Make compatible serialisers on script import

The new make_serialiser function allows you to import things to a
separate script and still use the standard secret key when making
serialisers.

During the process, we also realised we weren't salting values
properly, so thankfully that's been fixed! :P
Badri Sunderarajan 2023-03-12 14:09:23 +05:30
parent 11cefdada0
commit 295147ae86


@ -15,7 +15,7 @@ if (process.env.DEBUG || process.env.CROWDFUNDING_SITE_DEBUG) {
DEBUG = false
}
if (DEBUG) console.log('Starting website in debug mode')
if (DEBUG) console.log('Loading website in debug mode')
// set up secret key
let secretKey
@ -31,6 +31,11 @@ if (process.env.CROWDFUNDING_SITE_SECRET_KEY) {
}
}
// helper function to make the serialiser
function makeSerialiser(value) {
return URLSafeTimedSerializer(secretKey, {salt: value})
}
// set up nodemailer (if configured)
let mailer
let emailFrom
@ -490,7 +495,7 @@ router.post('/pledge', async (req, res) => {
}
// generate verification link
let serialiser = URLSafeTimedSerializer(secretKey, pledge.get('email'))
let serialiser = makeSerialiser(pledge.get('email'))
let verificationLink = `${req.protocol}://${req.hostname}/verify?email=${encodeURIComponent(pledge.get('email'))}&key=${encodeURIComponent(serialiser.dumps(pledge.get('amount')))}`
// send out the email, along with existing pledge deets
@ -528,7 +533,7 @@ router.get('/verify', async (req, res) => {
if (DEBUG) console.debug('Validating pledge:', req.query)
// unpack verification link (unless it's expired)
let serialiser = URLSafeTimedSerializer(secretKey, req.query.email)
let serialiser = makeSerialiser(req.query.email)
let amount
try {
@ -746,4 +751,5 @@ module.exports = {
Pledge,
UnverifiedPledge,
router,
makeSerialiser,
}
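Review bot: `makeSerialiser` hands `value` to the serialiser as the salt without checking its type, and in the `/verify` hunk that value is `req.query.email`, which can arrive as an array or object rather than a string (or be missing) depending on how the query string is written. How `URLSafeTimedSerializer` treats a non-string or undefined salt is not visible here, so I would reject it up front in the helper with `if (typeof value !== 'string' || value === '') throw new TypeError('salt must be a non-empty string')`. In `/verify` the call sits before the `try` (whose body continues outside the hunk), so it would need to move inside the `try` or be preceded by its own check that answers with a 400. Separately, because the salt actually applied changes with this commit, verification links mailed before deployment will presumably stop validating; that is worth stating in the commit message or release notes. A short JSDoc on the helper saying that the same `value` must be used for `dumps` and `loads` would also help the scripts that import it.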