Add getUserTokenMinusSQLInjection to prevent SQL Injection in via the

cookies (that may be not possible, but it is a safety guard I want to add. (Chat: https://t3.chat/chat/c1883e6a-6c38-4af3-9818-0e927449c61c)
2025-06-23 13:04:23 +00:00 · 2025-06-10 09:39:11 +08:00 · 2025-06-10 09:39:11 +08:00 · 2895263e52
commit 2895263e52
parent bd3a81dfbc
10 changed files with 90 additions and 54 deletions
--- a/components/app/windows/news.vue
+++ b/components/app/windows/news.vue
@ -168,9 +168,11 @@ const jaccardSimilarity = (v1: any, v2: any) => {
  return intersection.size / union.size;
 };

-const findRel = async (title: string) => {
+/*
+const findRel =
+async (title: string) => {
  const req = await fetch("/api/sort");
-};
+};*/

 // Check words
 const checkIfEmptyArray = [];
--- a/components/app/windows/settings.vue
+++ b/components/app/windows/settings.vue
@ -99,6 +99,8 @@ const deleteAccount = async () => {
  const req = await fetch("/api/user/sendUserChanges", {
    method: "DELETE",
  });
+  const res = await res.json();
+  console.log(res);
 };

 const submitChangeAction = async (action: string) => {
--- a/i18n/locales/en.json
+++ b/i18n/locales/en.json
@ -138,7 +138,7 @@
    "opennewwindow": "This will open a new window",
    "similararticles": "Similar Articles",
    "similarity": "Similarity",
-    "nosimilararticles": "There isn't any similar articles.",
+    "nosimilararticles": "There aren't any similar articles.",
    "articleopenpart1": "This will open a open a new window about this new org",
    "articleopenpart2": ""
  }
--- a/server/api/user/delete.ts
+++ b/server/api/user/delete.ts
@ -1 +0,0 @@
-export default defineEventHandler(async (event) => {});
--- a/server/api/user/logout.ts
+++ b/server/api/user/logout.ts
@ -1,15 +1,16 @@
+import getUserTokenMinusSQLInjection from "~/server/components/getUserToken";
+
 export default defineEventHandler(async (event) => {
-  const loginCookie = getCookie(event, "session");
-  const lastCheckCookie = getCookie(event, "last_check");
-  const nowDate = new Date().toLocaleString();
+  const loginCookie = await getUserTokenMinusSQLInjection(event);
  try {
-    if (loginCookie) {
+    if (false) {
      deleteCookie(event, "token");
      return {
        success: true,
        error: null,
      };
    }
+    return "testing";
  } catch (e) {
    return {
      success: false,
--- a/server/api/user/sendUserChanges.delete.ts
+++ b/server/api/user/sendUserChanges.delete.ts
@ -1,6 +1,34 @@
+import sql from "~/server/components/postgres";
+import getUserTokenMinusSQLInjection from "~/server/components/getUserToken";
 export default defineEventHandler(async (event) => {
-  const userToken = getCookie(event, "token");
+  try {
+    const userToken = await getUserTokenMinusSQLInjection(event);
+    if (userToken.error.length !== 0) {
      return {
-    token: userToken,
+        error: userToken.error,
      };
+    }
+    // REMOVE OLD TOKENS
+    const removeToken = await sql`
+    DELETE FROM usertokens
+    WHERE username = ${userToken.user}
+    `;
+    console.log(removeToken);
+    // DELETE USER
+    const deleteUserAccount = await sql`
+    DELETE FROM users
+    WHERE username = ${userToken.user}
+    `;
+    console.log(deleteUserAccount);
+    deleteCookie(event, "token");
+    return {
+      success: true,
+    };
+  } catch (e) {
+    console.log(e);
+    return {
+      error: "INTERNAL_SERVER_ERROR",
+      e: e.message,
+    };
+  }
 });
--- a/server/api/user/sendUserChanges.post.ts
+++ b/server/api/user/sendUserChanges.post.ts
@ -1,17 +1,9 @@
 import sql from "~/server/components/postgres";
+import getUserTokenMinusSQLInjection from "~/server/components/getUserToken";
 export default defineEventHandler(async (event) => {
  // Check user data.
-  const userToken = getCookie(event, "token");
-  if (!userToken) {
-    return {
-      error: "ERR_NOT_ALLOWED",
-    };
-  }
-  const checkUserToken = await sql`
-    select * from usertokens
-    where token=${userToken}
-    `;
-  if (checkUserToken.length === 0) {
+  const token = await getUserTokenMinusSQLInjection(event);
+  if (token.error.length !== 0) {
    return {
      error: "ERR_NOT_ALLOWED",
    };
@ -37,26 +29,11 @@ export default defineEventHandler(async (event) => {
      `
      UPDATE user_other_data SET ${requestChange} = $1
      WHERE username = $2`,
-      [apiKeyqq[0], checkUserToken[0].username],
+      [apiKeyqq[0], token.user],
    );
-
-    /**
-     * // Example of how requestChange might be validated
-     const allowedColumns = ['groq_api_key', 'another_column_name'];
-
-     if (!allowedColumns.includes(requestChange)) {
-       throw new Error('Invalid column name provided');
-     }
-
-     const sqlC = await sql`
-           UPDATE user_other_data SET ${sql.identifier([requestChange])} = ${apiKeyqq[0]}
-           WHERE username = ${checkUserToken[0].username}`;
-     */
    return {
-      body: body,
-      allowed: allowed,
-      data: body.value.match(clearBadDataRegex),
      sqlC: sqlC,
+      success: true,
    };
  }
 });
--- a/server/api/user/submitGroqKey.ts
+++ b/server/api/user/submitGroqKey.ts
@ -1,19 +1,11 @@
 import sql from "~/server/components/postgres";
+import getUserTokenMinusSQLInjection from "~/server/components/getUserToken";
 export default defineEventHandler(async (event) => {
  // Check user data.
-  const userToken = getCookie(event, "token");
-  if (!userToken) {
+  const user = getUserTokenMinusSQLInjection(event);
+  if (user.error.length !== 0) {
    return {
-      error: "ERR_NOT_ALLOWED",
-    };
-  }
-  const checkUserToken = await sql`
-    select * from usertokens
-    where token=${userToken}
-    `;
-  if (checkUserToken.length === 0) {
-    return {
-      error: "ERR_NOT_ALLOWED",
+      error: user.error,
    };
  }
  // Actual function
@ -26,7 +18,7 @@ export default defineEventHandler(async (event) => {
    `
      UPDATE user_other_data SET ${requestChange} = $1
      WHERE username = $2`,
-    [apiKeyqq[0], checkUserToken[0].username],
+    [apiKeyqq[0], user.user],
  );
  return {
    body: body,
--- a/server/components/getUserToken.ts
+++ b/server/components/getUserToken.ts
@ -0,0 +1,35 @@
+import sql from "~/server/components/postgres";
+export default async function getUserTokenMinusSQLInjection(event) {
+  const userToken = await getCookie(event, "token");
+  if (!userToken) {
+    return {
+      token: null,
+      user: null,
+      error: "NO_TOKEN",
+    };
+  }
+  const uuidRegex =
+    /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+  if (!uuidRegex.test(userToken)) {
+    return {
+      token: null,
+      user: null,
+      error: "INVALID_TOKEN_FORMAT",
+    };
+  }
+  const getUser = await sql`
+    select * from usertokens
+    where token = ${userToken}`;
+  if (getUser.length === 0) {
+    return {
+      token: null,
+      user: null,
+      error: "NOT_AUTHED",
+    };
+  }
+  return {
+    token: userToken,
+    user: getUser[0].username,
+    error: "",
+  };
+}
--- a/server_fixes.md
+++ b/server_fixes.md
@ -17,7 +17,7 @@ And also I wrote a super stupid cron fix, which is below.
 ## My stupid cron fix:
 Cron Job:
 ```
-0 1 * * * "bun run /hardpushrevolvconf.ts" > /dev/null
+0 * * * * "bun run /hardpushrevolvconf.ts" > /dev/null
 ```

 Here is the script I used to force the change of my resolv.conf file:
				`@ -1 +0,0 @@`
				`export default defineEventHandler(async (event) => {});`