Merged in release/2025-12-19 (pull request #2726)

IO-3473 trim user input
2025-12-19 17:10:39 +00:00
parent 6a8d22ed31 40263791b8
commit 517b98d288
1 changed files with 95 additions and 39 deletions
--- a/server/integrations/partsManagement/endpoints/partsManagementProvisioning.js
+++ b/server/integrations/partsManagement/endpoints/partsManagementProvisioning.js
@@ -77,9 +77,8 @@ const generateResetLink = async (email) => {
 */
 const ensureExternalIdUnique = async (externalId) => {
  const resp = await client.request(CHECK_EXTERNAL_SHOP_ID, { key: externalId });
-  if (resp.bodyshops.length) {
-    throw { status: 400, message: `external_shop_id '${externalId}' is already in use.` };
-  }
+
+  return !!resp.bodyshops.length;
 };

 /**
@@ -225,10 +224,25 @@ const patchPartsManagementProvisioning = async (req, res) => {
 */
 const partsManagementProvisioning = async (req, res) => {
  const { logger } = req;
-  const body = { ...req.body, userEmail: req.body.userEmail?.toLowerCase() };
+
+  // Trim and normalize email early
+  const body = {
+    ...req.body,
+    userEmail: req.body.userEmail?.trim().toLowerCase()
+  };
+
+  const trim = (value) => (typeof value === "string" ? value.trim() : value);
+  const trimIfString = (value) =>
+    value !== null && value !== undefined && typeof value === "string" ? value.trim() : value;

  try {
+    // Ensure email is present and trimmed before checking registration
+    if (!body.userEmail) {
+      throw { status: 400, message: "userEmail is required" };
+    }
+
    await ensureEmailNotRegistered(body.userEmail);
+
    requireFields(body, [
      "external_shop_id",
      "shopname",
@@ -242,28 +256,68 @@ const partsManagementProvisioning = async (req, res) => {
      "userEmail"
    ]);

-    // TODO add in check for early access
-    await ensureExternalIdUnique(body.external_shop_id);
+    // Trim all top-level string fields
+    const trimmedBody = {
+      ...body,
+      external_shop_id: trim(body.external_shop_id),
+      shopname: trim(body.shopname),
+      address1: trim(body.address1),
+      address2: trimIfString(body.address2),
+      city: trim(body.city),
+      state: trim(body.state),
+      zip_post: trim(body.zip_post),
+      country: trim(body.country),
+      email: trim(body.email),
+      phone: trim(body.phone),
+      timezone: trimIfString(body.timezone),
+      logoUrl: trimIfString(body.logoUrl),
+      userPassword: body.userPassword, // passwords should NOT be trimmed (preserves intentional spaces if any, though rare)
+      vendors: Array.isArray(body.vendors)
+        ? body.vendors.map((v) => ({
+            name: trim(v.name),
+            street1: trimIfString(v.street1),
+            street2: trimIfString(v.street2),
+            city: trimIfString(v.city),
+            state: trimIfString(v.state),
+            zip: trimIfString(v.zip),
+            country: trimIfString(v.country),
+            email: trimIfString(v.email),
+            cost_center: trimIfString(v.cost_center),
+            phone: trimIfString(v.phone),
+            dmsid: trimIfString(v.dmsid),
+            discount: v.discount ?? 0,
+            due_date: v.due_date ?? null,
+            favorite: v.favorite ?? [],
+            active: v.active ?? true
+          }))
+        : []
+    };

-    logger.log("admin-create-shop-user", "debug", body.userEmail, null, {
+    const duplicateCheck = await ensureExternalIdUnique(trimmedBody.external_shop_id);
+
+    if (duplicateCheck) {
+      throw { status: 400, message: `external_shop_id '${trimmedBody.external_shop_id}' is already in use.` };
+    }
+
+    logger.log("admin-create-shop-user", "debug", trimmedBody.userEmail, null, {
      request: req.body,
      ioadmin: true
    });

    const shopInput = {
-      shopname: body.shopname,
-      address1: body.address1,
-      address2: body.address2 || null,
-      city: body.city,
-      state: body.state,
-      zip_post: body.zip_post,
-      country: body.country,
-      email: body.email,
-      external_shop_id: body.external_shop_id,
-      timezone: body.timezone || DefaultNewShop.timezone,
-      phone: body.phone,
+      shopname: trimmedBody.shopname,
+      address1: trimmedBody.address1,
+      address2: trimmedBody.address2,
+      city: trimmedBody.city,
+      state: trimmedBody.state,
+      zip_post: trimmedBody.zip_post,
+      country: trimmedBody.country,
+      email: trimmedBody.email,
+      external_shop_id: trimmedBody.external_shop_id,
+      timezone: trimmedBody.timezone || DefaultNewShop.timezone,
+      phone: trimmedBody.phone,
      logo_img_path: {
-        src: body.logoUrl,
+        src: trimmedBody.logoUrl || null, // allow empty logo
        width: "",
        height: "",
        headerMargin: DefaultNewShop.logo_img_path.headerMargin
@@ -288,35 +342,37 @@ const partsManagementProvisioning = async (req, res) => {
      appt_alt_transport: DefaultNewShop.appt_alt_transport,
      md_jobline_presets: DefaultNewShop.md_jobline_presets,
      vendors: {
-        data: body.vendors.map((v) => ({
+        data: trimmedBody.vendors.map((v) => ({
          name: v.name,
-          street1: v.street1 || null,
-          street2: v.street2 || null,
-          city: v.city || null,
-          state: v.state || null,
-          zip: v.zip || null,
-          country: v.country || null,
-          email: v.email || null,
-          discount: v.discount ?? 0,
-          due_date: v.due_date ?? null,
-          cost_center: v.cost_center || null,
-          favorite: v.favorite ?? [],
-          phone: v.phone || null,
-          active: v.active ?? true,
-          dmsid: v.dmsid || null
+          street1: v.street1,
+          street2: v.street2,
+          city: v.city,
+          state: v.state,
+          zip: v.zip,
+          country: v.country,
+          email: v.email,
+          discount: v.discount,
+          due_date: v.due_date,
+          cost_center: v.cost_center,
+          favorite: v.favorite,
+          phone: v.phone,
+          active: v.active,
+          dmsid: v.dmsid
        }))
      }
    };

    const newShopId = await insertBodyshop(shopInput);
-    const userRecord = await createFirebaseUser(body.userEmail, body.userPassword);
+    const userRecord = await createFirebaseUser(trimmedBody.userEmail, trimmedBody.userPassword);
    let resetLink = null;
-    if (!body.userPassword) resetLink = await generateResetLink(body.userEmail);
+    if (!trimmedBody.userPassword) {
+      resetLink = await generateResetLink(trimmedBody.userEmail);
+    }

-    const createdUser = await insertUserAssociation(userRecord.uid, body.userEmail, newShopId);
+    const createdUser = await insertUserAssociation(userRecord.uid, trimmedBody.userEmail, newShopId);

    return res.status(200).json({
-      shop: { id: newShopId, shopname: body.shopname },
+      shop: { id: newShopId, shopname: trimmedBody.shopname },
      user: {
        id: createdUser.id,
        email: createdUser.email,
@@ -324,7 +380,7 @@ const partsManagementProvisioning = async (req, res) => {
      }
    });
  } catch (err) {
-    logger.log("admin-create-shop-user-error", "error", body.userEmail, null, {
+    logger.log("admin-create-shop-user-error", "error", body.userEmail || "unknown", null, {
      message: err.message,
      detail: err.detail || err
    });