Merge pull request #462 from redpwn/fix/misc-type-fixes

chen-robert · web-flow · commit 163e25bc94f7 · 2020-08-06T20:16:56.000-07:00
misc type fixes
diff --git a/server/auth/token.ts b/server/auth/token.ts
@@ -14,21 +14,43 @@ export enum tokenKinds {
   ctftimeAuth = 4
 }
 
-export enum VerifyTokenKinds {
-  update = 'update',
-  register = 'register'
-}
+export type VerifyTokenKinds = 'update' | 'register' | 'recover'
 
 export type AuthTokenData = string
+
 export type TeamTokenData = string
-export interface VerifyTokenData {
+
+interface BaseVerifyTokenData {
   verifyId: string
   kind: VerifyTokenKinds
+}
+
+export interface RegisterVerifyTokenData extends BaseVerifyTokenData {
+  kind: 'register'
+  email: User['email']
+  name: User['name']
+  division: User['division']
+}
+
+export interface UpdateVerifyTokenData extends BaseVerifyTokenData {
+  kind: 'update'
   userId: User['id']
   email: User['email']
   division: User['division']
 }
-export type CtftimeAuthTokenData = string
+
+export interface RecoverTokenData extends BaseVerifyTokenData {
+  kind: 'recover'
+  userId: User['id']
+  email: User['email']
+}
+
+export type VerifyTokenData = RegisterVerifyTokenData | UpdateVerifyTokenData | RecoverTokenData
+
+export interface CtftimeAuthTokenData {
+  name: User['name']
+  ctftimeId: User['ctftimeId']
+}
 
 // Internal map of type definitions for typing purposes only -
 // this type does not describe a real data-structure
diff --git a/server/database/users.ts b/server/database/users.ts
@@ -6,9 +6,9 @@ import { DivisionACLError } from '../errors'
 export interface User {
   id: string;
   name: string;
-  email: string;
+  email?: string;
   division: keyof ServerConfig['divisions'];
-  ctftimeId: string;
+  ctftimeId?: string;
   perms: number;
 }
 
diff --git a/server/util/restrict.ts b/server/util/restrict.ts
@@ -1,6 +1,6 @@
 import config, { ServerConfig } from '../config/server'
 
-type ACLCheck = (email: string) => boolean
+type ACLCheck = (email: string | undefined) => boolean
 
 export interface ACL {
   match: string;
@@ -16,11 +16,11 @@ interface CompiledACL {
 let acls: CompiledACL[]
 
 const restrictionChecks: { [checkType: string]: (value: string) => ACLCheck } = {
-  domain: value => email => email.endsWith('@' + value),
+  domain: value => email => email?.endsWith('@' + value) ?? false,
   email: value => email => email === value,
   regex: value => {
     const re = new RegExp(value)
-    return email => re.test(email)
+    return email => email === undefined ? false : re.test(email)
   },
   any: value => email => true // eslint-disable-line @typescript-eslint/no-unused-vars
 }
@@ -45,7 +45,7 @@ export const compileACLs = (): void => {
 
 compileACLs()
 
-export const allowedDivisions = (email: string): string[] => {
+export const allowedDivisions = (email: string | undefined): string[] => {
   for (const acl of acls) {
     if (acl.check(email)) {
       return acl.divisions
@@ -54,6 +54,6 @@ export const allowedDivisions = (email: string): string[] => {
   return []
 }
 
-export const divisionAllowed = (email: string, division: string): boolean => {
+export const divisionAllowed = (email: string | undefined, division: string): boolean => {
   return allowedDivisions(email).includes(division)
 }
diff --git a/test/unit/restrict.js b/test/unit/restrict.js
@@ -85,3 +85,28 @@ test.serial('throws error on invalid matcher', t => {
   error = t.throws(restrict.compileACLs)
   t.is(error.message, 'Unrecognized ACL matcher "__proto__"')
 })
+
+test.serial('denies no email with all matchers except any', t => {
+  config.divisionACLs = [{
+    match: 'domain',
+    value: 'good-domain.com',
+    divisions: ['domain']
+  }, {
+    match: 'email',
+    value: 'allowed@test.com',
+    divisions: ['email']
+  }, {
+    match: 'regex',
+    value: '^regex-email(-[a-z]+)?@test.com$',
+    divisions: ['regex']
+  }, {
+    match: 'any',
+    value: '',
+    divisions: ['any']
+  }]
+  restrict.compileACLs()
+  t.false(restrict.divisionAllowed(undefined, 'domain'))
+  t.false(restrict.divisionAllowed(undefined, 'email'))
+  t.false(restrict.divisionAllowed(undefined, 'regex'))
+  t.true(restrict.divisionAllowed(undefined, 'any'))
+})
