
Merge pull request #9818 from weseek/imprv/make-user-activation-middleware-securely

imprv: Make user activation middleware secure
mergify[bot] 1 год назад
Commit
c720b57bcc

+ 1 - 0
apps/app/src/interfaces/errors/user-activation.ts

@@ -1,5 +1,6 @@
 export const UserActivationErrorCode = {
   TOKEN_NOT_FOUND: 'token-not-found',
+  INVALID_TOKEN: 'token-is-invalid',
   USER_REGISTRATION_ORDER_IS_NOT_APPROPRIATE: 'user-registration-order-is-not-appropriate',
 } as const;
 

+ 8 - 1
apps/app/src/server/middlewares/inject-user-registration-order-by-token-middleware.ts

@@ -23,7 +23,14 @@ export default async(req: ReqWithUserRegistrationOrder, res: Response, next: Nex
     return next(createError(400, msg, { code: UserActivationErrorCode.TOKEN_NOT_FOUND }));
   }
 
-  const userRegistrationOrder = await UserRegistrationOrder.findOne({ token });
+  if (typeof token !== 'string') {
+    const msg = 'Invalid token format';
+    logger.error(msg);
+    return next(createError(400, msg, { code: UserActivationErrorCode.INVALID_TOKEN }));
+  }
+
+  // exec query safely with $eq
+  const userRegistrationOrder = await UserRegistrationOrder.findOne({ token: { $eq: token } });
 
   // check if the token is valid
   if (userRegistrationOrder == null || userRegistrationOrder.isExpired() || userRegistrationOrder.isRevoked) {
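Review bot: The `typeof token !== 'string'` guard added at lines 30–34 is the layer that keeps an object-valued query parameter out of the Mongo filter, yet the comment at line 36 credits `$eq` alone, so a later edit could drop either layer believing the other is sufficient. I would reword the comment to cover both: `// token must be a plain string (the query parser may turn bracketed params into objects); $eq additionally forces a value comparison so the token can never be read as an operator`. Logging a client-supplied malformed token with `logger.error` at line 32 lets unauthenticated requests fill the error log; `logger.warn(msg)` looks like the appropriate level for a 400 rejection, matching the severity of the response. The enclosing middleware starts before this hunk (the TOKEN_NOT_FOUND branch at line 26 is only partly visible) and continues past line 40, so I cannot tell whether the earlier check already narrows `token` in a way that would let the two guards be merged.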