added some middleware to reject bad things in the body

Author: david-rocca

src/controller/org.controller/index.js

@@ -1423,9 +1423,11 @@ router.post('/org/:shortname/user',
     .bail()
     .customSanitizer(toUpperCaseArray)
     .custom(isUserRole),
+  mw.rejectUnexpectedKeys(['username', 'org_uuid', 'uuid', 'name', 'authority']),
   parseError,
   parsePostParams,
   controller.USER_CREATE_SINGLE)
+
 router.get('/org/:shortname/user/:username',
   /*
   #swagger.tags = ['Users']

src/middleware/middleware.js

@@ -547,6 +547,27 @@ function containsNoInvalidCharacters (val) {
   return true
 }
 
+/**
+ * Middleware factory that rejects any keys in the request body
+ * that are not listed in the allowedKeys array.
+ *
+ * @param {Array<string>} allowedKeys - List of permitted keys in req.body
+ * @returns {function} Express middleware
+ */
+function rejectUnexpectedKeys (allowedKeys) {
+  return (req, res, next) => {
+    const bodyKeys = Object.keys(req.body || {})
+    const unexpected = bodyKeys.filter(k => !allowedKeys.includes(k))
+    if (unexpected.length > 0) {
+      return res.status(400).json({
+        error: 'Unexpected keys in request body',
+        unexpected
+      })
+    }
+    next()
+  }
+}
+
 module.exports = {
   setCacheControl,
   optionallyValidateUser,
@@ -572,5 +593,6 @@ module.exports = {
   toUpperCaseArray,
   toLowerCaseArray,
   containsNoInvalidCharacters,
-  trimJSONWhitespace
+  trimJSONWhitespace,
+  rejectUnexpectedKeys
 }