
Commit b868164

committed
Improve Server-Side Security
- Sanitize API requests
- Add error-handling middleware

Signed-off-by: Snehil Shah <[email protected]>
1 parent 7ffe89a commit b868164


6 files changed

+517
-347
lines changed


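--- a/Backend/index.js
+++ b/Backend/index.js
@@ -4,6 +4,7 @@ require("dotenv").config();
 const cors = require("cors");
 const routes_auth = require("./routes/auth");
 const routes_general = require("./routes/route");
+const { handleBadRequests } = require("./middlewares");
 const session = require("express-session");
 const bodyParser = require("body-parser");
 const { connectDB } = require("./db");
@@ -36,6 +37,8 @@ app.get("/", (_req, res) => {
 app.use("/", routes_general);
 app.use("/auth", routes_auth);
 
+app.use(handleBadRequests);
+
 // Start the server
 app.listen(process.env.PORT || 8000, () => {
 console.log(`connected to port ${process.env.PORT || 8000}`);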
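Review bot: `app.use(handleBadRequests)` at new line 40 can only see errors that are thrown synchronously or handed to `next(err)`; with express ^4.18.2 (package.json in this commit) a rejected promise from an `async` route handler never reaches error middleware, and the request hangs until the client times out. The same commit adds `exceptionHandler` to middlewares.js for exactly that case, but routes/route.js and routes/auth.js are not in view here, so it is worth confirming every async handler is wrapped, e.g. `router.post("/x", exceptionHandler(async (req, res) => { ... }))`. Since registration order decides what the handler catches, a one-line comment above the call would help the next maintainer: `// Error-handling middleware: must stay after all routers so their errors reach it`.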

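--- a/Backend/middlewares.js
+++ b/Backend/middlewares.js
@@ -1,11 +1,11 @@
-const jwt_decode = require('jwt-decode');
+const jwt_decode = require("jwt-decode");
 
 const ADMIN_ROLES = {
-PRESIDENT: '[email protected]',
-GENSEC_SCITECH: '[email protected]',
-GENSEC_ACADEMIC: '[email protected]',
-GENSEC_CULTURAL: '[email protected]',
-GENSEC_SPORTS: '[email protected]',
+PRESIDENT: "[email protected]",
+GENSEC_SCITECH: "[email protected]",
+GENSEC_ACADEMIC: "[email protected]",
+GENSEC_CULTURAL: "[email protected]",
+GENSEC_SPORTS: "[email protected]",
 };
 
 const ADMIN_CREDENTIALS = {
@@ -37,29 +37,33 @@ const authenticateAdmin = (req, res, next, expectedRole) => {
 const decoded = jwt_decode(jwtToken);
 
 if (!jwtToken || !isAdmin(decoded, expectedRole)) {
-return res.status(401).json({ success: false, message: 'Unauthorized Admin' });
+return res
+.status(401)
+.json({ success: false, message: "Unauthorized Admin" });
 }
 
 req.DB_credentials = ADMIN_CREDENTIALS[expectedRole];
 req.decoded = decoded;
 next();
 } catch (error) {
 console.error(error);
-return res.status(500).json({ success: false, message: 'Internal Server Error' });
+return res
+.status(500)
+.json({ success: false, message: "Internal Server Error" });
 }
 };
 
 const isAdmin = (decoded, expectedRole) => {
 return (
 decoded.email === ADMIN_ROLES[expectedRole] &&
-decoded.iss === 'https://accounts.google.com' &&
+decoded.iss === "https://accounts.google.com" &&
 decoded.exp > Date.now() / 1000 &&
 decoded.aud === process.env.GOOGLE_CLIENT_ID
 );
 };
 
 exports.restrictToPresident = (req, res, next) => {
-authenticateAdmin(req, res, next, 'PRESIDENT');
+authenticateAdmin(req, res, next, "PRESIDENT");
 };
 
 exports.restrictToAdmin = (req, res, next) => {
@@ -71,22 +75,33 @@ const getAdminRole = (req) => {
 const userEmail = decoded.email;
 
 if (userEmail === ADMIN_ROLES.GENSEC_SCITECH) {
-return 'GENSEC_SCITECH';
+return "GENSEC_SCITECH";
 } else if (userEmail === ADMIN_ROLES.GENSEC_ACADEMIC) {
-return 'GENSEC_ACADEMIC';
+return "GENSEC_ACADEMIC";
 } else if (userEmail === ADMIN_ROLES.GENSEC_CULTURAL) {
-return 'GENSEC_CULTURAL';
+return "GENSEC_CULTURAL";
 } else if (userEmail === ADMIN_ROLES.GENSEC_SPORTS) {
-return 'GENSEC_SPORTS';
+return "GENSEC_SPORTS";
 }
 
-return ''; // Default case or handle as needed
+return ""; // Default case or handle as needed
 };
 
 exports.isAuthenticated = (req, res, next) => {
 if (req.isAuthenticated()) {
 return next();
 } else {
-return res.status(401).json({ message: 'Unauthorized' });
+return res.status(401).json({ message: "Unauthorized" });
 }
 };
+
+exports.handleBadRequests = function (err, req, res) {
+console.error(err.stack);
+res.status(500).send("Something broke!");
+};
+
+exports.exceptionHandler = function (f) {
+return function (req, res, next) {
+Promise.resolve(f(req, res, next)).catch(next);
+};
+};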
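Review bot: `handleBadRequests` (new lines 98–101) declares only three parameters, but Express tells error-handling middleware apart from ordinary middleware by function arity, so a `(err, req, res)` function is mounted as a normal handler: it runs for every request that falls through the routers (turning plain 404s into `500 Something broke!`, with `err.stack` being `req.stack`, i.e. `undefined`) while real errors skip it and hit Express's default handler. Declare the fourth parameter even though it is unused, `exports.handleBadRequests = function (err, req, res, next) {`, with `// eslint-disable-next-line no-unused-vars` above it if the linter complains. Separately, `jwt_decode` on context line 37 only base64-decodes the token and performs no signature check, so the `iss`/`aud`/`exp`/`email` comparisons in `isAdmin` run against claims the client can forge freely; before trusting `decoded.email` the Google ID token should be verified against Google's published signing keys (package.json already lists `jsonwebtoken`, or use Google's own verifier library). `authenticateAdmin` begins before this hunk, so the code that extracts `jwtToken` from the request is not visible here.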

Backend/package-lock.json

Lines changed: 26 additions & 0 deletions

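--- a/Backend/package.json
+++ b/Backend/package.json
@@ -35,6 +35,7 @@
 "eslint-plugin-react": "^7.33.2",
 "express": "^4.18.2",
 "express-session": "^1.17.3",
+"express-validator": "^7.0.1",
 "jsonwebtoken": "^9.0.2",
 "jwt-decode": "^3.1.2",
 "mongodb": "^6.1.0",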
