adding customer to orders

added helper method to get user from request via auth token
oguzhalit · Oct 14, 2014 · c340c77 · c340c77
1 parent 25e5ed2
commit c340c77
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/lib/insecurity.js b/lib/insecurity.js
@@ -49,5 +49,19 @@ exports.authenticatedUsers = {
  } else {
  return undefined;
  }
+ },
+ from: function(req) {
+ if (req.headers && req.headers.authorization) {
+ var parts = req.headers.authorization.split(' ');
+ if (parts.length == 2) {
+ var scheme = parts[0];
+ var token = parts[1];
+
+ if (/^Bearer$/i.test(scheme)) {
+ return this.get(token);
+ }
+ }
+ }
+ return undefined;
  }
 };
diff --git a/server.js b/server.js
@@ -97,7 +97,7 @@ var Challenge = sequelize.define('Challenges', {
 /* Challenges */
 var redirectChallenge, easterEggLevelOneChallenge, easterEggLevelTwoChallenge, directoryListingChallenge,
  loginAdminChallenge, loginJimChallenge, loginBenderChallenge, changeProductChallenge, csrfChallenge,
- errorHandlingChallenge, knownVulnerableComponentChallenge, negativeOrderChallenge
+ errorHandlingChallenge, knownVulnerableComponentChallenge, negativeOrderChallenge,
 
  localXssChallenge, persistedXssChallenge, basketChallenge, weakPasswordChallenge,
  adminSectionChallenge, scoreBoardChallenge, feedbackChallenge, unionSqlInjectionChallenge;
@@ -497,6 +497,7 @@ function createOrderPdf() {
  var id = req.params.id;
  Basket.find({where: {id: id}, include: [ Product ]})
  .success(function(data) {
+ var customer = insecurity.authenticatedUsers.from(req);
  var orderNo = insecurity.hash(new Date()+'_'+id);
  var pdfFile = 'order_' + orderNo + '.pdf';
  var doc = new PDFDocument;
@@ -505,8 +506,12 @@ function createOrderPdf() {
  doc.text('Juice-Shop - Order Confirmation');
  doc.moveDown();
  doc.moveDown();
+ doc.moveDown();
+ doc.text('Customer: ' + customer.data.email);
+ doc.moveDown();
  doc.text('Order #: ' + orderNo);
  doc.moveDown();
+ doc.moveDown();
  var totalPrice = 0;
  data.products.forEach(function(product) {
  var itemTotal = product.price*product.basketItem.quantity;
@@ -609,7 +614,6 @@ function loginUser() {
 function serveFiles() {
  return function(req, res, next) {
  var file = req.params.file;
- console.log(file);
  if (file && (utils.endsWith(file, '.md') || (utils.endsWith(file, '.pdf')))) {
  file = insecurity.cutOffPoisonNullByte(file);
  if (notSolved(easterEggLevelOneChallenge) && file.toLowerCase() === 'eastere.gg') {