Issue 246 fix - Unconditionally remove the hidden fields from incoming body in middlewares.js:handleParseHeaders

middlewares.js

@@ -28,47 +28,70 @@ function handleParseHeaders(req, res, next) {
 
   var fileViaJSON = false;
 
-  if (!info.appId || !cache.apps[info.appId]) {
-    // See if we can find the app id on the body.
-    if (req.body instanceof Buffer) {
-      // The only chance to find the app id is if this is a file
-      // upload that actually is a JSON body. So try to parse it.
-      req.body = JSON.parse(req.body);
-      fileViaJSON = true;
-    }
+  // See if we can find the app id on the body.
+  if (req.body instanceof Buffer) {
+    // The only chance to find the app id is if this is a file
+    // upload that actually is a JSON body. So try to parse it.
+    req.body = JSON.parse(req.body);
+    fileViaJSON = true;
+  }
 
-    if (req.body && req.body._ApplicationId
-    && cache.apps[req.body._ApplicationId]
-    && (
-      !info.masterKey
-      ||
-      cache.apps[req.body._ApplicationId]['masterKey'] === info.masterKey)
-    ) {
+  if (req.body && req.body._ApplicationId
+  && cache.apps[req.body._ApplicationId]
+  && (
+    !info.masterKey
+    ||
+    cache.apps[req.body._ApplicationId]['masterKey'] === info.masterKey)
+  ) {
+    if ((info.appId) && (info.appId !== req.body._ApplicationId))
+      return invalidRequest(req, res);
+    else if (!info.appId)
       info.appId = req.body._ApplicationId;
+
+    delete req.body._ApplicationId;
+
+    if ((info.javascriptKey) && (info.javascriptKey !== req.body._JavaScriptKey))
+      return invalidRequest(req, res);
+    else if (!info.javascriptKey)
       info.javascriptKey = req.body._JavaScriptKey || '';
-      delete req.body._ApplicationId;
-      delete req.body._JavaScriptKey;
-      // TODO: test that the REST API formats generated by the other
-      // SDKs are handled ok
-      if (req.body._ClientVersion) {
-        info.clientVersion = req.body._ClientVersion;
-        delete req.body._ClientVersion;
-      }
-      if (req.body._InstallationId) {
+
+    delete req.body._JavaScriptKey;
+
+    if (req.body._InstallationId) {
+      if ((info.installationId) && (info.installationId !== req.body._InstallationId))
+        return invalidRequest(req, res);
+      else if (!info.installationId)
         info.installationId = req.body._InstallationId;
-        delete req.body._InstallationId;
-      }
-      if (req.body._SessionToken) {
+
+      delete req.body._InstallationId;
+    }
+
+    if (req.body._SessionToken) {
+      if ((info.sessionToken) && (info.sessionToken !== req.body._SessionToken))
+        return invalidRequest(req, res);
+      else if (!info.sessionToken)
         info.sessionToken = req.body._SessionToken;
-        delete req.body._SessionToken;
-      }
-      if (req.body._MasterKey) {
+
+      delete req.body._SessionToken;
+    }
+
+    if (req.body._MasterKey) {
+      if ((info.masterKey) && (info.masterKey !== req.body._MasterKey))
+        return invalidRequest(req, res);
+      else if (!info.masterKey)
         info.masterKey = req.body._MasterKey;
-        delete req.body._MasterKey;
-      }
-    } else {
-      return invalidRequest(req, res);
+
+      delete req.body._MasterKey;
+    }
+
+    // TODO: test that the REST API formats generated by the other
+    // SDKs are handled ok
+    if (req.body._ClientVersion) {
+      info.clientVersion = req.body._ClientVersion;
+      delete req.body._ClientVersion;
     }
+  } else {
+    return invalidRequest(req, res);
   }
 
   if (fileViaJSON) {