Skip to content

hw week 5#9

Open
ryancfields wants to merge 1 commit into
pce-uw-jscript400:masterfrom
JSArchive:fields-w5
Open

hw week 5#9
ryancfields wants to merge 1 commit into
pce-uw-jscript400:masterfrom
JSArchive:fields-w5

Conversation

@ryancfields

Copy link
Copy Markdown

No description provided.

@bwreid bwreid left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, nice job! Error handling looks great, just a bit of work needed to some of the routes.

Comment thread api/routes/auth.js
if (!user) throw new Error('Username could not be found.')

const validPassword = await bcrypt.compare(password, user.password)
if (!validPassword) throw new Error('Password is incorrect.')

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'll want to give the same errors in either case. Otherwise, it's easier for someone to "guess" at a valid username.

Comment thread api/routes/auth.js
const user = await User.findOne({ _id: validToken.id })

//Check for valid token
if (!tokenValidate) { res.status(401).json({ status, response: 'Token is not valid.' })}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably be validToken instead, right?

Comment thread api/routes/auth.js
if (!user.admin == true) { res.status(400).json({ status, response: 'User is not an Admin.' })

//Try and see if user can be found,
if (!user == null) {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This statement is a bit odd. I think what you want here is if (!user).

Comment thread api/routes/auth.js
//Try and see if user can be found,
if (!user == null) {
user.admin = req.body.admin
const user = await User.save

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be:

await user.save()

Comment thread api/routes/books.js

return payload
}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could just export this function so you don't need to copy it everywhere!

Comment thread api/routes/books.js
const response = await Book.find().select('-__v')
} else {
status = 401
}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd be surprised if this worked? For this route, it's OK to let anyone request this information. But, it also looks like response won't be defined in the case the user is not an admin.

Comment thread api/routes/books.js
validToken = tokenValidate(req);
const user = await User.findOne({ _id: validToken.id })

if (!user.admin == true) {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is the opposite of what you want. We only want the user to be able to create a book if they are an admin. So, I think we just need if (user.admin) here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants