fix(backend): critical bug

2025-12-13 07:45:54 +00:00 · 2022-11-30 12:15:47 +01:00 · 2022-11-30 12:15:47 +01:00 · c0096aa26c
commit c0096aa26c
parent e00fe51017
2 changed files with 6 additions and 21 deletions
--- a/backend/src/graphql/resolver/TransactionResolver.test.ts
+++ b/backend/src/graphql/resolver/TransactionResolver.test.ts
@ -291,7 +291,6 @@ describe('send coins', () => {
      await cleanDB()
    })

-    /*
    describe('trying to send negative amount', () => {
      it('throws an error', async () => {
        expect(
@ -305,18 +304,15 @@ describe('send coins', () => {
          }),
        ).toEqual(
          expect.objectContaining({
-            errors: [new GraphQLError(`user hasn't enough GDD or amount is < 0`)],
+            errors: [new GraphQLError(`Amount to send must be positive`)],
          }),
        )
      })

      it('logs the error thrown', () => {
-        expect(logger.error).toBeCalledWith(
-          `user hasn't enough GDD or amount is < 0 : balance=null`,
-        )
+        expect(logger.error).toBeCalledWith(`Amount to send must be positive`)
      })
    })
-    */

    describe('good transaction', () => {
      it('sends the coins', async () => {
--- a/backend/src/graphql/resolver/TransactionResolver.ts
+++ b/backend/src/graphql/resolver/TransactionResolver.ts
@ -314,6 +314,10 @@ export class TransactionResolver {
    @Ctx() context: Context,
  ): Promise<boolean> {
    logger.info(`sendCoins(email=${email}, amount=${amount}, memo=${memo})`)
+    if (amount.lte(0)) {
+      logger.error(`Amount to send must be positive`)
+      throw new Error('Amount to send must be positive')
+    }

    // TODO this is subject to replay attacks
    const senderUser = getUser(context)
@ -324,22 +328,7 @@ export class TransactionResolver {

    // validate recipient user
    const recipientUser = await findUserByEmail(email)
-    /*
-    const emailContact = await UserContact.findOne({ email }, { withDeleted: true })
-    if (!emailContact) {
-      logger.error(`Could not find UserContact with email: ${email}`)
-      throw new Error(`Could not find UserContact with email: ${email}`)
-    }
-    */
-    // const recipientUser = await dbUser.findOne({ id: emailContact.userId })

-    /* Code inside this if statement is unreachable (useless by so), 
-    in findUserByEmail() an error is already thrown if the user is not found
-    */
-    if (!recipientUser) {
-      logger.error(`unknown recipient to UserContact: email=${email}`)
-      throw new Error('unknown recipient')
-    }
    if (recipientUser.deletedAt) {
      logger.error(`The recipient account was deleted: recipientUser=${recipientUser}`)
      throw new Error('The recipient account was deleted')