From f54fdd301b7c60ceaf95c33663ef22c70381e7b2 Mon Sep 17 00:00:00 2001
From: Wissam
Date: Fri, 17 Mar 2017 17:51:26 -0400
Subject: [PATCH] Do not create user if username or password is empty
---
 spec/ParseServerRESTController.spec.js | 24 ++++++++++++++++++++++++
 src/RestWrite.js | 4 ++--
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/spec/ParseServerRESTController.spec.js b/spec/ParseServerRESTController.spec.js
index ffbfa04077..06d5999a09 100644
--- a/spec/ParseServerRESTController.spec.js
+++ b/spec/ParseServerRESTController.spec.js
@@ -1,5 +1,7 @@
 const ParseServerRESTController = require('../src/ParseServerRESTController').ParseServerRESTController;
 const ParseServer = require('../src/ParseServer').default;
+const Parse = require('parse/node').Parse;
+
 let RESTController;
 describe('ParseServerRESTController', () => {
@@ -103,6 +105,28 @@ describe('ParseServerRESTController', () => {
 });
 });
+ it('ensures no user is created when passing an empty username', (done) => {
+ RESTController.request("POST", "/classes/_User", {username: "", password: "world"}).then(() => {
+ jfail(new Error('Success callback should not be called when passing an empty username.'));
+ done();
+ }, (err) => {
+ expect(err.code).toBe(Parse.Error.USERNAME_MISSING);
+ expect(err.message).toBe('bad or missing username');
+ done();
+ });
+ });
+
+ it('ensures no user is created when passing an empty password', (done) => {
+ RESTController.request("POST", "/classes/_User", {username: "hello", password: ""}).then(() => {
+ jfail(new Error('Success callback should not be called when passing an empty password.'));
+ done();
+ }, (err) => {
+ expect(err.code).toBe(Parse.Error.PASSWORD_MISSING);
+ expect(err.message).toBe('password is required');
+ done();
+ });
+ });
+
 it('ensures no session token is created on creating users', (done) => {
 RESTController.request("POST", "/classes/_User", {username: "hello", password: "world"}).then((user) => {
 expect(user.sessionToken).toBeUndefined();
diff --git a/src/RestWrite.js b/src/RestWrite.js
index 43738ae388..0cdc88bca9 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -204,11 +204,11 @@ RestWrite.prototype.validateAuthData = function() {
 }
 if (!this.query && !this.data.authData) {
- if (typeof this.data.username !== 'string') {
+ if (typeof this.data.username !== 'string' || _.isEmpty(this.data.username)) {
 throw new Parse.Error(Parse.Error.USERNAME_MISSING, 'bad or missing username');
 }
- if (typeof this.data.password !== 'string') {
+ if (typeof this.data.password !== 'string' || _.isEmpty(this.data.password)) {
 throw new Parse.Error(Parse.Error.PASSWORD_MISSING, 'password is required');
 }
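Review bot: In spec/ParseServerRESTController.spec.js the two new tests are titled "ensures no user is created", but their error callbacks assert only `err.code` and `err.message`; nothing checks that `_User` is still empty after the rejection. To pin the property the title names, each error callback could count the `_User` objects before calling `done()` (for example with `new Parse.Query(Parse.User).count({useMasterKey: true})`) and `expect` the result to be `0`. A case for a non-string value such as `{username: 123, password: "world"}` would also keep the older `typeof` branch covered alongside the new empty-string one.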
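Review bot: In src/RestWrite.js the added `_.isEmpty(...)` checks reject only the zero-length string, so a whitespace-only value such as `" "` would presumably still pass both guards and reach user creation. If blank credentials should be refused too, the username condition could read `typeof this.data.username !== 'string' || this.data.username.trim() === ''`, with a matching decision taken for the password. The guards also sit inside `if (!this.query && !this.data.authData)`, so an update that sets `password` to `""` is not covered by this hunk; whether another path rejects it is not visible here. The enclosing function (validateAuthData, per the hunk header) starts and ends outside the hunk.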