From 1d4f08ecf668c44399ddf734de6b3febb3be341e Mon Sep 17 00:00:00 2001
From: Thegan Govender
Date: Thu, 1 Jun 2023 19:05:12 +0200
Subject: [PATCH] Security Patch

This addresses issue #44 and #42
---
 backend/auth.js | 11 ++++++++---
 backend/server.js | 2 +-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/backend/auth.js b/backend/auth.js
index 974a8fa..d5ea615 100644
--- a/backend/auth.js
+++ b/backend/auth.js
@@ -3,7 +3,11 @@ const db = require("./db");
 const jwt = require('jsonwebtoken');
-const JWT_SECRET = process.env.JWT_SECRET ||'my-secret-jwt-key';
+const JWT_SECRET = process.env.JWT_SECRET;
+if (JWT_SECRET === undefined) {
+ console.log('JWT Secret cannot be undefined');
+ process.exit(1); // end the program with error status code
+}
 const router = express.Router();
@@ -13,8 +17,9 @@ router.post('/login', async (req, res) => {
 try{
 const { username, password } = req.body;
-const { rows : login } = await db.query(`SELECT * FROM app_config where ("APP_USER"='${username}' and "APP_PASSWORD"='${password}') OR "REQUIRE_LOGIN"=false`);
-
+const query = 'SELECT * FROM app_config WHERE ("APP_USER" = $1 AND "APP_PASSWORD" = $2) OR "REQUIRE_LOGIN" = false';
+const values = [username, password];
+const { rows: login } = await db.query(query, values);
 if(login.length>0) {
 const user = { id: 1, username: username };
diff --git a/backend/server.js b/backend/server.js
index 31bb906..4db97a1 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -23,7 +23,7 @@ const db = knex(knexConfig.development);
 const PORT = process.env.PORT || 3003;
 const LISTEN_IP = '127.0.0.1';
-const JWT_SECRET = process.env.JWT_SECRET ||'my-secret-jwt-key';
+const JWT_SECRET = process.env.JWT_SECRET;
 if (JWT_SECRET === undefined) {
 console.log('JWT Secret cannot be undefined');
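Review bot: The new guard on `JWT_SECRET` in backend/auth.js only rejects `undefined`, so an empty or whitespace-only value (for example `JWT_SECRET=` in an env file) passes the check and the process starts with an unusable or trivially guessable signing key; tighten it to `if (!JWT_SECRET || JWT_SECRET.trim().length === 0) {` and consider a minimum-length check as well, since jsonwebtoken defaults to HS256 where the key should be at least 32 bytes. The failure message goes to stdout through `console.log`; `console.error` would put it on stderr alongside the non-zero exit status. The same read-and-validate logic already exists in backend/server.js (third hunk), so both modules now interpret the variable independently and can drift; a single config module that validates once and exports the secret would remove the duplication.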
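Review bot: The parameterized query removes the injection, but `"APP_PASSWORD" = $2` still asks the database to compare the submitted password by equality, which only works if app_config stores the password in clear text; the handler should select the row by username alone and verify the password in application code against a salted hash (bcrypt or argon2, neither of which is imported here) so that a database read never yields usable credentials. `username` and `password` are taken from `req.body` without a type check, so a JSON object or array reaches the driver as a parameter; add `if (typeof username !== 'string' || typeof password !== 'string') return res.status(400).end();` before the query. The `$1`/`$2` placeholders are node-postgres syntax, which is fine if `./db` wraps a pg pool, but server.js builds a knex instance in the same patch, so it is worth confirming both modules use the same driver. The `router.post('/login', …)` handler starts before and continues past this hunk.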