diff --git a/lib/Pear/LocalLoop.pm b/lib/Pear/LocalLoop.pm
index 965c5c1..a485cd0 100644
--- a/lib/Pear/LocalLoop.pm
+++ b/lib/Pear/LocalLoop.pm
@@ -150,8 +150,6 @@ sub startup {
 $api->post('/user')->to('api-user#post_account');
 $api->post('/user/account')->to('api-user#post_account_update');
 $api->post('/user/day')->to('api-user#post_day');
- $api->post('/edit')->to('api-api#post_edit');
- $api->post('/fetchuser')->to('api-api#post_fetchuser');
 $api->post('/user-history')->to('api-user#post_user_history');
 $api->post('/stats')->to('api-stats#post_index');
 $api->post('/stats/leaderboard')->to('api-stats#post_leaderboards');
diff --git a/lib/Pear/LocalLoop/Controller/Api/Api.pm b/lib/Pear/LocalLoop/Controller/Api/Api.pm
deleted file mode 100644
index 5b23cf0..0000000
--- a/lib/Pear/LocalLoop/Controller/Api/Api.pm
+++ /dev/null
@@ -1,59 +0,0 @@
-package Pear::LocalLoop::Controller::Api::Api;
-use Mojo::Base 'Mojolicious::Controller';
-use Data::Dumper;
-
-sub post_edit {
- my $self = shift;
-
- my $json = $self->req->json;
-
- my $account = $self->get_account_by_username( $json->{username} );
-
- unless ( defined $account ) {
- return $self->render( json => {
- success => Mojo::JSON->false,
- message => 'Username not recognised, has your token expired?',
- });
-# PLUG SECURITY HOLE
- } elsif ( $account->{keyused} ne 't' ) {
- return $self->render( json => {
- success => Mojo::JSON->false,
- message => 'Token has not been used yet!',
- });
- }
- my $insert = $self->db->prepare("UPDATE accounts SET fullname = ?, postcode = ?, age = ?, gender = ?, WHERE username = ?");
- $insert->execute(
- @{$json}{ qw/ fullname postcode age gender / }, $account->{username},
- );
-
- $self->render( json => { success => Mojo::JSON->true } );
-}
-
-
-sub post_fetchuser {
- my $self = shift;
-
- my $json = $self->req->json;
-
- my $account = $self->get_account_by_username( $json->{username} );
-
- unless ( defined $account ) {
- return $self->render( json => {
- success => Mojo::JSON->false,
- message => 'Username not recognised, has your token expired?',
- });
-# PLUG SECURITY HOLE
- } elsif ( $account->{keyused} ne 't' ) {
- return $self->render( json => {
- success => Mojo::JSON->false,
- message => 'Token has not been used yet!',
- });
- }
-
-# Add stuff to send back to user below here!
- $self->render( json => {
- success => Mojo::JSON->true,
- });
-}
-
-1;
diff --git a/lib/Pear/LocalLoop/Controller/Api/User.pm b/lib/Pear/LocalLoop/Controller/Api/User.pm
index 5efd10c..ef9ec89 100644
--- a/lib/Pear/LocalLoop/Controller/Api/User.pm
+++ b/lib/Pear/LocalLoop/Controller/Api/User.pm
@@ -11,10 +11,10 @@ has error_messages => sub {
 required => { message => 'No name sent or was blank.', status => 400 },
 },
 display_name => {
- required => { message => 'No name sent or was blank.', status => 400 },
+ required => { message => 'No display name sent or was blank.', status => 400 },
 },
 full_name => {
- required => { message => 'No name sent or was blank.', status => 400 },
+ required => { message => 'No full name sent or was blank.', status => 400 },
 },
 email => {
 required => { message => 'No email sent.', status => 400 },
@@ -56,7 +56,7 @@ sub post_account {
 my $c = shift;
 my $user = $c->stash->{api_user};
- my $user_result = $c->schema->resultset('User')->find({ user_id => $c->stash->{api_user}->id });
+ my $user_result = $c->schema->resultset('User')->find({ id => $c->stash->{api_user}->id });
 if ( defined $user_result ) {
 my $email = $user_result->email;
@@ -77,7 +77,6 @@ sub post_account {
 return $c->render( json => {
 success => Mojo::JSON->true,
- session_key => $session_key,
 full_name => $full_name,
 display_name => $display_name,
 email => $email,
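Review bot: In the post_account hunk (`@@ -56,7 +56,7 @@`) the new `find({ id => $c->stash->{api_user}->id })` re-fetches the row that `$user`, assigned on the line just above, already holds, so the lookup is an extra query and `$user` goes unused here. If `api_user` is the User result row (the later hunks call `check_password` and `->customer` on it, which suggests so), `my $user_result = $user;` is enough; otherwise at least `find({ id => $user->id })` avoids reading the stash twice. The `if ( defined $user_result )` guard and the rest of post_account lie outside the hunk.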
@@ -97,18 +96,35 @@ sub post_account_update {
 my $c = shift;
 my $user = $c->stash->{api_user};
+
 my $validation = $c->validation;
 $validation->input( $c->stash->{api_json} );
+ $validation->required('password');
- my $user_result = $c->schema->resultset('User');
+ return $c->api_validation_error if $validation->has_error;
- $validation->required('email')->in_resultset( 'email', $user_result );
+ if ( ! $user->check_password($validation->param('password')) ) {
+ return $c->render(
+ json => {
+ success => Mojo::JSON->false,
+ message => 'password is invalid.',
+ },
+ status => 401
+ );
+ }
+
+ my $user_rs = $c->schema->resultset('User')->search({
+ id => { "!=" => $user->id },
+ });
+
+ $validation->required('email')->not_in_resultset( 'email', $user_rs );
 $validation->required('postcode')->postcode;
+ $validation->optional('new_password');
- if ( defined $user_result->customer_id) ) {
+ if ( defined $user->customer_id ) {
 $validation->required('display_name');
 $validation->required('full_name');
- } elsif ( defined $user_result->customer_id ) {
+ } elsif ( defined $user->customer_id ) {
 $validation->required('name');
 $validation->required('street_name');
 $validation->required('town');
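Review bot: The `elsif` on the last changed line still tests `defined $user->customer_id`, the same condition as the `if` above it, so the organisation rules (`name`, `street_name`, `town` required) can never be applied and an organisation user only has to satisfy the customer rules. The update hunk further down branches on `defined $user->organisation_id`, and this one should match it: `} elsif ( defined $user->organisation_id ) {`. The new `$validation->optional('new_password')` accepts any non-empty value; if a minimum length is wanted it belongs on that line (e.g. a `->size(...)` check). post_account_update continues past the end of the hunk.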
@@ -116,62 +132,38 @@ sub post_account_update {
 return $c->api_validation_error if $validation->has_error;
- if ($usertype eq 'customer'){
+ if ( defined $user->customer_id ){
 $c->schema->txn_do( sub {
- my $customer = $c->schema->resultset('Customer')->find({
- user_id => $c->stash->{api_user}->id
- })->update({
+ $user->customer->update({
 full_name => $validation->param('full_name'),
 display_name => $validation->param('display_name'),
 postcode => $validation->param('postcode'),
 });
- $c->schema->resultset('User')->find({
- user_id => $c->stash->{api_user}->id
- })->update({
- email => $validation->param('email'),
- password => $validation->param('new_password')
+ $user->update({
+ email => $validation->param('email'),
+ ( defined $validation->param('new_password') ? ( password => $validation->param('new_password') ) : () ),
 });
 });
 }
- elsif ($usertype eq 'organisation') {
+ elsif ( defined $user->organisation_id ) {
 my $fullAddress = $validation->param('fulladdress');
 $c->schema->txn_do( sub {
- my $organisation = $c->schema->resultset('Organisation')->find({
- user_id => $c->stash->{api_user}->id
- })->update({
+ $user->organisation->update({
 name => $validation->param('name'),
 street_name => $validation->param('street_name'),
 town => $validation->param('town'),
 postcode => $validation->param('postcode'),
 });
- $c->schema->resultset('User')->find({
- user_id => $c->stash->{api_user}->id
- })->update({
- # customer => $customer,
+ $user->update({
 email => $validation->param('email'),
- password => $validation->param('new_password')
+ ( defined $validation->param('new_password') ?
( password => $validation->param('new_password') ) : () ),
 });
 });
 }
- $c->schema->resultset('Customer')->find({
- user_id => $c->stash->{api_user}->id
- })->update({
- full_name => $validation->param('full_name'),
- display_name => $validation->param('display_name'),
- postcode => $validation->param('postcode'),
- });
- $c->schema->resultset('User')->find({
- user_id => $c->stash->{api_user}->id
- })->update({
- # organisation => $organisation,
- email => $validation->param('email'),
- password => $validation->param('new_password')
- });
-
 return $c->render( json => {
 success => Mojo::JSON->true,
 message => 'Edited Account Successfully',
diff --git a/t/api/user.t b/t/api/user.t
index 76eb6ee..a848e95 100644
--- a/t/api/user.t
+++ b/t/api/user.t
@@ -20,7 +20,7 @@ $schema->resultset('AccountToken')->create({
 $framework->register_customer({
 'token' => $account_token,
 'full_name' => 'Test User',
- 'display_name' => 'Test User',
+ 'display_name' => 'Testing User',
 'email' => $email,
 'postcode' => 'LA1 1AA',
 'password' => $password,
@@ -34,7 +34,7 @@ my $session_key = $framework->login({
 my $json_no_date = { session_key => $session_key };
 $t->post_ok('/api/user/day', json => $json_no_date)
- ->status_is(200)
+ ->status_is(200)->or($framework->dump_error)
 ->json_is('/success', Mojo::JSON->true);
 my $json_invalid_date = {
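Review bot: If `$user` has neither `customer_id` nor `organisation_id` set, the new `if`/`elsif` performs no update and the function still falls through to the `success => Mojo::JSON->true, message => 'Edited Account Successfully'` render below, so the caller is told the edit was applied when nothing changed; whether such a row can exist depends on the schema, which is outside this diff, but the unconditional updates this hunk removes never answered success silently. An `else` branch that reports the unhandled account type (shown below, with whatever status the project uses for server-side inconsistencies) closes the gap. The two `$user->update({ email => ..., ( defined $validation->param('new_password') ? ... : () ) })` payloads are now identical and could be built once into a hash before the branch. The context line `my $fullAddress = $validation->param('fulladdress');` reads a parameter that is neither validated nor used in either branch. post_account_update starts before the hunk.
```perl
    # … unchanged: customer and organisation branches …
    else {
        # Neither foreign key is set: say so instead of reporting a successful
        # edit for a request that updated nothing.
        return $c->render(
            json   => { success => Mojo::JSON->false, message => 'Account type not recognised.' },
            status => 500,
        );
    }
    # … unchanged: success render …
```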
@@ -54,4 +54,84 @@ $t->post_ok('/api/user/day', json => $json_valid_date)
 ->status_is(200)->or($framework->dump_error)
 ->json_is('/success', Mojo::JSON->true);
+$t->post_ok('/api/user', json => { session_key => $session_key })
+ ->status_is(200)->or($framework->dump_error)
+ ->json_is({
+ success => Mojo::JSON->true,
+ full_name => 'Test User',
+ display_name => 'Testing User',
+ email => $email,
+ postcode => 'LA1 1AA',
+ });
+
+#with wrong password
+$t->post_ok('/api/user/account', json => {
+ session_key => $session_key,
+ full_name => 'Test User 2',
+ display_name => 'Testing User 2',
+ email => 'test50@example.com',
+ postcode => 'LA1 1AB',
+ password => 'abc12431',
+ })
+ ->status_is(401)->or($framework->dump_error)
+ ->json_is({
+ success => Mojo::JSON->false,
+ message => 'password is invalid.',
+ });
+
+# With valid details
+$t->post_ok('/api/user/account', json => {
+ session_key => $session_key,
+ full_name => 'Test User 2',
+ display_name => 'Testing User 2',
+ email => 'test50@example.com',
+ postcode => 'LA1 1AB',
+ password => $password,
+ })
+ ->status_is(200)->or($framework->dump_error)
+ ->json_is({
+ success => Mojo::JSON->true,
+ message => 'Edited Account Successfully',
+ });
+
+$t->post_ok('/api/user', json => { session_key => $session_key })
+ ->status_is(200)->or($framework->dump_error)
+ ->json_is({
+ success => Mojo::JSON->true,
+ full_name => 'Test User 2',
+ display_name => 'Testing User 2',
+ email => 'test50@example.com',
+ postcode => 'LA1 1AB',
+ });
+
+$t->post_ok('/api/user/account', json => {
+ session_key => $session_key,
+ full_name => 'Test User 3',
+ display_name => 'Testing User 3',
+ email => 'test60@example.com',
+ postcode => 'LA1 1AD',
+ password => $password,
+ new_password => 'abc124',
+ })
+ ->status_is(200)->or($framework->dump_error)
+ ->json_is({
+ success => Mojo::JSON->true,
+ message => 'Edited Account Successfully',
+ });
+
+$t->post_ok('/api/user', json => { session_key => $session_key }) +
->status_is(200)->or($framework->dump_error)
+ ->json_is({
+ success => Mojo::JSON->true,
+ full_name => 'Test User 3',
+ display_name => 'Testing User 3',
+ email => 'test60@example.com',
+ postcode => 'LA1 1AD',
+ });
+
+$session_key = $framework->login({
+ email => 'test60@example.com',
+ password => 'abc124',
+});
+
 done_testing;
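Review bot: The final `$session_key = $framework->login({ ... password => 'abc124' })` is the only check that the `new_password` path actually changed the stored password, yet its result is never asserted; if `login` returns a false value on a bad password (the framework is outside this diff) the file still passes with that path broken, so add `ok $session_key, 'login with new password succeeds';` and, under the same assumption, `ok !$framework->login({ email => 'test60@example.com', password => $password }), 'old password no longer accepted';`. The wrong-password request that expects 401 is followed directly by the valid update, so nothing shows the rejected request left `full_name` and `email` untouched; a `/api/user` check between the two would pin that.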