From 4b7caa8a77cf620c760eb6a4553eb9158e4fc556 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn?=
Date: Thu, 18 Jun 2020 09:15:29 +0200
Subject: [PATCH] adding schema and escaping
---
package.json | 1 +
src/api/note.js | 8 ++++++--
src/bootstrap.js | 14 +++++++++-----
src/schemas/note.js | 43 +++++++++++++++++++++++++++++++++++++++++++
4 files changed, 59 insertions(+), 7 deletions(-)
create mode 100644 src/schemas/note.js
diff --git a/package.json b/package.json
index 24fdb470..498f7e06 100644
--- a/package.json
+++ b/package.json
@@ -12,6 +12,7 @@
"dependencies": {
"axios": "^0.19.2",
"crispy-css": "^3.0.0",
+ "escape-html": "^1.0.3",
"fastify": "^2.14.1",
"fastify-plugin": "^1.6.1",
"fastify-static": "^2.7.0",
diff --git a/src/api/note.js b/src/api/note.js
index 2dbf2167..91513333 100644
--- a/src/api/note.js
+++ b/src/api/note.js
@@ -1,4 +1,6 @@
const NoteRepository = require('../repositories/note.js')
+const schemas = require('../schemas/note.js')
+const escapeHtml = require('escape-html')
/**
* adding routes for Note
@@ -39,8 +41,10 @@ module.exports = async function (fastify, opts) {
* @param {object} reply
* @return {object}
*/
- fastify.post('/note', function(request, reply) {
+ fastify.post('/note', schemas.postSchema, function(request, reply) {
+ // escaping string
+ request.body.text = escapeHtml(request.body.text)
results = repository.add(request.body)
reply
@@ -58,7 +62,7 @@ module.exports = async function (fastify, opts) {
* @param {object} reply
* @return {object}
*/
- fastify.delete('/note/:id', function(request, reply) {
+ fastify.delete('/note/:id', schemas.deleteSchema, function(request, reply) {
repository.remove(request.params.id)
diff --git a/src/bootstrap.js b/src/bootstrap.js
index b050f5ba..2c15bce5 100644
--- a/src/bootstrap.js
+++ b/src/bootstrap.js
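Review bot: The new `request.body.text = escapeHtml(request.body.text)` line in the `/note` post handler HTML-encodes the note before it is handed to `repository.add`, so what is persisted is no longer the user's text, and any view layer that already encodes on output will show double-escaped entities; output encoding belongs where the text is inserted into HTML, not in storage. If escaping at write time is deliberate, the comment should say so instead of `// escaping string`: `// stored HTML-escaped: render as raw HTML, never re-escape`. The handler body continues outside the hunk, and the context line `results = repository.add(request.body)` assigns an undeclared name (an implicit global) that a `const` would fix while this function is being touched.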
@@ -9,10 +9,14 @@ fastify
.register(require('./static/index.js'))
// let it rain
-fastify.listen(3000, (error, address) => {
- if (error) {
- throw error
+const start = async () => {
+ try {
+ await fastify.listen(3000)
+ fastify.log.info(`server listening on ${fastify.server.address().port}`)
+ } catch (err) {
+ fastify.log.error(err)
+ process.exit(1)
}
+}
- fastify.log.info(`server listening on ${address}`)
-})
\ No newline at end of file
+start()
\ No newline at end of file
diff --git a/src/schemas/note.js b/src/schemas/note.js
new file mode 100644
index 00000000..c05e63b3
--- /dev/null
+++ b/src/schemas/note.js
@@ -0,0 +1,43 @@
+/**
+ * schemas for note-routes
+ *
+ * @author Björn Hase, Tentakelfabrik
+ * @license http://opensource.org/licenses/MIT The MIT License
+ * @link https://github.com/tentakelfabrik/fastify-lowdb-riotjs-lessons-learned
+ */
+
+const postSchema = {
+ schema: {
+ body: {
+ type: 'object',
+ required: ['text'],
+ properties: {
+ text: {
+ type: 'string'
+ }
+ },
+ additionalProperties: false
+ }
+ }
+}
+
+const deleteSchema = {
+ schema: {
+ params: {
+ type: 'object',
+ required: ['id'],
+ properties: {
+ id: {
+ type: 'string',
+ pattern: '^[a-zA-Z0-9]*$'
+ }
+ },
+ additionalProperties: false
+ }
+ }
+}
+
+module.exports = {
+ postSchema: postSchema,
+ deleteSchema: deleteSchema
+}
\ No newline at end of file
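Review bot: The success log inside `start` now prints only `fastify.server.address().port`, dropping the host that the removed callback's `address` argument carried; `fastify.listen` resolves with that same address string, so `const address = await fastify.listen(3000)` followed by the previous `server listening on ${address}` message keeps the log output unchanged. The bare `start()` call on the last line is a floating promise, which is only safe because every path inside is caught and ends in `process.exit(1)`; a `// errors are handled inside start()` comment on that line makes the intent explicit.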
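Review bot: The `id` pattern `'^[a-zA-Z0-9]*$'` in `deleteSchema` accepts the empty string because of the `*`; `pattern: '^[a-zA-Z0-9]+$'` (or an added `minLength: 1`) states what the route actually expects. `postSchema` puts no bound on `text`, so the only size limit is fastify's request body limit; `minLength: 1` and a `maxLength` sized for a note keep empty and oversized entries out of the repository. The header comment would also help a reader if it said that these objects are passed whole as the route options argument to `fastify.post`/`fastify.delete`, which is why each one is wrapped in a `schema` key.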