fix vulnerabilities

.env.example

@@ -1,20 +1,40 @@
-
+#Database
 USER=
 PASSWORD=
 DB=
 HOST=
 
+
+#Port
 PORT=
 HOST=localhost
 APP_URL=http://localhost:3000
 NODE_ENV=development
 
+
+DEFAULTPROFILEPICLINK=
+
+#flutterwave
 PUBLICK_KEY=
 SECRET_KEY=
 APP_SECRET_KEY=
 
+#Email
+EMAIL=
+PASS=
+
+#aws
 AWSSecretKey=
 AWSAccessKeyId=
 
 
-CALLBACKURL=
+# Call back url for card creation and transaction 
+CALLBACKURL=
+URL=
+
+
+# Card Fee
+BASICC=
+UNLIMITEDC=
+SHAREDC=
+TRAVELC=

server/controllers/card.controller.js

@@ -460,6 +460,13 @@ const gift_card = catchAsync(async (req, res) => {
         })
     }
 
+    if(sender.id == reciever.id){
+        console.log('You can not gift card to yourself')
+        return res.json({
+            message: 'You can not Gift Card to Yourself',
+        })
+    }
+
     // Get User balance 
     const accountDetails = await getUserBalance(UserId);
     const { balance } = accountDetails.dataValues;
@@ -679,6 +686,32 @@ const reject_gift_card = catchAsync(async() => {
         },
     });
 
+});
+
+const get_all_user_gift_card = catchAsync(async (req, res) => {
+    const data = await model.GiftCards.findAll({
+        where: {
+            recipient: req.user.id,
+        }
+    });
+    return res.status(httpStatus.OK).send({
+        success: true,
+        message: 'List of all Card Gifted to you',
+        result: data,
+    });
+})
+
+const get_all_card_user_has_gifted = catchAsync(async (req, res) => {
+    const data = await model.GiftCards.findAll({
+        where: {
+            UserId: req.user.id,
+        }
+    });
+    return res.status(httpStatus.OK).send({
+        success: true,
+        message: 'List of all Card You have Gifted',
+        result: data,
+    });
 })
 
 module.exports = {
@@ -693,4 +726,6 @@ module.exports = {
     create_Vcard,
     accept_gift_card,
     reject_gift_card,
+    get_all_user_gift_card,
+    get_all_card_user_has_gifted,
 }

server/middlewares/auth-admin.js

@@ -0,0 +1,33 @@
+const httpStatus = require("http-status");
+// const db = require("../config/db");
+import model from '../models';
+
+
+const authAdmin = async (req, res, next) => {
+try {
+    const user = req.user;
+
+    const account = await model.Users.findOne({
+        where: {
+            id: user.id
+    }
+    });
+    //const wallet = await db("wallets").where("user_id", user.id).first();
+
+    if (account.banned) {
+        return response.status(403).json({ message: 'You are banned from this site.' });
+    }
+
+    if (account.role !== 'admin' && user.role !== 'superadmin') {
+        return response.status(403).json({ message: 'You are not allowed to access this resource.' });
+    }
+    next();
+    } catch (error) {
+        console.error("authAdmin Middleware Error ==>", error);
+        return res.status(httpStatus.INTERNAL_SERVER_ERROR).send(error);
+    }
+};
+
+module.exports = {
+    authAdmin,
+};

server/middlewares/auth-superadmin.js

@@ -0,0 +1,33 @@
+const httpStatus = require("http-status");
+// const db = require("../config/db");
+import model from '../models';
+
+
+const authSuperAdmin = async (req, res, next) => {
+try {
+    const user = req.user;
+
+    const account = await model.Users.findOne({
+        where: {
+            id: user.id
+    }
+    });
+    //const wallet = await db("wallets").where("user_id", user.id).first();
+
+    if (account.banned) {
+        return response.status(403).json({ message: 'You are banned from this site.' });
+    }
+
+    if (user.role !== 'superadmin') {
+        return response.status(403).json({ message: 'You are not allowed to access this resource.' });
+    }
+    next();
+    } catch (error) {
+        console.error("authSuperAdmin Middleware Error ==>", error);
+        return res.status(httpStatus.INTERNAL_SERVER_ERROR).send(error);
+    }
+};
+
+module.exports = {
+    authSuperAdmin
+}

server/middlewares/index.js

@@ -0,0 +1,2 @@
+module.exports.auth = require('./auth');
+module.exports.authAdmin = require('./auth-admin');

server/middlewares/set-wallet-pin.js

@@ -9,7 +9,7 @@ const setWalletPin = async (req, res, next) => {
 
     const wallet = await model.Wallets.findOne({
       where: {
-        userId: user.id
+        UserId: user.id
       }
     });
     //const wallet = await db("wallets").where("user_id", user.id).first();

server/models/user.js

@@ -52,7 +52,7 @@ const User = sequelize.define('Users', {
   },
   role: {
     type: DataTypes.ENUM({
-      values: ['ADMIN', 'USER', 'AMBASADOR', 'SUPERADMIN', 'BONUS']
+      values: ['admin', 'user', 'superadmin']
     }),
     defaultValue: 'USER',
   }

server/routes/card.route.js

@@ -1,18 +1,18 @@
 import express from 'express';
 import cardController from '../controllers/card.controller';
-const { auth } = require("../middlewares/auth");
+const { auth, authAdmin } = require("../middlewares");
 const { cardValidation } = require('../validations')
 
 const router = express.Router();
 
-router.get('/card/listcard', cardController.list_Vcard);
+router.get('/card/listcard', [auth, authAdmin], cardController.list_Vcard);
 
 router.post('/card/createcard', [auth, cardValidation.createCard], cardController.create_Vcard);
 
 //still need working in controller
 router.post('/card/fundcard', [auth], cardController.fund_Vcard);
 
-router.post('/card/pay', [auth], cardController.pay_Vcard);
+router.post('/card/pay', [auth, authAdmin], cardController.pay_Vcard);
 
     // Get a single card by id
 router.get('/card/getcard', [auth], cardController.get_Vcard);

server/routes/user.route.js

@@ -1,13 +1,13 @@
 const express = require("express");
 const userController = require("../controllers/user.controller");
 const { userValidation } = require("../validations");
-const { auth } = require("../middlewares/auth");
+const { auth, authAdmin } = require("../middlewares");
 
 const router = express.Router();
 
 router.post("/register", userValidation.register, userController.register);
 router.post("/login", userValidation.login, userController.login);
 router.get("/auth/profile", [auth], userController.getProfile);
-router.get("/getallusers", userController.getAllusers);
+router.get("/getallusers", [auth, authAdmin], userController.getAllusers);
 
 module.exports = router;

server/services/creatcard.service.js

@@ -29,7 +29,7 @@ const createCard = async (data, cardType, UserId) => {
                 },
                 });
 
-            if (checkCard.name == 'BASICC' || checkCard.expired == false) {
+            if (checkCard.name == 'BASICC' && checkCard.expired == false) {
                 return res.status(httpStatus.BAD_REQUEST).json({
                     success: false,
                     message: "ALready Subscribed To This Card",
@@ -78,7 +78,7 @@ const createCard = async (data, cardType, UserId) => {
                 },
                 });
 
-            if (ucheckCard.name == 'UNLIMITEDC' || checkCard.expired == false) {
+            if (ucheckCard.name == 'UNLIMITEDC' && checkCard.expired == false) {
                 return res.status(httpStatus.BAD_REQUEST).json({
                     success: false,
                     message: "ALready Subscribed To This Card",
@@ -131,7 +131,7 @@ const createCard = async (data, cardType, UserId) => {
                 },
                 });
 
-            if (fcheckCard.name == 'SHAREDC' || checkCard.expired == false) {
+            if (fcheckCard.name == 'SHAREDC' && checkCard.expired == false) {
                 return res.status(httpStatus.BAD_REQUEST).json({
                     success: false,
                     message: "ALready Subscribed To This Card",
@@ -180,7 +180,7 @@ const createCard = async (data, cardType, UserId) => {
                 },
                 });
 
-            if (tcheckCard.name == 'TRAVELC' || checkCard.expired == false) {
+            if (tcheckCard.name == 'TRAVELC' && checkCard.expired == false) {
                 return res.status(httpStatus.BAD_REQUEST).json({
                     success: false,
                     message: "ALready Subscribed To This Card",