From 11a2e94a04bf451a1b8411daa18d8f340a12a9c6 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 20 Dec 2019 16:39:15 +0100
Subject: travel API: more helpful errors on invalid input

---
 lib/Travelynx/Controller/Api.pm | 39 +++++++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)

(limited to 'lib/Travelynx')

diff --git a/lib/Travelynx/Controller/Api.pm b/lib/Travelynx/Controller/Api.pm
index f0fa5db..f95caa3 100755
--- a/lib/Travelynx/Controller/Api.pm
+++ b/lib/Travelynx/Controller/Api.pm
@@ -221,7 +221,7 @@ sub travel_v1 {
 	}
 
 	my $token = $self->get_api_token($uid);
-	if ( $api_token ne $token->{'travel'} ) {
+	if ( not $token->{'travel'} or $api_token ne $token->{'travel'} ) {
 		$self->render(
 			json => {
 				success    => \0,
@@ -240,6 +240,7 @@ sub travel_v1 {
 				success    => \0,
 				deprecated => \0,
 				error      => 'Missing or invalid action',
+				status     => $self->get_user_status_json_v1($uid)
 			},
 		);
 		return;
@@ -250,6 +251,25 @@ sub travel_v1 {
 		my $to_station   = sanitize( q{}, $payload->{toStation} );
 		my $train_id;
 
+		if (
+			not(
+				$from_station
+				and ( ( $payload->{train}{type} and $payload->{train}{no} )
+					or $payload->{train}{id} )
+			)
+		  )
+		{
+			$self->render(
+				json => {
+					success    => \0,
+					deprecated => \0,
+					error      => 'Missing fromStation or train data',
+					status     => $self->get_user_status_json_v1($uid)
+				},
+			);
+			return;
+		}
+
 		if ( exists $payload->{train}{id} ) {
 			$train_id = sanitize( 0, $payload->{train}{id} );
 		}
@@ -277,9 +297,8 @@ sub travel_v1 {
 					json => {
 						success    => \0,
 						deprecated => \0,
-						error      => 'Fehler am Abfahrtsbahnhof: '
-						  . $status->{errstr},
-						status => $self->get_user_status_json_v1($uid)
+						error      => 'Zug nicht gefunden',
+						status     => $self->get_user_status_json_v1($uid)
 					}
 				);
 				return;
@@ -319,6 +338,18 @@ sub travel_v1 {
 	elsif ( $payload->{action} eq 'checkout' ) {
 		my $to_station = sanitize( q{}, $payload->{toStation} );
 
+		if ( not $to_station ) {
+			$self->render(
+				json => {
+					success    => \0,
+					deprecated => \0,
+					error      => 'Missing toStation',
+					status     => $self->get_user_status_json_v1($uid)
+				},
+			);
+			return;
+		}
+
 		if ( $payload->{comment} ) {
 			$self->update_in_transit_comment(
 				sanitize( q{}, $payload->{comment} ), $uid );
-- 
cgit v1.2.3