This may all be golden and I just don't know it. But before I go asking around, I wanted to do my due diligence and make sure that I wasn't missing something.
Does this look OK? If something is jacked up, what's lacking and how can I fix it?
Tags: Node.js, JavaScript
Last comment: Bruce Gust, 8/22/2022 - Mon

Bruce Gust (ASKER):
I've gotten a little more feedback, but again, I want to try to figure this out using my own resources before I just start bellyaching...
The two lines of code that are specified in the ticket belong to two different files respectively. First is the "login.js" file and the line that's targeted as a problem is the "let redirect = (req.body.redirect != '') ? req.body.redirect : '/';" line.
router.post('/login/auth', async (req, res) => {
  if (typeof req.body.email == 'undefined' || typeof req.body.password == 'undefined') {
    flash.add(req, 'Please enter a valid email address and password before trying again.', 'danger');
    return res.redirect('/login');
  }
  let resp = await user.auth(req.body.email, req.body.password);
  if (resp.error) {
    flash.add(req, 'The provided email address and password combination is invalid. Please try again. If you need further assistance, please call 855.581.9910.', 'danger');
    return res.redirect('/login');
  }
  req.session.user = resp.data;
  await user.lastLogin(); // Update lastLogin date
  // the line flagged in the ticket: the posted redirect value is used as-is
  let redirect = (req.body.redirect != '') ? req.body.redirect : '/';
  res.redirect(redirect);
});
I know that let redirect = (req.body.redirect != '') ? req.body.redirect : '/'; is a ternary IF statement, but what does it mean? I've seen this where the result is a Boolean value, but that doesn't make sense here. What is it asking / proving? And why is this a problem if the session variables have already been established? Why would my teammate raise the concern that it hasn't been "validated?"
Second scenario is line #19 in the "index.js" page:
// load the environment
app.use((req, res, next) => {
  // set a global reference to the session so that we have some access outside
  // of the routers without having to pass it around everywhere
  if (typeof req.session != 'undefined' && typeof req.session.user != 'undefined') {
    // the object ids do not survive the serialization process, so we need to fix
    // that here for ease of use elsewhere
    let user = req.session.user;
    user._id = new ObjectId(user._id);
    user.account._id = new ObjectId(user.account._id);
    // assign the global reference
    global._user = user;
    // set the default timezone based on the user's settings
    // (typeof check: the original compared the value to the string 'undefined')
    moment.tz.setDefault(typeof req.session.user.settings.timezone == 'undefined' ? 'America/Chicago' : req.session.user.settings.timezone);
  } else {
    // the line flagged in the ticket (line #19): no session, so bounce to login
    // and carry the requested url along as the redirect parameter
    if (!/^\/login/i.test(req.url)) {
      return res.redirect('/login?redirect=' + encodeURIComponent(req.url));
    }
    moment.tz.setDefault('America/Chicago');
  }
  // set the api key for use in templates
  global._googleAPIKey = process.env.GOOGLE_MAP_KEY;
  // add in the global object models for reference
  global._objectModels = require('./server/lib/object-models');
  global._objectModels.company = require('./server/lib/model-company');
  global._objectModels.proposal = require('./server/lib/model-proposal');
  // set a reference to the root directory
  global._rootPath = __dirname;
  // set a global reference to the requested url
  global._url = req.url.replace(/(\?.*)$/, '');
  // and wrap it up
  next();
});
What is this: if (!/^\/login/i.test(req.url
...and again, if I'm looking at "let user = req.session.user," why is there a concern that this hasn't been validated?

Bruce Gust (ASKER):
I got it figured out. I went back to my coworker after I was convinced I could sound intelligent, believing that he was concerned about the way in which the current syntax did not evaluate the URL the user was coming from and, sure enough, that was it.
I put the expected URL in the .env file and then built a simple IF statement to see if that's where the user was coming from and, if so, BOOM!
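The two flagged lines side by side, as an added example that is not code from the thread or from the asker's project. It shows what the `/^\/login/i.test(req.url)` check asks, why the ternary in login.js passes the posted `redirect` value through without validating it, and one way to write the "is this where the user came from" check the asker added. `safeRedirect` and `isLoginRoute` are hypothetical helper names, and `APP_ORIGIN` stands in for the expected URL kept in `.env`; both are assumptions, not names from the thread.

```javascript
// Added example, not the asker's code. APP_ORIGIN is a constructed value
// standing in for the expected URL the asker stores in .env.
const APP_ORIGIN = 'https://app.example';

// The middleware test /^\/login/i.test(req.url) asks one thing:
// "does the requested path start with /login (case-insensitive)?"
// It keeps the login page itself from being redirected to /login again.
const LOGIN_PATH = /^\/login/i;
function isLoginRoute(url) {
  return LOGIN_PATH.test(url);
}

// The original ternary from login.js: if the posted redirect field is not an
// empty string, use it, otherwise go to "/". Two things it does not check:
// a missing field is undefined, not '', so undefined is passed straight to
// res.redirect(); and an absolute URL to another host is accepted as-is.
function unvalidatedRedirect(body) {
  return (body.redirect != '') ? body.redirect : '/';
}

// A validated version (hypothetical helper): only a path on our own origin is
// accepted; anything else falls back to "/". Rejected cases: missing or
// non-string values, absolute URLs (https://other.host/...), protocol-relative
// URLs (//other.host), backslash variants (/\other.host), control characters,
// and the login page itself.
function safeRedirect(body, appOrigin) {
  const target = body.redirect;
  if (typeof target !== 'string' || target === '') return '/';
  // Resolve the value against our own origin. If the result lands on a
  // different origin, the value was absolute or protocol-relative.
  let parsed;
  try {
    parsed = new URL(target, appOrigin);
  } catch (e) {
    return '/';
  }
  if (parsed.origin !== new URL(appOrigin).origin) return '/';
  // Belt and braces: only plain local paths, no leading double slash or backslash.
  if (!target.startsWith('/') || target.startsWith('//') || target.startsWith('/\\')) return '/';
  if (/[\u0000-\u001f]/.test(target)) return '/';
  // Never bounce the user back onto the login page.
  if (isLoginRoute(parsed.pathname)) return '/';
  return parsed.pathname + parsed.search;
}

// Drop-in for the flagged line in login.js (hypothetical usage):
//   let redirect = safeRedirect(req.body, process.env.APP_ORIGIN);
//   res.redirect(redirect);
module.exports = { isLoginRoute, unvalidatedRedirect, safeRedirect, APP_ORIGIN };
```

The point of resolving the value with `new URL(target, appOrigin)` rather than string-matching alone is that the URL parser already normalizes the variants (`//host`, `/\host`, `https://host`) onto their real origin, so the origin comparison catches them in one place; the explicit `startsWith` checks are a second, independent line of defence.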