Do I need to use blocking when making requests?

M

miki1312016-03-27 18:14:51

MySQL

miki131, 2016-03-27 18:14:51

Is it possible to attack with parallel requests in the code below?
When I checked manually, everything was fine.

var
    knex        = require('knex')({ client: 'mysql', connection: config.DB }),
    bookshelf   = require('bookshelf')(knex);

var User = bookshelf.Model.extend({
    tableName: 'users'
});

var app = express();

app.all('/', function(req, res) {
    var data = req.query;

    data.sum = Math.abs(Math.ceil(data.sum)) || 0;

    if (!data.sum) return res.json({ status: 'error', code: 'sum' });

    User
        .where({id: data.id})
        .fetch()
        .then(function(user) {
            if (!user) return res.json({ status: 'error', code: 'user not found' });

            // если у пользователя достаточно на балансе, тогда делаем то что нам нужно
            if (user.get('balance') < data.sum) return res.json({ status: 'error', code: 'NO_BALANCE' });

            user
                .save({balance: user.get('balance') - data.sum}, {patched: true})
                .then(function(user) {
                    console.log('сняли', data.sum, 'новый баланс', user.get('balance'));
                    res.json({ status: 'success', balance: user.get('balance') });
                });
        })
});

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

D

Dmitry Belyaev, 2016-03-27
@bingo347

Blocking will be a crutch
And there is a vulnerability, starting with the fact that I can fake the amount debited