Refactor user validation

Validate each user field for creation/modification via API and web UI
2025-09-15 18:57:04 +00:00 · 2021-01-03 21:20:21 -08:00 · 2021-01-03 21:20:21 -08:00 · e45cc2d2aa
commit e45cc2d2aa
parent 291bf96d15
40 changed files with 567 additions and 400 deletions
--- a/ui/form/settings.go
+++ b/ui/form/settings.go
@ -54,10 +54,6 @@ func (s *SettingsForm) Validate() error {
 		return errors.NewLocalizedError("error.settings_mandatory_fields")
 	}

-	if s.EntriesPerPage < 1 {
-		return errors.NewLocalizedError("error.entries_per_page_invalid")
-	}
-
 	if s.Confirmation == "" {
 		// Firefox insists on auto-completing the password field.
 		// If the confirmation field is blank, the user probably
@ -67,10 +63,6 @@ func (s *SettingsForm) Validate() error {
 		if s.Password != s.Confirmation {
 			return errors.NewLocalizedError("error.different_passwords")
 		}
-
-		if len(s.Password) < 6 {
-			return errors.NewLocalizedError("error.password_min_length")
-		}
 	}

 	return nil
--- a/ui/form/settings_test.go
+++ b/ui/form/settings_test.go
@ -61,21 +61,3 @@ func TestConfirmationIncorrect(t *testing.T) {
 		t.Error("Validate should return an error")
 	}
 }
-
-func TestEntriesPerPageNotValid(t *testing.T) {
-	settings := &SettingsForm{
-		Username:       "user",
-		Password:       "hunter2",
-		Confirmation:   "hunter2",
-		Theme:          "default",
-		Language:       "en_US",
-		Timezone:       "UTC",
-		EntryDirection: "asc",
-		EntriesPerPage: 0,
-	}
-
-	err := settings.Validate()
-	if err == nil {
-		t.Error("Validate should return an error")
-	}
-}
--- a/ui/form/user.go
+++ b/ui/form/user.go
@ -29,10 +29,6 @@ func (u UserForm) ValidateCreation() error {
 		return errors.NewLocalizedError("error.different_passwords")
 	}

-	if len(u.Password) < 6 {
-		return errors.NewLocalizedError("error.password_min_length")
-	}
-
 	return nil
 }

@ -55,15 +51,6 @@ func (u UserForm) ValidateModification() error {
 	return nil
 }

-// ToUser returns a User from the form values.
-func (u UserForm) ToUser() *model.User {
-	return &model.User{
-		Username: u.Username,
-		Password: u.Password,
-		IsAdmin:  u.IsAdmin,
-	}
-}
-
 // Merge updates the fields of the given user.
 func (u UserForm) Merge(user *model.User) *model.User {
 	user.Username = u.Username
--- a/ui/middleware.go
+++ b/ui/middleware.go
@ -177,10 +177,8 @@ func (m *middleware) handleAuthProxy(next http.Handler) http.Handler {
 			return
 		}

-		sess := session.New(m.store, request.SessionID(r))
 		clientIP := request.ClientIP(r)
-
-		logger.Info("[AuthProxy] Successful auth for %s", username)
+		logger.Info("[AuthProxy] [ClientIP=%s] Received authenticated requested for %q", clientIP, username)

 		user, err := m.store.UserByUsername(username)
 		if err != nil {
@ -189,16 +187,14 @@ func (m *middleware) handleAuthProxy(next http.Handler) http.Handler {
 		}

 		if user == nil {
+			logger.Error("[AuthProxy] [ClientIP=%s] %q doesn't exist", clientIP, username)
+
 			if !config.Opts.IsAuthProxyUserCreationAllowed() {
 				html.Forbidden(w, r)
 				return
 			}

-			user = model.NewUser()
-			user.Username = username
-			user.IsAdmin = false
-
-			if err := m.store.CreateUser(user); err != nil {
+			if user, err = m.store.CreateUser(&model.UserCreationRequest{Username: username}); err != nil {
 				html.ServerError(w, r, err)
 				return
 			}
@ -210,9 +206,11 @@ func (m *middleware) handleAuthProxy(next http.Handler) http.Handler {
 			return
 		}

-		logger.Info("[AuthProxy] username=%s just logged in", user.Username)
+		logger.Info("[AuthProxy] [ClientIP=%s] username=%s just logged in", clientIP, user.Username)

 		m.store.SetLastLogin(user.ID)
+
+		sess := session.New(m.store, request.SessionID(r))
 		sess.SetLanguage(user.Language)
 		sess.SetTheme(user.Theme)

--- a/ui/oauth2_callback.go
+++ b/ui/oauth2_callback.go
@ -103,12 +103,11 @@ func (h *handler) oauth2Callback(w http.ResponseWriter, r *http.Request) {
 			return
 		}

-		user = model.NewUser()
-		user.Username = profile.Username
-		user.IsAdmin = false
-		authProvider.PopulateUserWithProfileID(user, profile)
+		userCreationRequest := &model.UserCreationRequest{Username: profile.Username}
+		authProvider.PopulateUserCreationWithProfileID(userCreationRequest, profile)

-		if err := h.store.CreateUser(user); err != nil {
+		user, err = h.store.CreateUser(userCreationRequest)
+		if err != nil {
 			html.ServerError(w, r, err)
 			return
 		}
--- a/ui/settings_update.go
+++ b/ui/settings_update.go
@ -16,6 +16,7 @@ import (
 	"miniflux.app/ui/form"
 	"miniflux.app/ui/session"
 	"miniflux.app/ui/view"
+	"miniflux.app/validator"
 )

 func (h *handler) updateSettings(w http.ResponseWriter, r *http.Request) {
@ -51,8 +52,18 @@ func (h *handler) updateSettings(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if h.store.AnotherUserExists(loggedUser.ID, settingsForm.Username) {
-		view.Set("errorMessage", "error.user_already_exists")
+	userModificationRequest := &model.UserModificationRequest{
+		Username:       model.OptionalString(settingsForm.Username),
+		Password:       model.OptionalString(settingsForm.Password),
+		Theme:          model.OptionalString(settingsForm.Theme),
+		Language:       model.OptionalString(settingsForm.Language),
+		Timezone:       model.OptionalString(settingsForm.Timezone),
+		EntryDirection: model.OptionalString(settingsForm.EntryDirection),
+		EntriesPerPage: model.OptionalInt(settingsForm.EntriesPerPage),
+	}
+
+	if validationErr := validator.ValidateUserModification(h.store, loggedUser.ID, userModificationRequest); validationErr != nil {
+		view.Set("errorMessage", validationErr.TranslationKey)
 		html.OK(w, r, view.Render("settings"))
 		return
 	}
--- a/ui/static_manifest.go
+++ b/ui/static_manifest.go
@ -54,9 +54,9 @@ func (h *handler) showWebManifest(w http.ResponseWriter, r *http.Request) {
 		ThemeColor:      themeColor,
 		BackgroundColor: themeColor,
 		Icons: []webManifestIcon{
-			webManifestIcon{Source: route.Path(h.router, "appIcon", "filename", "icon-120.png"), Sizes: "120x120", Type: "image/png"},
-			webManifestIcon{Source: route.Path(h.router, "appIcon", "filename", "icon-192.png"), Sizes: "192x192", Type: "image/png"},
-			webManifestIcon{Source: route.Path(h.router, "appIcon", "filename", "icon-512.png"), Sizes: "512x512", Type: "image/png"},
+			{Source: route.Path(h.router, "appIcon", "filename", "icon-120.png"), Sizes: "120x120", Type: "image/png"},
+			{Source: route.Path(h.router, "appIcon", "filename", "icon-192.png"), Sizes: "192x192", Type: "image/png"},
+			{Source: route.Path(h.router, "appIcon", "filename", "icon-512.png"), Sizes: "512x512", Type: "image/png"},
 		},
 		ShareTarget: webManifestShareTarget{
 			Action:  route.Path(h.router, "bookmarklet"),
--- a/ui/user_save.go
+++ b/ui/user_save.go
@ -11,9 +11,11 @@ import (
 	"miniflux.app/http/response/html"
 	"miniflux.app/http/route"
 	"miniflux.app/logger"
+	"miniflux.app/model"
 	"miniflux.app/ui/form"
 	"miniflux.app/ui/session"
 	"miniflux.app/ui/view"
+	"miniflux.app/validator"
 )

 func (h *handler) saveUser(w http.ResponseWriter, r *http.Request) {
@ -50,8 +52,19 @@ func (h *handler) saveUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	newUser := userForm.ToUser()
-	if err := h.store.CreateUser(newUser); err != nil {
+	userCreationRequest := &model.UserCreationRequest{
+		Username: userForm.Username,
+		Password: userForm.Password,
+		IsAdmin:  userForm.IsAdmin,
+	}
+
+	if validationErr := validator.ValidateUserCreationWithPassword(h.store, userCreationRequest); validationErr != nil {
+		view.Set("errorMessage", validationErr.TranslationKey)
+		html.OK(w, r, view.Render("create_user"))
+		return
+	}
+
+	if _, err := h.store.CreateUser(userCreationRequest); err != nil {
 		logger.Error("[UI:SaveUser] %v", err)
 		view.Set("errorMessage", "error.unable_to_create_user")
 		html.OK(w, r, view.Render("create_user"))
--- a/ui/user_update.go
+++ b/ui/user_update.go
@ -17,13 +17,13 @@ import (
 )

 func (h *handler) updateUser(w http.ResponseWriter, r *http.Request) {
-	user, err := h.store.UserByID(request.UserID(r))
+	loggedUser, err := h.store.UserByID(request.UserID(r))
 	if err != nil {
 		html.ServerError(w, r, err)
 		return
 	}

-	if !user.IsAdmin {
+	if !loggedUser.IsAdmin {
 		html.Forbidden(w, r)
 		return
 	}
@ -45,9 +45,9 @@ func (h *handler) updateUser(w http.ResponseWriter, r *http.Request) {
 	sess := session.New(h.store, request.SessionID(r))
 	view := view.New(h.tpl, r, sess)
 	view.Set("menu", "settings")
-	view.Set("user", user)
-	view.Set("countUnread", h.store.CountUnreadEntries(user.ID))
-	view.Set("countErrorFeeds", h.store.CountUserFeedsWithErrors(user.ID))
+	view.Set("user", loggedUser)
+	view.Set("countUnread", h.store.CountUnreadEntries(loggedUser.ID))
+	view.Set("countErrorFeeds", h.store.CountUserFeedsWithErrors(loggedUser.ID))
 	view.Set("selected_user", selectedUser)
 	view.Set("form", userForm)