feat(security): enhance input validation and security measures across various routes

2026-03-04 08:39:29 +01:00
parent ba096a31a2
commit e22a895672
13 changed files with 222 additions and 29 deletions


@@ -51,7 +51,7 @@ router.post('/users', authenticateToken, requireAdmin, async (req, res) => {
return res.status(409).json({ error: 'Username is already taken' });
}
const hash = bcrypt.hashSync(password, 12);
const hash = await bcrypt.hash(password, 12);
const result = await db.run(
'INSERT INTO users (name, display_name, email, password_hash, role, email_verified) VALUES (?, ?, ?, ?, ?, 1)',
[name, display_name, email.toLowerCase(), hash, validRole]
@@ -156,7 +156,7 @@ router.put('/users/:id/password', authenticateToken, requireAdmin, async (req, r
}
const db = getDb();
const hash = bcrypt.hashSync(newPassword, 12);
const hash = await bcrypt.hash(newPassword, 12);
await db.run('UPDATE users SET password_hash = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?', [hash, req.params.id]);
res.json({ message: 'Password reset' });
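Review bot: In the password-reset hunk the handler goes straight from the `UPDATE users SET password_hash = ?` statement to `res.json({ message: 'Password reset' })`, so nothing visible here revokes tokens or sessions issued under the old password; if an admin resets a password because an account is suspected to be compromised, a previously issued token would presumably stay valid until it expires. The handler starts and ends outside the hunk and `authenticateToken` is not shown, so this may already be handled elsewhere and is worth confirming. The result of `db.run` is also not checked in the visible lines, so unless the code above the hunk looks the user up first, a `req.params.id` that matches no row would still report success. Separately, the cost factor `12` is repeated as a literal in both `bcrypt.hash` calls (here and in the `POST /users` hunk); a shared constant such as `const BCRYPT_COST = 12;` would keep the two paths in step when the factor is raised.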