Move pagination limit/page query param validation to middleware & check for positive integer

2025-01-22 00:07:52 +01:00 · 2024-10-06 16:29:30 -05:00 · 2024-10-06 16:29:30 -05:00 · 64b78b5822
commit 64b78b5822
parent 8ba17db877
2 changed files with 24 additions and 22 deletions
--- a/client/components/app/BookShelfToolbar.vue
+++ b/client/components/app/BookShelfToolbar.vue
@ -479,8 +479,6 @@ export default {
        })
    },
    async fetchAllAuthors() {
-      const authors = []
-
      // fetch all authors from the server, in the order that they are currently displayed
      const response = await this.$axios.$get(`/api/libraries/${this.currentLibraryId}/authors?sort=${this.settings.authorSortBy}&desc=${this.settings.authorSortDesc}`)
      return response.authors
--- a/server/controllers/LibraryController.js
+++ b/server/controllers/LibraryController.js
@ -493,8 +493,8 @@ class LibraryController {
    const payload = {
      results: [],
      total: undefined,
-      limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
-      page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0,
+      limit: req.query.limit,
+      page: req.query.page,
      sortBy: req.query.sort,
      sortDesc: req.query.desc === '1',
      filterBy: req.query.filter,
@ -504,13 +504,6 @@ class LibraryController {
      include: include.join(',')
    }

-    if (!Number.isInteger(payload.limit) || payload.limit < 0) {
-      return res.status(400).send('Invalid request. Limit must be a positive integer')
-    }
-    if (!Number.isInteger(payload.page) || payload.page < 0) {
-      return res.status(400).send('Invalid request. Page must be a positive integer')
-    }
-
    payload.offset = payload.page * payload.limit

    // TODO: Temporary way of handling collapse sub-series. Either remove feature or handle through sql queries
@ -602,8 +595,8 @@ class LibraryController {
    const payload = {
      results: [],
      total: 0,
-      limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
-      page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0,
+      limit: req.query.limit,
+      page: req.query.page,
      sortBy: req.query.sort,
      sortDesc: req.query.desc === '1',
      filterBy: req.query.filter,
@ -674,8 +667,8 @@ class LibraryController {
    const payload = {
      results: [],
      total: 0,
-      limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
-      page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0,
+      limit: req.query.limit,
+      page: req.query.page,
      sortBy: req.query.sort,
      sortDesc: req.query.desc === '1',
      filterBy: req.query.filter,
@ -710,8 +703,8 @@ class LibraryController {
    const payload = {
      results: [],
      total: playlistsForUser.length,
-      limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
-      page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0
+      limit: req.query.limit,
+      page: req.query.page
    }

    if (payload.limit) {
@ -742,7 +735,7 @@ class LibraryController {
   * @param {Response} res
   */
  async getUserPersonalizedShelves(req, res) {
-    const limitPerShelf = req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) || 10 : 10
+    const limitPerShelf = req.query.limit || 10
    const include = (req.query.include || '')
      .split(',')
      .map((v) => v.trim().toLowerCase())
@ -815,7 +808,7 @@ class LibraryController {
      return res.status(400).send('Invalid request. Query param "q" must be a string')
    }

-    const limit = req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 12
+    const limit = req.query.limit || 12
    const query = asciiOnlyToLowerCase(req.query.q.trim())

    const matches = await libraryItemFilters.search(req.user, req.library, query, limit)
@ -873,7 +866,7 @@ class LibraryController {
   * @param {Response} res
   */
  async getAuthors(req, res) {
-    const isPaginated = req.query.limit && !isNaN(req.query.limit) && req.query.page && !isNaN(req.query.page)
+    const isPaginated = req.query.limit && !isNaN(req.query.limit) && !isNaN(req.query.page)

    const payload = {
      results: [],
@ -1147,8 +1140,8 @@ class LibraryController {

    const payload = {
      episodes: [],
-      limit: req.query.limit && !isNaN(req.query.limit) ? Number(req.query.limit) : 0,
-      page: req.query.page && !isNaN(req.query.page) ? Number(req.query.page) : 0
+      limit: req.query.limit,
+      page: req.query.page
    }

    const offset = payload.page * payload.limit
@ -1251,6 +1244,17 @@ class LibraryController {
      return res.status(404).send('Library not found')
    }
    req.library = library
+
+    // Ensure pagination query params are positive integers
+    for (const queryKey of ['limit', 'page']) {
+      if (req.query[queryKey] !== undefined) {
+        req.query[queryKey] = !isNaN(req.query[queryKey]) ? Number(req.query[queryKey]) : 0
+        if (!Number.isInteger(req.query[queryKey]) || req.query[queryKey] < 0) {
+          return res.status(400).send(`Invalid request. ${queryKey} must be a positive integer`)
+        }
+      }
+    }
+
    next()
  }
 }