
juice-shop / juice-shop / 21244612417

22 Jan 2026 10:16AM UTC coverage: 86.417% (+0.02%) from 86.393%
21244612417

push

github

web-flow
Merge pull request #3012 from HishamHR5/master

test: add validation for challenge tags against i18n keys

1303 of 1715 branches covered (75.98%)

Branch coverage included in aggregate %.

5460 of 6111 relevant lines covered (89.35%)

46.09 hits per line

Source File

85.71
/routes/currentUser.ts
/*
 * Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

import * as challengeUtils from '../lib/challengeUtils'
import { type Request, type Response } from 'express'
import { challenges } from '../data/datacache'
import * as security from '../lib/insecurity'

/**
 * Creates the Express handler that reports the currently logged-in user.
 *
 * The session token is read from the `token` cookie. When `security.verify`
 * accepts it, the matching entry of `security.authenticatedUsers` is used to
 * build the reply; otherwise (or on any exception) a user object whose fields
 * are all `undefined` is returned.
 *
 * Security notes for reviewers (both behaviours are tied to Juice Shop
 * challenges in the code below and are therefore kept as they are):
 *  - `?fields=` is caller-controlled and used as-is to pick properties from
 *    the stored user record. There is no allowlist, so `password` can be
 *    requested and ends up in the response. A hardened variant would
 *    intersect the requested names with a fixed set of public fields.
 *  - `?callback=` switches the reply to JSONP. Because authentication is
 *    cookie-based, a JSONP reply can be consumed by a page on another origin.
 *    A hardened variant would answer with plain JSON only.
 *
 * @returns an Express request handler; it writes the response itself and
 *          returns nothing.
 */
export function retrieveLoggedInUser () {
  return (req: Request, res: Response) => {
    const anonymous = { id: undefined, email: undefined, lastLoginIp: undefined, profileImage: undefined }
    // Start from the anonymous reply; it is only replaced once a verified
    // session has been turned into a user object without errors.
    let payload: any = { user: anonymous }

    try {
      const token = req.cookies.token
      if (security.verify(token)) {
        const session = security.authenticatedUsers.get(token)

        // `fields` is an optional comma-separated list of property names.
        // Absent or empty yields an empty list. A non-string value (e.g. a
        // repeated parameter) makes `.split` throw, which the catch below
        // turns into the anonymous reply.
        const rawFields = req.query?.fields as string | undefined
        const wanted = rawFields ? rawFields.split(',').map(name => name.trim()) : []

        let selected: any
        if (wanted.length === 0) {
          // Default projection: the standard fields, without `password`.
          selected = {
            id: session?.data?.id,
            email: session?.data?.email,
            lastLoginIp: session?.data?.lastLoginIp,
            profileImage: session?.data?.profileImage
          }
        } else {
          // Explicit projection: copy every requested property that is
          // defined on the stored record. Names are NOT validated here.
          selected = {}
          for (const name of wanted) {
            const value = session?.data[name as keyof typeof session.data]
            if (value === undefined) {
              continue
            }
            selected[name] = value
          }
        }

        payload = { user: selected }
      }
    } catch (err) {
      // Any failure while resolving the session degrades to "not logged in".
      payload = { user: anonymous }
    }

    // The password-hash-leak challenge counts as solved as soon as a
    // `password` value is about to leave the server in this response.
    challengeUtils.solveIf(challenges.passwordHashLeakChallenge, () => payload?.user?.password)

    if (req.query.callback !== undefined) {
      // Presence of `callback` alone solves the email-leak challenge and
      // makes Express emit the body as JSONP instead of JSON.
      challengeUtils.solveIf(challenges.emailLeakChallenge, () => { return true })
      res.jsonp(payload)
      return
    }

    res.json(payload)
  }
}