diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js index 659eb6e74e4ed5443941614a39f1071fa667febe..e75c239cc89dfb32ab9ba842aaaee16a9fefdefc 100644 --- a/browserid/lib/wsapi.js +++ b/browserid/lib/wsapi.js @@ -15,9 +15,7 @@ function checkParams(params) { if (req.method === "POST") { params_in_request = req.body; } else { - var getArgs = req.query; - req.get = getArgs; - params_in_request = getArgs; + params_in_request = req.query; } try { @@ -63,23 +61,24 @@ function setup(app) { * user via their claimed email address. Upon timeout expiry OR clickthrough * the staged user account transitions to a valid user account */ app.get('/wsapi/stage_user', checkParams([ "email", "pass", "pubkey", "site" ]), function(req, resp) { - var getArgs = req.get; // bcrypt the password - getArgs.hash = bcrypt.encrypt_sync(getArgs.pass, bcrypt.gen_salt_sync(10)); + // we should be cloning this object here. + var stageParams = req.query; + stageParams['hash'] = bcrypt.encrypt_sync(req.query.pass, bcrypt.gen_salt_sync(10)); try { // upon success, stage_user returns a secret (that'll get baked into a url // and given to the user), on failure it throws - var secret = db.stageUser(getArgs); + var secret = db.stageUser(stageParams); // store the email being registered in the session data if (!req.session) req.session = {}; // store inside the session the details of this pending verification req.session.pendingVerification = { - email: getArgs.email, - hash: getArgs.hash // we must store both email and password to handle the case where + email: stageParams.email, + hash: stageParams.hash // we must store both email and password to handle the case where // a user re-creates an account - specifically, registration status // must ensure the new credentials work to properly verify that // the user has clicked throught the email link. note, this salted, bcrypted @@ -90,7 +89,7 @@ function setup(app) { httputils.jsonResponse(resp, true); // let's now kick out a verification email! - email.sendVerificationEmail(getArgs.email, getArgs.site, secret); + email.sendVerificationEmail(stageParams.email, stageParams.site, secret); } catch(e) { // we should differentiate tween' 400 and 500 here. @@ -145,11 +144,10 @@ function setup(app) { app.get('/wsapi/authenticate_user', checkParams(["email", "pass"]), function(req, resp) { - var getArgs = req.get; - db.checkAuth(getArgs.email, getArgs.pass, function(rv) { + db.checkAuth(req.query.email, req.query.pass, function(rv) { if (rv) { if (!req.session) req.session = {}; - req.session.authenticatedUser = getArgs.email; + req.session.authenticatedUser = req.query.email; } httputils.jsonResponse(resp, rv); }); @@ -157,20 +155,18 @@ function setup(app) { // FIXME: need CSRF protection app.get('/wsapi/add_email', checkAuthed, checkParams(["email", "pubkey", "site"]), function (req, resp) { - var getArgs = req.get; - try { // upon success, stage_user returns a secret (that'll get baked into a url // and given to the user), on failure it throws - var secret = db.stageEmail(req.session.authenticatedUser, getArgs.email, getArgs.pubkey); + var secret = db.stageEmail(req.session.authenticatedUser, req.query.email, req.query.pubkey); // store the email being added in session data - req.session.pendingAddition = getArgs.email; + req.session.pendingAddition = req.query.email; httputils.jsonResponse(resp, true); // let's now kick out a verification email! - email.sendVerificationEmail(getArgs.email, getArgs.site, secret); + email.sendVerificationEmail(req.query.email, req.query.site, secret); } catch(e) { // we should differentiate tween' 400 and 500 here. httputils.badRequest(resp, e.toString()); @@ -202,8 +198,7 @@ function setup(app) { }); app.get('/wsapi/set_key', checkAuthed, checkParams(["email", "pubkey"]), function (req, resp) { - var getArgs = req.get; - db.addKeyToEmail(req.session.authenticatedUser, getArgs.email, getArgs.pubkey, function (rv) { + db.addKeyToEmail(req.session.authenticatedUser, req.query.email, req.query.pubkey, function (rv) { httputils.jsonResponse(resp, rv); }); }); @@ -236,9 +231,7 @@ function setup(app) { }); app.get('/wsapi/prove_email_ownership', checkParams(["token"]), function(req, resp) { - var getArgs = req.get; - - db.gotVerificationSecret(getArgs.token, function(e) { + db.gotVerificationSecret(req.query.token, function(e) { if (e) { console.log("error completing the verification: " + e); httputils.jsonResponse(resp, false);