diff --git a/back/api/auth.js b/back/api/auth.js
index d137163..3a739cc 100644
--- a/back/api/auth.js
+++ b/back/api/auth.js
@@ -7,6 +7,11 @@ const router = express.Router();
 router.post('/login', async (req, res) => {
 const { username, password } = req.body;
+
+ if (!username || !password) {
+ return res.status(400).send({ error: 'Invalid username or password' });
+ }
+
 const connection = await getConnection();
 const user = await getUserByUsername(connection, username);
 connection.end();
@@ -25,6 +30,11 @@ router.post('/register', async (req, res) => {
 const { username, password } = req.body;
 const connection = await getConnection();
+ if (!username || !password) {
+ connection.end();
+ return res.status(400).send({ error: 'Invalid username or password' });
+ }
+
 const user = await getUserByUsername(connection, username);
 if (user[0]) {
 connection.end();
@@ -44,7 +54,17 @@ router.post('/register', async (req, res) => {
 router.post('/me', async (req, res) => {
 const { token } = req.body;
+
+ if (!token) {
+ return res.status(400).send({ error: 'Invalid token' });
+ }
+
 const decoded = jwt.verify(token, process.env.JWT_SECRET);
+
+ if (!decoded.id) {
+ return res.status(400).send({ error: 'Invalid token' });
+ }
+
 const connection = await getConnection();
 const users = await getUser(connection, decoded.id);
 connection.end();
diff --git a/back/api/channels.js b/back/api/channels.js
index 11a1c5d..912b044 100644
--- a/back/api/channels.js
+++ b/back/api/channels.js
@@ -62,6 +62,11 @@ router.post('/:name/messages/send', async (req, res) => {
 router.post('/:name/messages/delete', async (req, res) => {
 const { token, message_id } = req.body;
 const name = req.params.name;
+
+ if (!message_id || !token) {
+ return res.status(400).send({ error: 'Missing parameters' });
+ }
+
 const connection = await getConnection();
 const decoded = jwt.verify(token, process.env.JWT_SECRET);
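Review bot: The new guard in the login handler only tests truthiness, so a JSON body such as `{"username": {"username": 1}, "password": "x"}` passes it and `getUserByUsername` receives an object instead of a string. If `getConnection` wraps the `mysql` driver that libs/mysql.js appears to use, its placeholder escaping expands an object into `key = value` pairs, so `WHERE username = ?` becomes `WHERE username = `username` = 1`, which as I read the escaping rules holds for every row and hands back an arbitrary user; the same applies to `password` wherever it is compared. Pin the types in the guard: `if (typeof username !== 'string' || typeof password !== 'string' || !username || !password) {`. The remainder of the login handler, including the password comparison, is outside the hunk.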
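Review bot: In the register hunk the guard is placed after `await getConnection()`, which is why it has to call `connection.end()` itself; hoisting it above the `getConnection()` line, as the login handler in this same file does, removes that error-path cleanup and avoids opening a database connection for a request that is about to be rejected. The check should also require strings, `if (typeof username !== 'string' || typeof password !== 'string' || !username || !password) {`, since JSON bodies can carry objects or arrays that the truthiness test admits and that then reach the `addUser` placeholders. Whether `password` is hashed before it is handed to `addUser` is not visible in this hunk and is worth confirming; the handler continues past the hunk.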
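Review bot: In the `/me` hunk, `jwt.verify` on the `const decoded = ...` line throws on a malformed, tampered or expired token and nothing here catches it, so the new `if (!decoded.id)` branch is only reached for tokens that already verified, while a bad token rejects the async handler; unless this Express version forwards rejected promises to the error handler, that request never receives a response. Wrap the call: `let decoded; try { decoded = jwt.verify(token, process.env.JWT_SECRET); } catch (err) { return res.status(401).send({ error: 'Invalid token' }); }`. Consider also passing `{ algorithms: ['HS256'] }` (or whatever the signer uses) so the accepted algorithm is explicit rather than derived from the secret's type, and answering a rejected token with 401 rather than 400. The tail of the handler is outside the hunk.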
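Review bot: In the channels delete hunk, `await getConnection()` runs before `jwt.verify`, and verify throws on a bad token, so a forged or expired token leaves the connection open (there is no `connection.end()` on that path) and the handler rejected without a response; verify inside a try/catch that returns 401 first, and only then acquire the connection. The `!message_id` test also admits arrays and objects from a JSON body, which the driver escapes into something other than a single number inside `WHERE id = ?`; require an integer, e.g. `if (!token || !Number.isInteger(Number(message_id))) {`, and pass `Number(message_id)` on to the delete. The rest of the handler, including any ownership check before the delete, is outside the hunk.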
@@ -89,6 +94,11 @@ router.post('/:name/messages/delete', async (req, res) => {
 router.post('/add', async (req, res) => {
 const { name, description, token } = req.body;
+
+ if (!name || !description || !token) {
+ return res.status(400).send({ error: 'Missing parameters' });
+ }
+
 const connection = await getConnection();
 const decoded = jwt.verify(token, process.env.JWT_SECRET);
diff --git a/back/libs/mysql.js b/back/libs/mysql.js
index 60b452a..16a3262 100644
--- a/back/libs/mysql.js
+++ b/back/libs/mysql.js
@@ -12,7 +12,8 @@ function getConnection() {
 function getUser(connection, id) {
 return new Promise((resolve, reject) => {
 connection.query(
- `SELECT * FROM users WHERE id = ${id}`,
+ `SELECT * FROM users WHERE id = ?`,
+ [id], // Use parameterized query
 (error, result) => {
 if (error) {
 reject(new Error(error));
@@ -24,23 +25,25 @@ function getUser(connection, id) {
 }
 function getUserByUsername(connection, username) {
- return new Promise((resolve, reject) => {
- connection.query(
- `SELECT * FROM users WHERE username = '${username}'`,
- (error, result) => {
- if (error) {
- reject(new Error(error));
- }
- resolve(result);
+ return new Promise((resolve, reject) => {
+ connection.query(
+ `SELECT * FROM users WHERE username = ?`,
+ [username], // Use parameterized query
+ (error, result) => {
+ if (error) {
+ reject(new Error(error));
 }
- );
- });
+ resolve(result);
+ }
+ );
+ });
 }
 function addUser(connection, username, password) {
 return new Promise((resolve, reject) => {
 connection.query(
- `INSERT INTO users (username, password) VALUES ('${username}', '${password}')`,
+ `INSERT INTO users (username, password) VALUES (?, ?)`,
+ [username, password], // Use parameterized query
 (error, result) => {
 if (error) {
 reject(new Error(error));
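Review bot: In the `/add` hunk, `name` and `description` are only checked for truthiness, so an array or object from a JSON body passes and reaches the `addChannel` placeholders, where the driver's escaping produces a `key = value` fragment rather than a plain string value; and `name` later serves as the `/:name/...` path parameter used by the other routes in this file, so a name consisting of whitespace or containing slashes is accepted here but awkward to address afterwards. Require strings and reject blanks before the connection is opened: `if (typeof name !== 'string' || typeof description !== 'string' || !name.trim() || !description || !token) {`, plus whatever length limits match the column definitions. Like the delete route, this handler awaits `getConnection()` before `jwt.verify`, so a throwing verify leaks the connection; the handler continues past the hunk.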
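Review bot: `reject(new Error(error))` in the rewritten `getUserByUsername` callback wraps the driver's error object in a new Error, which stringifies it into the message and drops `code`, `errno` and `sqlMessage`, so a caller cannot tell a duplicate-username `ER_DUP_ENTRY` from a connection failure; and because there is no `return` after the `reject`, `resolve(result)` still executes on the error path (harmless once the promise is settled, but misleading to read). Prefer `if (error) { reject(error); return; } resolve(result);`, or `reject(new Error('query failed', { cause: error }))` on Node 16.9+ if wrapping is wanted. The same callback is repeated verbatim in every wrapper of this file, which suggests a single `query(connection, sql, params)` helper. Whether the `password` handed to `addUser` is already hashed is not visible here; `addUser` continues past the hunk.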
@@ -52,17 +55,23 @@ function addUser(connection, username, password) {
 }
 function getUserLastMessages(connection, username) {
- return new Promise((resolve, reject) => {
- connection.query(
- `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id WHERE username = "${username}" ORDER BY date DESC LIMIT 5`,
- (error, result) => {
- if (error) {
- reject(new Error(error));
- }
- resolve(result);
+ return new Promise((resolve, reject) => {
+ connection.query(
+ `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
+ FROM messages
+ JOIN users ON messages.user_id = users.id
+ JOIN channels ON messages.channel_id = channels.id
+ WHERE username = ?
+ ORDER BY date DESC LIMIT 5`,
+ [username], // Use parameterized query
+ (error, result) => {
+ if (error) {
+ reject(new Error(error));
 }
- );
- });
+ resolve(result);
+ }
+ );
+ });
 }
 function getChannels(connection) {
@@ -82,7 +91,11 @@ function getChannels(connection) {
 function getChannel(connection, name) {
 return new Promise((resolve, reject) => {
 connection.query(
- `SELECT channels.id, name, description, owner_id, username AS owner_username FROM channels JOIN users ON channels.owner_id = users.id WHERE name = "${name}"`,
+ `SELECT channels.id, name, description, owner_id, username AS owner_username
+ FROM channels
+ JOIN users ON channels.owner_id = users.id
+ WHERE name = ?`,
+ [name], // Use parameterized query
 (error, result) => {
 if (error) {
 reject(new Error(error));
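Review bot: The rewritten `getUserLastMessages` is the fourth copy in this file of the same eleven-line `new Promise` / `connection.query` / `if (error) reject` scaffold, differing only in the SQL text and the parameter array, and the `// Use parameterized query` comment repeats on each copy what the `?` placeholder already says. Extracting one `runQuery(connection, sql, params)` helper would shrink each accessor to a single call, give one place to decide how driver errors are surfaced (passing the driver's error through keeps its `code` and `sqlMessage`, which `new Error(error)` discards), and make the next query impossible to write with string interpolation by accident. The shape I would use follows; `getChannel` and the others would become one-liners in the same way.
```javascript
// Run one statement with placeholders and settle a promise with the driver's result.
// Rejects with the driver's error object itself so callers can inspect `code`/`sqlMessage`.
function runQuery(connection, sql, params = []) {
  return new Promise((resolve, reject) => {
    connection.query(sql, params, (error, result) => {
      if (error) {
        reject(error);
        return;
      }
      resolve(result);
    });
  });
}

function getUserLastMessages(connection, username) {
  return runQuery(
    connection,
    `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
     FROM messages
     JOIN users ON messages.user_id = users.id
     JOIN channels ON messages.channel_id = channels.id
     WHERE username = ?
     ORDER BY date DESC LIMIT 5`,
    [username],
  );
}
// … unchanged: getChannels, getChannel …
```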
@@ -94,73 +107,86 @@ function getChannel(connection, name) {
 }
 function addChannel(connection, name, description, owner_id) {
- return new Promise((resolve, reject) => {
- connection.query(
- `INSERT INTO channels (name, description, owner_id) VALUES ('${name}', '${description}', ${owner_id})`,
- (error, result) => {
- if (error) {
- reject(new Error(error));
- }
- resolve(result);
+ return new Promise((resolve, reject) => {
+ connection.query(
+ `INSERT INTO channels (name, description, owner_id) VALUES (?, ?, ?)`,
+ [name, description, owner_id], // Use parameterized query
+ (error, result) => {
+ if (error) {
+ reject(new Error(error));
 }
- );
- });
+ resolve(result);
+ }
+ );
+ });
 }
 function getMessages(connection, channel_id) {
- return new Promise((resolve, reject) => {
- connection.query(
- `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id WHERE channel_id = ${channel_id} ORDER BY date DESC`,
- (error, result) => {
- if (error) {
- reject(new Error(error));
- }
- resolve(result);
+ return new Promise((resolve, reject) => {
+ connection.query(
+ `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
+ FROM messages
+ JOIN users ON messages.user_id = users.id
+ JOIN channels ON messages.channel_id = channels.id
+ WHERE channel_id = ?
+ ORDER BY date DESC`,
+ [channel_id], // Use parameterized query
+ (error, result) => {
+ if (error) {
+ reject(new Error(error));
 }
- );
- });
+ resolve(result);
+ }
+ );
+ });
 }
 function getLastMessages(connection) {
- return new Promise((resolve, reject) => {
- connection.query(
- `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name FROM messages JOIN users ON messages.user_id = users.id JOIN channels ON messages.channel_id = channels.id ORDER BY date DESC LIMIT 5`,
- (error, result) => {
- if (error) {
- reject(new Error(error));
- }
- resolve(result);
+ return new Promise((resolve, reject) => {
+ connection.query(
+ `SELECT messages.id, user_id, username, content, date, channels.name AS channel_name
+ FROM messages
+ JOIN users ON messages.user_id = users.id
+ JOIN channels ON messages.channel_id = channels.id
+ ORDER BY date DESC LIMIT 5`,
+ (error, result) => {
+ if (error) {
+ reject(new Error(error));
 }
- );
- });
+ resolve(result);
+ }
+ );
+ });
 }
 function addMessage(connection, channel_id, user_id, message) {
- return new Promise((resolve, reject) => {
- connection.query(
- `INSERT INTO messages (channel_id, user_id, content, date) VALUES (${channel_id}, ${user_id}, "${message}", ${Math.floor(Date.now() / 1000)})`,
- (error, result) => {
- if (error) {
- reject(new Error(error));
- }
- resolve(result);
+ return new Promise((resolve, reject) => {
+ connection.query(
+ `INSERT INTO messages (channel_id, user_id, content, date) VALUES (?, ?, ?, ?)`,
+ [channel_id, user_id, message, Math.floor(Date.now() / 1000)], // Use parameterized query
+ (error, result) => {
+ if (error) {
+ reject(new Error(error));
 }
- );
- });
+ resolve(result);
+ }
+ );
+ });
 }
 function deleteMessage(connection, message_id) {
- return new Promise((resolve, reject) => {
- connection.query(
- `DELETE FROM messages WHERE id = ${message_id}`,
- (error, result) => {
- if (error) {
- reject(new Error(error));
- }
- resolve(result);
+ return new Promise((resolve, reject) => {
+ connection.query(
+ `DELETE FROM messages WHERE id = ?`,
+ [message_id], // Use parameterized query
+ (error, result) => {
+ if (error) {
+ reject(new Error(error));
 }
- );
- });
+ resolve(result);
+ }
+ );
+ });
 }
 module.exports = {
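Review bot: The parameterised `DELETE FROM messages WHERE id = ?` in `deleteMessage` still deletes whichever row the caller names with no ownership predicate, so unless the `/:name/messages/delete` route compares the message's `user_id` (or the channel's `owner_id`) against the token's user before calling it, any authenticated user can delete any message by id; that check lives in channels.js and is not visible in this hunk. Scoping the statement itself is cheap and fails closed: `DELETE FROM messages WHERE id = ? AND user_id = ?` with `[message_id, user_id]` as the parameters, the route already has `decoded.id` at hand, and `result.affectedRows === 0` can then be reported as not found. The `module.exports` list continues past the hunk.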