' });
}
// Verify caller identity via token
if (req.headers.authorization !== account.token) {
return res.status(401).json({ error: 'Unauthorized' });
}
// Removed account
delete db[req.params.user];
@ -118,6 +130,11 @@ router.post('/accounts/:user/transactions', (req, res) => {
return res.status(404).json({ error: 'User does not exist' });
}
// Verify caller identity via token
if (req.headers.authorization !== account.token) {
return res.status(401).json({ error: 'Unauthorized' });
}
// Check mandatory requests parameters
if (!req.body.date || !req.body.object || !req.body.amount) {
return res.status(400).json({ error: 'Missing parameters' });
@ -171,6 +188,11 @@ router.delete('/accounts/:user/transactions/:id', (req, res) => {
return res.status(404).json({ error: 'User does not exist' });
}
// Verify caller identity via token
if (req.headers.authorization !== account.token) {
return res.status(401).json({ error: 'Unauthorized' });
}
const transactionIndex = account.transactions.findIndex(
(transaction) => transaction.id === req.params.id
);
