jd-apprentice · jd-apprentice · Feb 28, 2025 · Feb 28, 2025 · Feb 28, 2025
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -1,3 +1,7 @@
 {
     "editor.formatOnSave": true,
+    "sonarlint.connectedMode.project": {
+        "connectionId": "dyallab",
+        "projectKey": "jd-apprentice_waifuland-api"
+    },
 }
diff --git a/src/image/image-repository.ts b/src/image/image-repository.ts
@@ -1,8 +1,12 @@
+// External Modules
+import { Types } from 'mongoose';
+
 // Internal Modules
 import Image from './schema/image-schema';
-import Tag from '../tag/schema/tag-schema';
-import { hasTag } from '../common/utils/ref';
+import Tag from 'src/tag/schema/tag-schema';
+import { hasTag } from 'src/common/utils/ref';
 import { ImageProp } from './interfaces/image-interface';
+import { rollbar } from 'src/app/config/rollbar';
 
 class ImageRepository {
   /**
@@ -11,11 +15,18 @@ class ImageRepository {
    * @return { Promise<ImageProp> } - A new image created
    */
   async create(image: ImageProp): Promise<ImageProp> {
-    const tagExists = await Tag.findOne({ tag_id: { $eq: image.tag } });
+    const sanitizedTagId = image.tag.toString().trim();
+    if (!Types.ObjectId.isValid(sanitizedTagId)) {
+      rollbar.error('Invalid tag id');
+      throw new Error('Invalid tag id');
+    }
+
+    const tagExists = await Tag.findOne({ tag_id: sanitizedTagId });
     const _idTag = tagExists?._id;
+
     return Image.create({
       ...image,
-      tag: _idTag ?? image.tag,
+      tag: _idTag ?? image.tag, // Use validated tag or fallback
     });
   }
 

diff --git a/src/user/user-middleware.ts b/src/user/user-middleware.ts
@@ -24,10 +24,11 @@ const userExists = async (
   res: Response,
   next: NextFunction,
 ): Promise<MiddlewareUser> => {
-  const { username } = req.body;
+  const { username } = req.body as { username: string };
+  const sanitizedUsername = username.toString();
 
   try {
-    const user = await User.findOne({ username: { $eq: username } });
+    const user = await User.findOne({ username: { $eq: sanitizedUsername } });
 
     if (user) {
       return res.status(409).json({ error: 'User already exists' });
@@ -52,10 +53,23 @@ const validateUser = async (
   next: NextFunction,
 ): Promise<MiddlewareUser> => {
   try {
-    const { username, password } = req.body;
-    const user = await User.findOne({ username: { $eq: username } });
+    const { username, password } = req.body as {
+      username: string;
+      password: string;
+    };
+    const [sanitizedUsername, sanitizedPassword] = [
+      username.toString(),
+      password.toString(),
+    ];
 
-    if (user?.password && (await bcrypt.compare(password, user.password))) {
+    const user = await User.findOne({
+      $expr: { $eq: ['$username', sanitizedUsername] },
+    });
+
+    if (
+      user?.password &&
+      (await bcrypt.compare(sanitizedPassword, user.password))
+    ) {
       return next();
     }
 
@@ -75,10 +89,13 @@ const isAdmin = async (
   res: Response,
   next: NextFunction,
 ): Promise<MiddlewareUser> => {
-  const { username } = req.body;
+  const { username } = req.body as { username: string };
+  const sanitizedUsername = username.toString();
 
   try {
-    const user = await User.findOne({ username: { $eq: username } });
+    const user = await User.findOne({
+      $expr: { $eq: ['$username', sanitizedUsername] },
+    });
 
     if (user?.isAdmin) {
       return next();
@@ -104,9 +121,10 @@ const validateToken = async (
   try {
     const { authorization } = req.headers;
     const token = authorization?.replace('Bearer ', '');
+    if (!token) return res.status(401).json(boom.unauthorized());
     if (secret) {
-      const decoded = jwt.verify(token as string, secret);
-      return decoded ? next() : res.json(boom.unauthorized());
+      const decoded = jwt.verify(token, secret);
+      return decoded ? next() : res.status(401).json(boom.unauthorized());
     }
   } catch (error) {
     return res.status(401).json(boom.unauthorized());

diff --git a/src/user/user-repository.ts b/src/user/user-repository.ts
@@ -1,5 +1,6 @@
 // Internal Modules
-import User from '../user/schema/user-schema';
+import { rollbar } from 'src/app/config/rollbar';
+import User from 'src/user/schema/user-schema';
 import { IUser, UserPicture } from './interfaces/user-interface';
 
 class UserRepository {
@@ -8,6 +9,14 @@ class UserRepository {
    * @param {Iuser} user - user to be created
    */
   async create(user: IUser) {
+    const sanitizedUsername = user.username.toString();
+    const userExists = await this.findUserByUsername(sanitizedUsername);
+
+    if (userExists) {
+      rollbar.error('User already exists');
+      throw new Error('User already exists');
+    }
+
     return User.create(user);
   }
 
@@ -24,15 +33,17 @@ class UserRepository {
    * @param {string} id - id of the user
    */
   async findUser(id: string): Promise<IUser | null> {
-    return User.findOne({ _id: { $eq: id } });
+    const sanitizedId = id.toString();
+    return User.findOne({ $expr: { $eq: ['$_id', sanitizedId] } });
   }
 
   /**
    * @description Find a user by username
    * @param {string} username - username of the user
    */
   async findUserByUsername(username: string): Promise<IUser | null> {
-    return User.findOne({ username: { $eq: username } });
+    const sanitizedUsername = username.toString();
+    return User.findOne({ $expr: { $eq: ['$username', sanitizedUsername] } });
   }
 
   /**