k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-21 14:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(auth): trim username and email on all write paths

Browse Source 
Self-registration stored values verbatim, so trailing whitespace could
produce rows that lookup code (which trims input) silently misses.
Trim username and email before validation and INSERT in registerUser,
adminService.updateUser, and oidcService.findOrCreateUser. updateSettings
and adminService.createUser already trimmed correctly.

Adds a one-shot backfill migration (trimUserWhitespace) that trims
existing dirty rows; collisions are resolved by appending __migrated_<id>
to the value with a loud console.warn so operators can review affected
accounts.

18 new tests covering registration trim, duplicate detection, admin
update trim, trip-member lookup regression, and all migration branches.
This commit is contained in:
jubnl
2026-05-03 17:10:45 +02:00
parent e655a7a4e4
commit 6fd045e0c1
8 changed files with 302 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/tests/integration/admin.test.ts
+47
View File
@@ -368,6 +368,53 @@ describe('Admin user management', () => {
});
});
// ─────────────────────────────────────────────────────────────────────────────
// Admin user management — whitespace normalization
// ─────────────────────────────────────────────────────────────────────────────
describe('Admin user management — whitespace normalization', () => {
it('ADMIN-UPDATE-TRIM-1 — PUT /admin/users/:id trims username before storing', async () => {
const { user: admin } = createAdmin(testDb);
const { user } = createUser(testDb);
const res = await request(app)
.put(`/api/admin/users/${user.id}`)
.set('Cookie', authCookie(admin.id))
.send({ username: ' trimmedadmin ' });
expect(res.status).toBe(200);
const row = testDb.prepare('SELECT username FROM users WHERE id = ?').get(user.id) as { username: string };
expect(row.username).toBe('trimmedadmin');
});
it('ADMIN-UPDATE-TRIM-2 — PUT /admin/users/:id trims email before storing', async () => {
const { user: admin } = createAdmin(testDb);
const { user } = createUser(testDb);
const res = await request(app)
.put(`/api/admin/users/${user.id}`)
.set('Cookie', authCookie(admin.id))
.send({ email: ' newemail@example.com ' });
expect(res.status).toBe(200);
const row = testDb.prepare('SELECT email FROM users WHERE id = ?').get(user.id) as { email: string };
expect(row.email).toBe('newemail@example.com');
});
it('ADMIN-UPDATE-TRIM-3 — PUT /admin/users/:id with whitespace-padded username that trims to existing returns 409', async () => {
const { user: admin } = createAdmin(testDb);
const { user: existing } = createUser(testDb, { username: 'carol' });
const { user: target } = createUser(testDb);
const res = await request(app)
.put(`/api/admin/users/${target.id}`)
.set('Cookie', authCookie(admin.id))
.send({ username: ` ${existing.username} ` });
expect(res.status).toBe(409);
});
});
// ─────────────────────────────────────────────────────────────────────────────
// System stats
// ─────────────────────────────────────────────────────────────────────────────