From 746e44e86863f4913cf671da6fed135483ca9632 Mon Sep 17 00:00:00 2001
From: Sainan
Date: Mon, 23 Dec 2024 00:09:32 +0100
Subject: [PATCH] fix: avoid spilling new database account fields into login response
---
 src/controllers/api/loginController.ts | 43 ++++++++++++--------------
 src/types/loginTypes.ts | 28 ++++++++++-------
 2 files changed, 35 insertions(+), 36 deletions(-)
diff --git a/src/controllers/api/loginController.ts b/src/controllers/api/loginController.ts
index 7ef22e57..156f057a 100644
--- a/src/controllers/api/loginController.ts
+++ b/src/controllers/api/loginController.ts
@@ -7,11 +7,11 @@ import buildConfig from "@/static/data/buildConfig.json";
 import { toLoginRequest } from "@/src/helpers/loginHelpers";
 import { Account } from "@/src/models/loginModel";
 import { createAccount, isCorrectPassword } from "@/src/services/loginService";
-import { ILoginResponse } from "@/src/types/loginTypes";
+import { IDatabaseAccountDocument, ILoginResponse } from "@/src/types/loginTypes";
 import { DTLS, groups, HUB, platformCDNs } from "@/static/fixed_responses/login_static";
 import { logger } from "@/src/utils/logger";
-const loginController: RequestHandler = async (request, response) => {
+export const loginController: RequestHandler = async (request, response) => {
 // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-argument
 const body = JSON.parse(request.body); // parse octet stream of json data to json object
 const loginRequest = toLoginRequest(body);
@@ -39,21 +39,7 @@ const loginController: RequestHandler = async (request, response) => {
 Nonce: nonce
 });
 logger.debug("created new account");
- // eslint-disable-next-line @typescript-eslint/no-unused-vars
- const { email, password, LastLoginDay, ...databaseAccount } = newAccount;
- const newLoginResponse: ILoginResponse = {
- ...databaseAccount,
- Groups: groups,
- platformCDNs: platformCDNs,
- NRS: [config.myAddress],
- DTLS: DTLS,
- IRC: config.myIrcAddresses ?? [config.myAddress],
- HUB: HUB,
- BuildLabel: buildLabel,
- MatchmakingBuildId: buildConfig.matchmakingBuildId
- };
-
- response.json(newLoginResponse);
+ response.json(createLoginResponse(newAccount, buildLabel));
 return;
 } catch (error: unknown) {
 if (error instanceof Error) {
@@ -76,9 +62,22 @@ const loginController: RequestHandler = async (request, response) => {
 }
 await account.save();
- const { email, password, LastLoginDay, ...databaseAccount } = account.toJSON();
- const newLoginResponse: ILoginResponse = {
- ...databaseAccount,
+ response.json(createLoginResponse(account.toJSON(), buildLabel));
+};
+
+const createLoginResponse = (acct: IDatabaseAccountDocument, buildLabel: string): ILoginResponse => {
+ return {
+ id: acct.id,
+ DisplayName: acct.DisplayName,
+ CountryCode: acct.CountryCode,
+ ClientType: acct.ClientType,
+ CrossPlatformAllowed: acct.CrossPlatformAllowed,
+ ForceLogoutVersion: acct.ForceLogoutVersion,
+ AmazonAuthToken: acct.AmazonAuthToken,
+ AmazonRefreshToken: acct.AmazonRefreshToken,
+ ConsentNeeded: acct.ConsentNeeded,
+ TrackedSettings: acct.TrackedSettings,
+ Nonce: acct.Nonce,
 Groups: groups,
 platformCDNs: platformCDNs,
 NRS: [config.myAddress],
@@ -88,8 +87,4 @@ const loginController: RequestHandler = async (request, response) => {
 BuildLabel: buildLabel,
 MatchmakingBuildId: buildConfig.matchmakingBuildId
 };
-
- response.json(newLoginResponse);
 };
-
-export { loginController };
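Review bot: `createLoginResponse` in the `@@ -76,9 +62,22 @@` hunk carries no comment explaining why the account fields are copied one by one, so a later cleanup could fold them back into a `...acct` spread and reintroduce the leak this commit closes. I would put `// Explicit allow-list: do not spread the account document here, or every new database field is sent to the client.` directly above the `return {`. The list still returns `AmazonAuthToken`, `AmazonRefreshToken` and `Nonce` to the caller; that looks intended for the login protocol, but it is worth saying so in the same comment so the choice is visibly deliberate. The function's return object closes in the following hunk, outside this one.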
diff --git a/src/types/loginTypes.ts b/src/types/loginTypes.ts
index cfec7ad9..8b3fa880 100644
--- a/src/types/loginTypes.ts
+++ b/src/types/loginTypes.ts
@@ -1,4 +1,18 @@
-export interface ILoginResponse extends Omit {
+export interface IAccountAndLoginResponseCommons {
+ DisplayName: string;
+ CountryCode: string;
+ ClientType: string;
+ CrossPlatformAllowed: boolean;
+ ForceLogoutVersion: number;
+ AmazonAuthToken?: string;
+ AmazonRefreshToken?: string;
+ ConsentNeeded: boolean;
+ TrackedSettings: string[];
+ Nonce: number;
+}
+
+export interface ILoginResponse extends IAccountAndLoginResponseCommons {
+ id: string;
 Groups: IGroup[];
 BuildLabel: string;
 MatchmakingBuildId: string;
@@ -19,19 +33,9 @@ export interface IGroup {
 experimentGroup: string;
 }
-export interface IDatabaseAccount {
+export interface IDatabaseAccount extends IAccountAndLoginResponseCommons {
 email: string;
 password: string;
- DisplayName: string;
- CountryCode: string;
- ClientType: string;
- CrossPlatformAllowed: boolean;
- ForceLogoutVersion: number;
- AmazonAuthToken?: string;
- AmazonRefreshToken?: string;
- ConsentNeeded: boolean;
- TrackedSettings: string[];
- Nonce: number;
 LastLoginDay?: number;
 }
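Review bot: `IAccountAndLoginResponseCommons` in the first hunk is now the set of account fields that reaches the client, but nothing on the interface says so. Because `ILoginResponse` extends it, a field added here for storage becomes a required member of the login response, and the compiler will then ask for it in `createLoginResponse`. A doc comment such as `/** Account fields that are both stored and returned by login; database-only fields (email, password, LastLoginDay) belong on IDatabaseAccount. */` would keep secrets off this interface. The second hunk (`@@ -19,19 +33,9 @@`) relies on the same split and would benefit from a matching one-line comment on `IDatabaseAccount`.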