Merge pull request #260 from supertokens/input-validation-fix

fix: Input validation fix for emailpassword APIs

Author: rishabhpoddar

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.10.6]
+
+-   Fixes panic issue in input validation for emailpassword APIs - https://github.com/supertokens/supertokens-golang/issues/254
+
 ## [0.10.5] - 2023-03-31
 
 -   Adds search APIs to the dashboard recipe

recipe/emailpassword/api/generatePasswordResetToken.go

@@ -39,7 +39,7 @@ func GeneratePasswordResetToken(apiImplementation epmodels.APIInterface, options
 		return err
 	}
 
-	formFields, err := validateFormFieldsOrThrowError(options.Config.ResetPasswordUsingTokenFeature.FormFieldsForGenerateTokenForm, formFieldsRaw["formFields"].([]interface{}))
+	formFields, err := validateFormFieldsOrThrowError(options.Config.ResetPasswordUsingTokenFeature.FormFieldsForGenerateTokenForm, formFieldsRaw["formFields"])
 	if err != nil {
 		return err
 	}

recipe/emailpassword/api/passwordReset.go

@@ -39,7 +39,7 @@ func PasswordReset(apiImplementation epmodels.APIInterface, options epmodels.API
 		return err
 	}
 
-	formFields, err := validateFormFieldsOrThrowError(options.Config.ResetPasswordUsingTokenFeature.FormFieldsForPasswordResetForm, formFieldsRaw["formFields"].([]interface{}))
+	formFields, err := validateFormFieldsOrThrowError(options.Config.ResetPasswordUsingTokenFeature.FormFieldsForPasswordResetForm, formFieldsRaw["formFields"])
 	if err != nil {
 		return err
 	}

recipe/emailpassword/api/signin.go

@@ -38,7 +38,7 @@ func SignInAPI(apiImplementation epmodels.APIInterface, options epmodels.APIOpti
 		return err
 	}
 
-	formFields, err := validateFormFieldsOrThrowError(options.Config.SignInFeature.FormFields, formFieldsRaw["formFields"].([]interface{}))
+	formFields, err := validateFormFieldsOrThrowError(options.Config.SignInFeature.FormFields, formFieldsRaw["formFields"])
 	if err != nil {
 		return err
 	}

recipe/emailpassword/api/signup.go

@@ -39,7 +39,7 @@ func SignUpAPI(apiImplementation epmodels.APIInterface, options epmodels.APIOpti
 		return err
 	}
 
-	formFields, err := validateFormFieldsOrThrowError(options.Config.SignUpFeature.FormFields, formFieldsRaw["formFields"].([]interface{}))
+	formFields, err := validateFormFieldsOrThrowError(options.Config.SignUpFeature.FormFields, formFieldsRaw["formFields"])
 	if err != nil {
 		return err
 	}

recipe/emailpassword/api/utils.go

@@ -24,17 +24,30 @@ import (
 	"github.com/supertokens/supertokens-golang/recipe/emailpassword/errors"
 )
 
-func validateFormFieldsOrThrowError(configFormFields []epmodels.NormalisedFormField, formFieldsRaw []interface{}) ([]epmodels.TypeFormField, error) {
+func validateFormFieldsOrThrowError(configFormFields []epmodels.NormalisedFormField, formFieldsRaw interface{}) ([]epmodels.TypeFormField, error) {
 	if formFieldsRaw == nil {
 		return nil, defaultErrors.New("Missing input param: formFields")
 	}
 
-	if len(formFieldsRaw) == 0 {
+	if _, ok := formFieldsRaw.([]interface{}); !ok {
 		return nil, defaultErrors.New("formFields must be an array")
 	}
 
 	var formFields []epmodels.TypeFormField
-	for _, rawFormField := range formFieldsRaw {
+	for _, rawFormField := range formFieldsRaw.([]interface{}) {
+
+		if _, ok := rawFormField.(map[string]interface{}); !ok {
+			return nil, defaultErrors.New("formFields must be an array of objects containing id and value of type string")
+		}
+
+		if _, ok := rawFormField.(map[string]interface{})["id"].(string); !ok {
+			return nil, defaultErrors.New("formFields must be an array of objects containing id and value of type string")
+		}
+
+		if _, ok := rawFormField.(map[string]interface{})["value"].(string); !ok {
+			return nil, defaultErrors.New("formFields must be an array of objects containing id and value of type string")
+		}
+
 		jsonformField, err := json.Marshal(rawFormField)
 		if err != nil {
 			return nil, err

recipe/emailpassword/formFieldValidator_test.go

@@ -17,9 +17,17 @@
 package emailpassword
 
 import (
+	"bytes"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/supertokens/supertokens-golang/supertokens"
+	"github.com/supertokens/supertokens-golang/test/unittesting"
 )
 
 func TestDefaultEmailValidator(t *testing.T) {
@@ -56,3 +64,149 @@ func TestDefaultPasswordValidator(t *testing.T) {
 
 	assert.Equal(t, "Password must contain at least one alphabet", *defaultPasswordValidator("234235234523"))
 }
+
+func TestInvalidAPIInputForFormFields(t *testing.T) {
+	configValue := supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			APIDomain:     "api.supertokens.io",
+			AppName:       "SuperTokens",
+			WebsiteDomain: "supertokens.io",
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(nil),
+		},
+	}
+
+	BeforeEach()
+	unittesting.StartUpST("localhost", "8080")
+	defer AfterEach()
+	err := supertokens.Init(configValue)
+	if err != nil {
+		t.Error(err.Error())
+	}
+	mux := http.NewServeMux()
+	testServer := httptest.NewServer(supertokens.Middleware(mux))
+	defer testServer.Close()
+
+	objToJson := func(obj interface{}) []byte {
+		jsonBytes, err := json.Marshal(obj)
+		assert.NoError(t, err)
+		return jsonBytes
+	}
+
+	testCases := []struct {
+		input    interface{}
+		expected string
+	}{
+		{
+			input:    map[string]interface{}{},
+			expected: "Missing input param: formFields",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": "abcd",
+			},
+			expected: "formFields must be an array",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": []string{"hello"},
+			},
+			expected: "formFields must be an array of objects containing id and value of type string",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": []map[string]interface{}{
+					{
+						"hello": "world",
+					},
+				},
+			},
+			expected: "formFields must be an array of objects containing id and value of type string",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": []map[string]interface{}{
+					{
+						"id": 1,
+					},
+				},
+			},
+			expected: "formFields must be an array of objects containing id and value of type string",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": []map[string]interface{}{
+					{
+						"id":    1,
+						"value": "world",
+					},
+				},
+			},
+			expected: "formFields must be an array of objects containing id and value of type string",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": []map[string]interface{}{
+					{
+						"id":    "hello",
+						"value": 1,
+					},
+				},
+			},
+			expected: "formFields must be an array of objects containing id and value of type string",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": []map[string]interface{}{
+					{
+						"value": 1,
+					},
+				},
+			},
+			expected: "formFields must be an array of objects containing id and value of type string",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": []map[string]interface{}{
+					{
+						"id": "hello",
+					},
+				},
+			},
+			expected: "formFields must be an array of objects containing id and value of type string",
+		},
+		{
+			input: map[string]interface{}{
+				"formFields": []map[string]interface{}{
+					{
+						"value": "world",
+					},
+				},
+			},
+			expected: "formFields must be an array of objects containing id and value of type string",
+		},
+	}
+
+	APIs := []string{
+		"/auth/signup",
+		"/auth/signin",
+		"/auth/user/password/reset/token",
+		"/auth/user/password/reset",
+	}
+
+	for _, testCase := range testCases {
+		for _, api := range APIs {
+			resp, err := http.Post(testServer.URL+api, "application/json", bytes.NewBuffer(objToJson(testCase.input)))
+			assert.NoError(t, err)
+			assert.Equal(t, 500, resp.StatusCode)
+			data, err := ioutil.ReadAll(resp.Body)
+			assert.NoError(t, err)
+			errorMessage := strings.Trim(string(data), "\n \t")
+			assert.Equal(t, testCase.expected, errorMessage)
+		}
+	}
+}

supertokens/constants.go

@@ -21,7 +21,7 @@ const (
 )
 
 // VERSION current version of the lib
-const VERSION = "0.10.5"
+const VERSION = "0.10.6"
 
 var (
 	cdiSupported = []string{"2.8", "2.9", "2.10", "2.11", "2.12", "2.13", "2.14", "2.15", "2.16", "2.17", "2.18", "2.19", "2.20"}