diff --git a/src/api/endpoints/i/appdata/get.ts b/src/api/endpoints/i/appdata/get.ts index ccd8202531..47e1b8d202 100644 --- a/src/api/endpoints/i/appdata/get.ts +++ b/src/api/endpoints/i/appdata/get.ts @@ -1,6 +1,7 @@ /** * Module dependencies */ +import $ from 'cafy'; import Appdata from '../../../models/appdata'; /** @@ -14,10 +15,8 @@ import Appdata from '../../../models/appdata'; */ module.exports = (params, user, app, isSecure) => new Promise(async (res, rej) => { // Get 'key' parameter - let key = params.key; - if (key === undefined) { - key = null; - } + const [key = null, keyError] = $(params.key).optional.nullable.string().match(/[a-z_]+/).$; + if (keyError) return rej('invalid key param'); if (isSecure) { if (!user.data) { @@ -38,7 +37,9 @@ module.exports = (params, user, app, isSecure) => new Promise(async (res, rej) = const appdata = await Appdata.findOne({ app_id: app._id, user_id: user._id - }, select); + }, { + fields: select + }); if (appdata) { res(appdata.data); diff --git a/src/api/endpoints/i/appdata/set.ts b/src/api/endpoints/i/appdata/set.ts index 354935cb4c..6ba91cd804 100644 --- a/src/api/endpoints/i/appdata/set.ts +++ b/src/api/endpoints/i/appdata/set.ts @@ -1,6 +1,7 @@ /** * Module dependencies */ +import $ from 'cafy'; import Appdata from '../../../models/appdata'; import User from '../../../models/user'; import serialize from '../../../serializers/user'; @@ -16,17 +17,37 @@ import event from '../../../event'; * @return {Promise} */ module.exports = (params, user, app, isSecure) => new Promise(async (res, rej) => { - const data = params.data; - if (data == null) { - return rej('data is required'); + // Get 'set' parameter + const [set, setError] = $(params.set).optional.object() + .pipe(obj => { + return Object.entries(obj).some(kv => { + const k = kv[0]; + const v = kv[1]; + return $(k).string().match(/[a-z_]+/).isNg() && $(v).string().isNg(); + }); + }).$; + if (setError) return rej('invalid set param'); + + // Get 'key' parameter + const [key, keyError] = $(params.key).optional.string().match(/[a-z_]+/).$; + if (keyError) return rej('invalid key param'); + + // Get 'value' parameter + const [value, valueError] = $(params.value).optional.string().$; + if (valueError) return rej('invalid value param'); + + let data = {}; + if (set) { + data = set; + } else { + data[key] = value; } if (isSecure) { const _user = await User.findOneAndUpdate(user._id, { - $set: { - data: Object.assign(user.data || {}, JSON.parse(data)) - } + $set: { data } }); + res(204); // Publish i updated event @@ -35,10 +56,6 @@ module.exports = (params, user, app, isSecure) => new Promise(async (res, rej) = includeSecrets: true })); } else { - const appdata = await Appdata.findOne({ - app_id: app._id, - user_id: user._id - }); await Appdata.update({ app_id: app._id, user_id: user._id @@ -46,12 +63,11 @@ module.exports = (params, user, app, isSecure) => new Promise(async (res, rej) = app_id: app._id, user_id: user._id }, { - $set: { - data: Object.assign((appdata || {}).data || {}, JSON.parse(data)) - } + $set: { data } }), { upsert: true }); + res(204); } });