Jackie/rentall-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

protect against sql injection, xss, csrf

Browse Source
This commit is contained in:
jackiettran
2025-09-16 12:27:15 -04:00
parent ce0b7bd0cc
commit a9fa579b6d
10 changed files with 1311 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
backend/routes/auth.js
View File

@@ -2,11 +2,17 @@ const express = require("express");
const jwt = require("jsonwebtoken");
const { OAuth2Client } = require("google-auth-library");
const { User } = require("../models"); // Import from models/index.js to get models with associations
const {
sanitizeInput,
validateRegistration,
validateLogin,
validateGoogleAuth
} = require("../middleware/validation");
const router = express.Router();
const googleClient = new OAuth2Client(process.env.GOOGLE_CLIENT_ID);
router.post("/register", async (req, res) => {
router.post("/register", sanitizeInput, validateRegistration, async (req, res) => {
try {
const { username, email, password, firstName, lastName, phone } = req.body;
@@ -17,7 +23,10 @@ router.post("/register", async (req, res) => {
});
if (existingUser) {
return res.status(400).json({ error: "User already exists" });
return res.status(400).json({
error: "Registration failed",
details: [{ field: "email", message: "An account with this email already exists" }]
});
}
const user = await User.create({
@@ -44,20 +53,40 @@ router.post("/register", async (req, res) => {
token,
});
} catch (error) {
res.status(500).json({ error: error.message });
console.error('Registration error:', error);
res.status(500).json({ error: "Registration failed. Please try again." });
}
});
router.post("/login", async (req, res) => {
router.post("/login", sanitizeInput, validateLogin, async (req, res) => {
try {
const { email, password } = req.body;
const user = await User.findOne({ where: { email } });
if (!user || !(await user.comparePassword(password))) {
if (!user) {
return res.status(401).json({ error: "Invalid credentials" });
}
// Check if account is locked
if (user.isLocked()) {
return res.status(423).json({
error: "Account is temporarily locked due to too many failed login attempts. Please try again later."
});
}
// Verify password
const isPasswordValid = await user.comparePassword(password);
if (!isPasswordValid) {
// Increment login attempts
await user.incLoginAttempts();
return res.status(401).json({ error: "Invalid credentials" });
}
// Reset login attempts on successful login
await user.resetLoginAttempts();
const token = jwt.sign({ id: user.id }, process.env.JWT_SECRET, {
expiresIn: "7d",
});
@@ -73,11 +102,12 @@ router.post("/login", async (req, res) => {
token,
});
} catch (error) {
res.status(500).json({ error: error.message });
console.error('Login error:', error);
res.status(500).json({ error: "Login failed. Please try again." });
}
});
router.post("/google", async (req, res) => {
router.post("/google", sanitizeInput, validateGoogleAuth, async (req, res) => {
try {
const { idToken } = req.body;
@@ -165,9 +195,8 @@ router.post("/google", async (req, res) => {
.status(400)
.json({ error: "Malformed Google token. Please try again." });
}
res
.status(500)
.json({ error: "Failed to authenticate with Google: " + error.message });
console.error('Google auth error:', error);
res.status(500).json({ error: "Google authentication failed. Please try again." });
}
});