Update and improve the security

Nitro · Nitro · commit 9b8e7ba1cb9c · 2020-09-12T02:39:04.000+09:00
diff --git a/README.md b/README.md
@@ -143,6 +143,7 @@ Request: `/comment`
 ```json
 {
     "id":"ID from mongodb, ObjectID",
+    "email":"User Email, @avonoldfarms.com",
     "pw":"String, MD5 encrypted password"
 }
 ```
@@ -151,6 +152,7 @@ Request: `/comment`
 ```json
 {
     "id":"5f59080a5923552004a899f3",
+    "email":"test1@avonoldfarms.com",
     "pw":"4a7d1ed414474e4033ac29ccb8653d9b"
 }
 ```
diff --git a/src/database/comment.js b/src/database/comment.js
@@ -31,11 +31,12 @@ async function addComment(date, name, email, pw, meal, menu, like, comment) {
     }
 }
 
-async function deleteComment(id, pw) {
+async function deleteComment(id, email, pw) {
     const db = await getDB()
     let item = await db.collection(colName).findOne(
         {
             _id: id,
+            email: email,
             pw: pw,
         }
     )
diff --git a/src/index.js b/src/index.js
@@ -1,3 +1,5 @@
+// Backend Ver: v2.0.1
+
 // Importing Environmental Variables
 if (process.env.NODE_ENV !== 'production') {
   require('dotenv').config()
@@ -30,7 +32,7 @@ const {
   isComment
 } = require('./modules/valid')
 
-const debug = true
+const debug = false
 
 // Initializing App
 const app = express()
@@ -195,19 +197,31 @@ app.post('/comment', async (req, res) => {
 
 app.post('/delete_comment', async (req, res) => {
   let id = ObjectID(req.body.id) // Hexadecimal
+  let email = req.body.email
   let pw = req.body.pw // MD5
 
+  if (debug) {
+    console.log(id)
+    console.log(email)
+    console.log(pw)
+  }
+
   if (!isHexadecimal(id)) {
     callback(res, 400, 'POST Error: Invalid comment id.')
     return
   }
 
+  if (!isEmail(email)) {
+    callback(res, 400, 'POST Error: Invalid email.')
+    return
+  }
+
   if (!isMD5(pw)) {
     callback(res, 400, 'POST Error: Invalid password.')
     return
   }
 
-  const r = await deleteComment(id, pw).catch((error) => {
+  const r = await deleteComment(id, email, pw).catch((error) => {
     if (error === 403) {
       callback(res, 403, 'POST Error: Cannot find the comment to delete.')
     } else {
@@ -244,9 +258,9 @@ app.get('/comment', async (req, res) => {
 })
 
 function callback(res, code, text) {
-  if (debug) {
-    console.log(text)
-  }
+  //if (debug) {
+  console.log(text)
+  //}
   res.status(code).send({ message: text })
 }
 

Original file line number	Diff line number	Diff line change
@@ -143,6 +143,7 @@ Request: `/comment`
`143`	`143`	```json
`144`	`144`	`{`
`145`	`145`	`"id":"ID from mongodb, ObjectID",`
	`146`	`+ "email":"User Email, @avonoldfarms.com",`
`146`	`147`	`"pw":"String, MD5 encrypted password"`
`147`	`148`	`}`
`148`	`149`	```
@@ -151,6 +152,7 @@ Request: `/comment`
`151`	`152`	```json
`152`	`153`	`{`
`153`	`154`	`"id":"5f59080a5923552004a899f3",`
	`155`	`+ "email":"test1@avonoldfarms.com",`
`154`	`156`	`"pw":"4a7d1ed414474e4033ac29ccb8653d9b"`
`155`	`157`	`}`
`156`	`158`	```
Original file line number	Diff line number	Diff line change
`@@ -31,11 +31,12 @@ async function addComment(date, name, email, pw, meal, menu, like, comment) {`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`
`34`		`-async function deleteComment(id, pw) {`
	`34`	`+async function deleteComment(id, email, pw) {`
`35`	`35`	`const db = await getDB()`
`36`	`36`	`let item = await db.collection(colName).findOne(`
`37`	`37`	`{`
`38`	`38`	`_id: id,`
	`39`	`+ email: email,`
`39`	`40`	`pw: pw,`
`40`	`41`	`}`
`41`	`42`	`)`