openassistive / OpenATBackend

Back end api for Open Assistive built using nodeJS.
https://api.openassistive.org

Need to verify format of input before /save #3

Closed willwade closed 7 years ago

willwade commented 7 years ago

No checking being done yet. Needs to happen once the format settles.

willwade commented 7 years ago

https://github.com/openassistive/OpenATBackend/blob/master/js/savejson/savejson.controller.js#L11

hosseinzoda commented 7 years ago

Also we need to verify the user before updating if the record exists. We can perform simple verification with email that project author has provided.

willwade commented 7 years ago

We actually don't have any user system at the moment. Not sure how we would do this or even if there is a need.

hosseinzoda commented 7 years ago

No need for user system. We can send an email with a code to author if it's not the first time submitting for save. Then they need to pass it at save.

hosseinzoda commented 7 years ago

Though there's no simple way to get author's email from the project.

hosseinzoda commented 7 years ago

Verifying with email is not going to work. Users can edit content between "get" and "save"; this is why invalid content can get in.

willwade commented 7 years ago

We can use CORS to limit access to the API from the frontend. And on the frontend maybe put a captcha? (Just to limit spam.)

hosseinzoda commented 7 years ago

Yeah. This is not very important right now. There are lots of ways to improve it. We can ask for email from user for verifying them on next save.

willwade commented 7 years ago

Leaving this here for note: https://www.npmjs.com/package/validate (need schema of the openat scheme written and then we can validate against that easy enough)

hosseinzoda commented 7 years ago

Validation notes

title, short_title, authors = required string
description = required markdown string; needs sanitization to prevent injecting scripts, iframes, etc.
datemod = a valid date and time in iso format https://en.wikipedia.org/wiki/ISO_8601
download_url, project_url = required valid url
license = optional string
tags = array of strings

This was my discovery. Please define others if I missed any.
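One way to turn the field rules listed above into a save-time check, as an added example that is not the project's own code: the rules (required strings, markdown description, ISO 8601 datemod, http(s) URLs, optional license, tags as strings) come from the notes, while the function names, the allowlist of raw HTML tags and the treatment of `datemod` and `tags` as optional are assumptions.

```javascript
// Dependency-free validator for the save-format fields from the notes above.
// Assumptions (not from the thread): function names, the allowlist of raw HTML
// tags accepted inside markdown, and datemod/tags being optional when absent.

// Raw HTML tags permitted inside the markdown description; anything else is
// rejected. This is a save-time guard only; the markdown must still be run
// through a real sanitizer (e.g. sanitize-html or DOMPurify) when rendered.
const ALLOWED_HTML_TAGS = new Set(['em', 'strong', 'code', 'pre', 'br']);
const ISO_8601 = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2})?)?$/;

const isNonEmptyString = (v) => typeof v === 'string' && v.trim().length > 0;

// Only http(s) URLs are accepted; javascript:, data:, file: etc. are refused.
function isHttpUrl(v) {
  if (typeof v !== 'string') return false;
  try {
    const u = new URL(v); // WHATWG URL, global in Node >= 10
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

function isIsoDateTime(v) {
  return typeof v === 'string' && ISO_8601.test(v) && !Number.isNaN(Date.parse(v));
}

// Markdown may carry raw HTML; every tag found must be on the allowlist.
function markdownIsSafe(v) {
  if (typeof v !== 'string') return false;
  const tags = v.match(/<\/?\s*([a-zA-Z][\w-]*)[^>]*>/g) || [];
  const nameOf = (t) => t.replace(/^<\/?\s*([a-zA-Z][\w-]*)[\s\S]*$/, '$1').toLowerCase();
  return tags.every((t) => ALLOWED_HTML_TAGS.has(nameOf(t)));
}

// Returns a list of error messages; an empty list means the record is acceptable.
function validateProject(p) {
  if (!p || typeof p !== 'object') return ['record must be an object'];
  const errors = [];
  for (const f of ['title', 'short_title', 'authors']) {
    if (!isNonEmptyString(p[f])) errors.push(`${f}: required string`);
  }
  if (!isNonEmptyString(p.description)) errors.push('description: required markdown string');
  else if (!markdownIsSafe(p.description)) errors.push('description: disallowed HTML');
  for (const f of ['download_url', 'project_url']) {
    if (!isHttpUrl(p[f])) errors.push(`${f}: required http(s) url`);
  }
  if (p.datemod !== undefined && !isIsoDateTime(p.datemod)) errors.push('datemod: must be ISO 8601');
  if (p.license !== undefined && typeof p.license !== 'string') errors.push('license: must be a string');
  if (p.tags !== undefined && !(Array.isArray(p.tags) && p.tags.every(isNonEmptyString))) {
    errors.push('tags: array of strings');
  }
  return errors;
}
```

Because the thread notes that content can be edited between "get" and "save", the check belongs in the `/save` handler itself, not only in the frontend.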

willwade commented 7 years ago

date: Will be created by backend (or if in the original format then fine - will read that)

hosseinzoda commented 7 years ago

Implemented

willwade commented 7 years ago

Great. Thanks for this. Just for documentation - can you point me in the direction where the schema is set?

hosseinzoda commented 7 years ago

Here. https://github.com/openassistive/OpenATBackend/commit/1202c41#diff-af81eb01f45a800449706ef402645e6aR10