From 224201ae2f1cdb01f2299c8ea58b58995758c851 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 6 Sep 2021 16:08:49 +0200
Subject: [PATCH] Validate 'from' and 'to' tokens in client /messages endpoint
---
 lib/architex/schema/room.ex | 13 ++++---------
 .../client/controllers/room_controller.ex | 4 ++--
 lib/architex_web/client/request/messages.ex | 2 ++
 3 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/lib/architex/schema/room.ex b/lib/architex/schema/room.ex
index 24de78d..85a14e2 100644
--- a/lib/architex/schema/room.ex
+++ b/lib/architex/schema/room.ex
@@ -69,7 +69,6 @@ defmodule Architex.Room do
 end
 def get_messages(room, %Messages{from: from, to: to, dir: dir, limit: limit}) do
- # TODO: Quaternion seems to show events in the wrong order?
 # TODO: Check 'from' and 'to' formats.
 limit = limit || 10
@@ -116,23 +115,19 @@ defmodule Architex.Room do
 defp get_start([], _), do: nil
- defp get_start([%Event{nid: first_nid} | _], "f") do
- Integer.to_string(first_nid)
- end
+ defp get_start([%Event{nid: first_nid} | _], "f"), do: first_nid
 defp get_start(events, "b") do
 %Event{nid: last_nid} = List.last(events)
- Integer.to_string(last_nid)
+ last_nid
 end
 defp get_end(events, limit, _) when length(events) < limit, do: nil
- defp get_end([%Event{nid: first_nid} | _], _, "f") do
- Integer.to_string(first_nid)
- end
+ defp get_end([%Event{nid: first_nid} | _], _, "f"), do: first_nid
 defp get_end(events, _, "b") do
 %Event{nid: last_nid} = List.last(events)
- Integer.to_string(last_nid)
+ last_nid
 end
 end
diff --git a/lib/architex_web/client/controllers/room_controller.ex b/lib/architex_web/client/controllers/room_controller.ex
index 68ec9b2..05e53fa 100644
--- a/lib/architex_web/client/controllers/room_controller.ex
+++ b/lib/architex_web/client/controllers/room_controller.ex
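Review bot: The context line `# TODO: Check 'from' and 'to' formats.` in get_messages is left standing even though this commit adds exactly that check through `validate_format/3` in lib/architex_web/client/request/messages.ex, so the comment is now stale and will send the next reader hunting for a validation that already exists. Replace it with a comment recording where the invariant is enforced, e.g. `# 'from'/'to' arrive pre-validated as digit-only strings by ArchitexWeb.Client.Request.Messages.` The only bound on `limit` visible in this patch is `greater_than: 0` in messages.ex, and `limit = limit || 10` supplies only the default, so a client can presumably request an arbitrarily large page; if nothing downstream caps it, a `min(limit, @max_limit)` here (with `@max_limit` as a module attribute you choose) or a `less_than_or_equal_to:` option in the changeset would keep one request from pulling a room's full history. get_messages's body continues past the end of the hunk.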
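Review bot: The rewritten get_start/get_end clauses now return the raw `nid` integer (or `nil`) instead of a string, and the only place that contract shows up is the controller hunk that wraps the value in `Integer.to_string/1`, so the two sides can silently drift apart. A one-line comment above `defp get_start([], _), do: nil` would pin it down, e.g. `# Both helpers return the boundary event's nid as an integer, or nil when there is none; the controller stringifies it for the wire.` The guard `length(events) < limit` walks the whole list on every call, which is harmless while `limit` stays small but worth remembering if the page size cap is ever raised. The enclosing `defmodule Architex.Room` starts outside the hunk.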
@@ -241,8 +241,8 @@ defmodule ArchitexWeb.Client.RoomController do
 {events, start, end_} = Room.get_messages(room, request)
 events = Enum.map(events, &Event.Formatters.for_client/1)
 data = %{chunk: events}
- data = if start, do: Map.put(data, :start, start), else: data
- data = if end_, do: Map.put(data, :end, end_), else: data
+ data = if start, do: Map.put(data, :start, Integer.to_string(start)), else: data
+ data = if end_, do: Map.put(data, :end, Integer.to_string(end_)), else: data
 conn
 |> put_status(200)
diff --git a/lib/architex_web/client/request/messages.ex b/lib/architex_web/client/request/messages.ex
index e02c7e3..b103365 100644
--- a/lib/architex_web/client/request/messages.ex
+++ b/lib/architex_web/client/request/messages.ex
@@ -17,5 +17,7 @@ defmodule ArchitexWeb.Client.Request.Messages do
 |> Architex.validate_not_nil([:from])
 |> validate_inclusion(:dir, ["b", "f"])
 |> validate_number(:limit, greater_than: 0)
+ |> validate_format(:from, ~r/^[0-9]*$/)
+ |> validate_format(:to, ~r/^[0-9]+$/)
 end
 end
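Review bot: The two new `validate_format/3` patterns anchor with `^` and `$`, and in Elixir (PCRE) regexes `$` also matches just before a trailing newline, so a token such as `"12\n"` satisfies `~r/^[0-9]+$/` and reaches get_messages even though it is not a clean integer; anchor with `\A` and `\z` instead: `|> validate_format(:from, ~r/\A[0-9]*\z/)` and `|> validate_format(:to, ~r/\A[0-9]+\z/)`. The `:from` pattern uses `*`, so the empty string passes the format check while `validate_not_nil([:from])` only rejects a missing value; if an empty token is meant to mean "start at the beginning" that deserves a comment on the line, otherwise `+` is the quantifier you want. Neither pattern bounds the magnitude, so an arbitrarily long digit string is still accepted; I can't see how `from`/`to` are consumed in get_messages, but if they are cast to a database integer column an out-of-range value would surface as a query error rather than a 400. The enclosing changeset function starts outside the hunk.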