From 21daab109f5751163979784bac1ac405a5099b21 Mon Sep 17 00:00:00 2001
From: Cameron Clough
Date: Thu, 24 Mar 2022 13:51:39 +0000
Subject: [PATCH] bug fixes for useradmin
---
 src/server/controllers/devices.js | 4 ++--
 src/server/router/legacy.js | 7 +++++--
 src/server/router/useradmin.js | 24 +++++++++++++++---------
 3 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/src/server/controllers/devices.js b/src/server/controllers/devices.js
index 3f5f6d8..4aac54c 100644
--- a/src/server/controllers/devices.js
+++ b/src/server/controllers/devices.js
@@ -158,7 +158,7 @@ async function getAllDevicesFiltered() {
 async function updateLastPing(deviceId) {
 return Devices.update(
 { last_ping: Date.now() },
- { where: { [Op.or]: [{ id: deviceId }, { dongle_id: deviceId }] } },
+ { where: { dongle_id: deviceId } },
 );
 }
@@ -197,7 +197,7 @@ async function getOwnersFromDongle(dongleId) {
 }
 async function getDrives(dongleId, includeDeleted, includeMeta) {
- let query = { where: { dongle_id: dongleId } };
+ let query = { where: { dongle_id: dongleId }, order: [['created', 'DESC']] };
 if (!includeDeleted) {
 query = { ...query, where: { ...query.where, is_deleted: false } };
diff --git a/src/server/router/legacy.js b/src/server/router/legacy.js
index 351fdeb..3d1d03f 100644
--- a/src/server/router/legacy.js
+++ b/src/server/router/legacy.js
@@ -214,7 +214,8 @@ async function upload(req, res) {
 }
 const decoded = device.public_key
- ? await validateJWT(req.headers.authorization, device.public_key).catch(logger.error)
+ ? await validateJWT(req.headers.authorization, device.public_key)
+ .catch((err) => logger.error(err))
 : null;
 if ((!decoded || decoded.identity !== dongleId)) {
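Review bot: In `updateLastPing` the parameter is still named `deviceId` although the new `where` clause matches it against `dongle_id` only, so a caller that still passes the row `id` (which the removed `Op.or` branch accepted) now updates nothing and sees no error. Renaming the parameter, `async function updateLastPing(dongleId) {` with `{ where: { dongle_id: dongleId } },`, would match `getDrives(dongleId, …)` in the next hunk and make the expected identifier obvious. A short comment such as `// matches on dongle_id only; the row id is no longer accepted` would record the narrowed contract.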
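Review bot: In `upload`, the new `.catch((err) => logger.error(err))` on `validateJWT` turns every rejection into `undefined`, and the 401 that follows depends on that implicit value. A comment would make the fail-closed path explicit, for example `// a rejected token resolves to undefined and is refused by the !decoded check below`. Because this runs before the caller is authenticated, every bad or missing `Authorization` header is logged at error level. Consider a lower level for plain verification failures, and confirm the logged error does not echo the header value (what `validateJWT` puts in its error is not visible here). The same wrapper is added around `updateLastPing` in the next hunk of this file.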
@@ -222,7 +223,9 @@ async function upload(req, res) {
 return res.status(401).send('Unauthorized.');
 }
- await deviceController.updateLastPing(dongleId).catch(logger.error);
+ await deviceController
+ .updateLastPing(dongleId)
+ .catch((err) => logger.error(err));
 let responseUrl = null;
 const ts = Date.now(); // we use this to make sure old URLs cannot be reused (timeout after 60min)
diff --git a/src/server/router/useradmin.js b/src/server/router/useradmin.js
index 34aa7e0..54fe625 100644
--- a/src/server/router/useradmin.js
+++ b/src/server/router/useradmin.js
@@ -117,7 +117,7 @@ router.post('/register/token', bodyParser.urlencoded({ extended: true }), runAsy
 let infoText = '';
- if (req.body.token === undefined) { // email entered, token request
+ if (!req.body.token) { // email entered, token request
 infoText = 'Please check your inbox (SPAM) for an email with the registration token.
If the token was not delivered, please ask the administrator to check the server.log for the token generated for your email.

';
 await mailingController.sendEmailVerification(token, email);
@@ -259,7 +259,7 @@ router.post('/pair_device', [getAccount, bodyParser.urlencoded({ extended: true
 return;
 }
- const pairDevice = await deviceController.pairDevice(account, req.body.qrString);
+ const pairDevice = await deviceController.pairDevice(account, qrString);
 if (pairDevice.success === true) {
 res.redirect('/useradmin/overview');
 } else if (pairDevice.registered === true) {
@@ -283,9 +283,11 @@ router.get('/device/:dongleId', runAsyncWrapper(async (req, res) => {
 return res.redirect(`/useradmin?status=${encodeURIComponent('Invalid or expired session')}`);
 }
- const device = await deviceController.getDeviceFromDongleId(req.params.dongleId);
- if (device == null || device.account_id !== account.id) {
- return res.status(400).send('Unauthorized.');
+ const device = await deviceController.getDeviceFromDongleId(dongleId);
+ if (!device) {
+ return res.status(404).send('Not Found.');
+ } else if (device.account_id !== account.id) {
+ return res.status(401).send('Unauthorized.');
 }
 const drives = await deviceController.getDrives(device.dongle_id, false, true);
@@ -399,6 +401,7 @@ router.get('/device/:dongleId', runAsyncWrapper(async (req, res) => {
 return res.status(200).send(response);
 }));
+// TODO: move to user admin api?
 router.get('/drive/:dongleId/:driveIdentifier/:action', runAsyncWrapper(async (req, res) => {
 const account = await authenticationController.getAuthenticatedAccount(req);
 if (account == null) {
@@ -407,7 +410,7 @@ router.get('/drive/:dongleId/:driveIdentifier/:action', runAsyncWrapper(async (r
 const drive = await deviceController.getDrive(req.params.dongleId, req.params.driveIdentifier);
 if (drive == null) {
- return res.status(400).send('Unauthorized.');
+ return res.status(404).send('Not Found.');
 }
 const { action } = req.params;
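Review bot: In the `/register/token` handler, `if (!req.body.token)` only separates empty from non-empty values. With `bodyParser.urlencoded({ extended: true })` on this route the field can also arrive as an array or object, which is truthy and falls through to the token-verification branch. Normalising the type first keeps that branch to strings: `const submittedToken = typeof req.body.token === 'string' ? req.body.token : '';` followed by `if (!submittedToken) { // email entered, token request`. The unchanged info text also tells users the generated token can be read from `server.log`, so it is worth confirming who can read that log. The handler continues outside this hunk, so how the token is compared later is not visible.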
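Review bot: In `/device/:dongleId`, answering 404 for an unknown device and 401 for a device owned by another account lets any logged-in user tell which dongle IDs exist. The same split is added to `/drive/:dongleId/:driveIdentifier` in the last hunk of this file. One response for both cases avoids the leak: `if (!device || device.account_id !== account.id) {` then `return res.status(404).send('Not Found.');`. If the cases must stay distinct, 403 is the status for an authenticated caller without access, since 401 signals missing or invalid credentials. `dongleId` is not declared inside this hunk, so it is presumably destructured from `req.params` earlier in the handler.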
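Review bot: In `/drive/:dongleId/:driveIdentifier/:action`, no comparison against `account.id` is visible between the session check and `getDrive(req.params.dongleId, req.params.driveIdentifier)`. The sibling route in the last hunk checks `device.account_id !== account.id` before it loads the drive. Unless ownership is verified further down (the handler continues outside this hunk), an authenticated account could run the action on a drive that belongs to another account. The same guard would close that gap before `getDrive`: `const device = await deviceController.getDeviceFromDongleId(req.params.dongleId);` followed by `if (!device || device.account_id !== account.id) { return res.status(404).send('Not Found.'); }`.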
@@ -431,12 +434,15 @@ router.get('/drive/:dongleId/:driveIdentifier', runAsyncWrapper(async (req, res)
 }
 const device = await deviceController.getDeviceFromDongleId(req.params.dongleId);
- if (device == null || device.account_id !== account.id) {
- return res.status(400).send('Unauthorized.');
+ if (!device) {
+ return res.status(404).send('Not Found.');
+ } else if (device.account_id !== account.id) {
+ return res.status(401).send('Unauthorized.');
 }
+
 const drive = await deviceController.getDrive(req.params.dongleId, req.params.driveIdentifier);
 if (drive == null) {
- return res.status(400).send('Unauthorized.');
+ return res.status(404).send('Not Found.');
 }
 const dongleIdHash = crypto.createHmac('sha256', process.env.APP_SALT).update(device.dongle_id).digest('hex');