diff --git a/CHANGELOG.md b/CHANGELOG.md
index b9e2869fa..eea9a1011 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,8 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
 
-- Adds validation to firstFactors name while creating tenants/apps/etc. to not allow special chars.
+- Adds validation to firstFactors and requiredSecondaryFactors names while creating tenants/apps/etc. to not allow
+  special chars.
 
 ## [9.2.2] - 2024-09-04
 
diff --git a/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java b/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
index e0eb9fb13..52d96136d 100644
--- a/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
+++ b/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
@@ -102,7 +102,7 @@ protected void handle(HttpServletRequest req, HttpServletResponse resp, TenantId
         // Apply updates based on CDI version
         tenantConfig = applyTenantUpdates(tenantConfig, getVersionFromRequest(req), isV2, input);
 
-        validateFirstFactorsName(tenantConfig);
+        validateFactorsName(tenantConfig);
 
         // Write tenant config to db
         createOrUpdate(req, sourceTenantIdentifier, tenantConfig);
@@ -939,15 +939,25 @@ private static TenantConfig applyTenantUpdates_5_0(TenantConfig tenantConfig, Js
         return tenantConfig;
     }
 
-    private static void validateFirstFactorsName(TenantConfig tenantConfig) throws ServletException {
-        if(tenantConfig.firstFactors != null && tenantConfig.firstFactors.length > 0) {
-            String allowedPattern = "^[0-9a-z-]+$";
-            for(String firstFactor: tenantConfig.firstFactors){
-                if(firstFactor != null && !firstFactor.matches(allowedPattern)){
-                    throw new ServletException(new BadRequestException("firstFactors should not contain only 0-9,a-z,- characters"));
+    private static void validateFactorsName(TenantConfig tenantConfig) throws ServletException{
+        if(!areFactorNamesValid(tenantConfig.firstFactors)){
+            throw new ServletException(new BadRequestException("firstFactors should contain only 0-9,a-z,A-Z,_,- characters"));
+        }
+        if(!areFactorNamesValid(tenantConfig.requiredSecondaryFactors)){
+            throw new ServletException(new BadRequestException("requiredSecondaryFactors should contain only 0-9,a-z,A-Z,_,- characters"));
+        }
+    }
+
+    private static boolean areFactorNamesValid(String[] factors) {
+        if(factors != null && factors.length > 0) {
+            String allowedPattern = "^[0-9a-zA-Z_-]+$";
+            for(String factor: factors){
+                if(factor != null && !factor.matches(allowedPattern)){
+                    return false;
                 }
             }
         }
+        return true;
     }
 
     private static TenantConfig applyV2TenantUpdates_5_1(TenantConfig tenantConfig, JsonObject input)
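Review bot: A `null` element in either factor array is silently skipped by `areFactorNamesValid` (the `factor != null &&` guard), so an input like `["emailpassword", null]` passes validation and reaches `createOrUpdate`; whether the JSON parsing layer can produce such an entry is not visible in this hunk, but if it can, the helper should reject rather than skip it: `if(factor == null || !factor.matches(allowedPattern)){ return false; }`. The pattern string is also recompiled on every `matches` call inside the loop; hoisting it to `private static final Pattern FACTOR_NAME = Pattern.compile("^[0-9a-zA-Z_-]+$");` (requires `java.util.regex.Pattern`) and testing with `FACTOR_NAME.matcher(factor).matches()` avoids that and gives the allowed set one named home. Note that the allowed set widened from `0-9a-z-` to also admit `A-Z` and `_`, which the CHANGELOG entry does not mention — if factor ids are compared case-sensitively elsewhere, names differing only by case would now be accepted as distinct, so confirm the loosening is intended and document it in a one-line Javadoc on `areFactorNamesValid` (e.g. "Returns true when every non-null factor id is ASCII alphanumeric, `_` or `-`; null or empty arrays are treated as valid"). Both new methods are complete within the hunk; only the enclosing class extends beyond it.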