fix: improved pagination validation

2019-06-23 16:11:15 -07:00 · 2019-06-23 16:11:15 -07:00 · 0a8a685c12
parent 32f83311f6
commit 0a8a685c12
2 changed files with 78 additions and 7 deletions
--- a/server/api/middlewares/pagination.js
+++ b/server/api/middlewares/pagination.js
@ -10,24 +10,39 @@ export default function pagination(options?: Object) {
  ) {
    const opts = {
      defaultLimit: 15,
+      defaultOffset: 0,
      maxLimit: 100,
      ...options,
    };

    let query = ctx.request.query;
-    let body = ctx.request.body;
-    // $FlowFixMe
-    let limit = parseInt(query.limit || body.limit, 10);
-    // $FlowFixMe
-    let offset = parseInt(query.offset || body.offset, 10);
-    limit = isNaN(limit) ? opts.defaultLimit : limit;
-    offset = isNaN(offset) ? 0 : offset;
+    let body: Object = ctx.request.body;
+    let limit = query.limit || body.limit;
+    let offset = query.offset || body.offset;
+
+    if (limit && isNaN(limit)) {
+      throw new InvalidRequestError(`Pagination limit must be a valid number`);
+    }
+    if (offset && isNaN(offset)) {
+      throw new InvalidRequestError(`Pagination offset must be a valid number`);
+    }
+
+    limit = parseInt(limit || opts.defaultLimit, 10);
+    offset = parseInt(offset || opts.defaultOffset, 10);

    if (limit > opts.maxLimit) {
      throw new InvalidRequestError(
        `Pagination limit is too large (max ${opts.maxLimit})`
      );
    }
+    if (limit <= 0) {
+      throw new InvalidRequestError(`Pagination limit must be greater than 0`);
+    }
+    if (offset < 0) {
+      throw new InvalidRequestError(
+        `Pagination offset must be greater than or equal to 0`
+      );
+    }

    ctx.state.pagination = {
      limit: limit,
--- a/server/api/middlewares/pagination.test.js
+++ b/server/api/middlewares/pagination.test.js
@ -0,0 +1,56 @@
+/* eslint-disable flowtype/require-valid-file-annotation */
+import TestServer from 'fetch-test-server';
+import app from '../../app';
+import { flushdb, seed } from '../../test/support';
+
+const server = new TestServer(app.callback());
+
+beforeEach(flushdb);
+afterAll(server.close);
+
+describe('#pagination', async () => {
+  it('should allow offset and limit', async () => {
+    const { user } = await seed();
+    const res = await server.post('/api/users.list', {
+      body: { token: user.getJwtToken(), limit: 1, offset: 1 },
+    });
+
+    expect(res.status).toEqual(200);
+  });
+
+  it('should not allow negative limit', async () => {
+    const { user } = await seed();
+    const res = await server.post('/api/users.list', {
+      body: { token: user.getJwtToken(), limit: -1 },
+    });
+
+    expect(res.status).toEqual(400);
+  });
+
+  it('should not allow non-integer limit', async () => {
+    const { user } = await seed();
+    const res = await server.post('/api/users.list', {
+      body: { token: user.getJwtToken(), limit: 'blah' },
+    });
+
+    expect(res.status).toEqual(400);
+  });
+
+  it('should not allow negative offset', async () => {
+    const { user } = await seed();
+    const res = await server.post('/api/users.list', {
+      body: { token: user.getJwtToken(), offset: -1 },
+    });
+
+    expect(res.status).toEqual(400);
+  });
+
+  it('should not allow non-integer offset', async () => {
+    const { user } = await seed();
+    const res = await server.post('/api/users.list', {
+      body: { token: user.getJwtToken(), offset: 'blah' },
+    });
+
+    expect(res.status).toEqual(400);
+  });
+});