Use async bcrypt operations and clarify SQL placeholder construction

This commit is contained in:
copilot-swe-agent[bot] 2026-07-02 02:14:45 +00:00 committed by GitHub
parent 633b0a79a0
commit c46fc7960d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 28 additions and 10 deletions

View file

@ -30,7 +30,12 @@ router.post('/register', (req, res) => {
return res.status(409).json({ success: false, message: "Username is already taken" }); return res.status(409).json({ success: false, message: "Username is already taken" });
} }
const hash = bcrypt.hashSync(password, 10); bcrypt.hash(password, 10, (err, hash) => {
if (err) {
console.error('Failed to hash password:', err.message);
return res.status(500).json({ success: false, message: "Internal server error" });
}
db.run(`INSERT INTO users (username, password) VALUES (?, ?)`, [username, hash], function (err) { db.run(`INSERT INTO users (username, password) VALUES (?, ?)`, [username, hash], function (err) {
if (err) { if (err) {
console.error('Failed to create user:', err.message); console.error('Failed to create user:', err.message);
@ -42,6 +47,7 @@ router.post('/register', (req, res) => {
res.json({ success: true, user: { id: this.lastID, username } }); res.json({ success: true, user: { id: this.lastID, username } });
}); });
}); });
});
}); });
router.post('/login', (req, res) => { router.post('/login', (req, res) => {
@ -57,7 +63,17 @@ router.post('/login', (req, res) => {
return res.status(500).json({ success: false, message: "Internal server error" }); return res.status(500).json({ success: false, message: "Internal server error" });
} }
if (!user || !bcrypt.compareSync(password, user.password)) { if (!user) {
return res.status(401).json({ success: false, message: "Invalid username or password" });
}
bcrypt.compare(password, user.password, (err, matches) => {
if (err) {
console.error('Failed to verify password:', err.message);
return res.status(500).json({ success: false, message: "Internal server error" });
}
if (!matches) {
return res.status(401).json({ success: false, message: "Invalid username or password" }); return res.status(401).json({ success: false, message: "Invalid username or password" });
} }
@ -65,6 +81,7 @@ router.post('/login', (req, res) => {
req.session.username = user.username; req.session.username = user.username;
res.json({ success: true, user: { id: user.id, username: user.username } }); res.json({ success: true, user: { id: user.id, username: user.username } });
}); });
});
}); });
router.post('/logout', (req, res) => { router.post('/logout', (req, res) => {

View file

@ -105,6 +105,7 @@ router.delete('/places/:placeId', loadOwnedPlace, (req, res) => {
const apIds = accessPoints.map(ap => ap.id); const apIds = accessPoints.map(ap => ap.id);
const deleteAclAndAp = (cb) => { const deleteAclAndAp = (cb) => {
if (apIds.length === 0) return cb(); if (apIds.length === 0) return cb();
// Build a `?` placeholder per id so all values stay parameterized; apIds never contains raw user input here.
const placeholders = apIds.map(() => '?').join(','); const placeholders = apIds.map(() => '?').join(',');
db.run(`DELETE FROM acl WHERE accessPoint IN (${placeholders})`, apIds, (err) => { db.run(`DELETE FROM acl WHERE accessPoint IN (${placeholders})`, apIds, (err) => {
if (err) return cb(err); if (err) return cb(err);