pedrochaparro / loomies-backend Goto Github PK

Rewards are storing an _id field that isn't required:

1. Validate that the user account was verified.
2. Returns the user non-sensible information.
3. Returns a JWT (Access token) in the JSON response. The TTL shouldn't be short, 1 month should be OK.

• Solo utilizar los loomies de tipo común.
• Generar los loomies con las stats base.

If you signed in as [email protected] submitting [email protected] will be rejected.

The reset password functionality implemented in #70 . Has a serious security vulnerability that allows users to steal other user's accounts.

How to reproduce

Consider we have two users:

{
	name: Foo,
	email: [email protected],
	...
}
{
	name: Bar,
	email: [email protected],
	...
}

1. Login normally as Foo.
2. Request a password change (as per #70 ):

POST /user/password/code
{
	"email": "[email protected]"
}

3. Get the code in your email.
4. Send the confirmation password change request (as per #70 ) but this time specify Bar's mail address instead:

PUT /user/password
{
	"resetPassCode":"123456",
	"email":"[email protected]",
	"password":"NewPassword1!"
}

5. Now you should be able to login to Bar's account, effectively stealing it:

POST /session/login
{
	"email":"[email protected]",
	"password":"NewPassword1!"
}

Response:

{

	"error": false,
	"message": "Successfully logged in",
	"accessToken": ...,
	"refreshToken": ...,
	"user": ...
}

This recently opened PR PedroChaparro/loomies-mobile#53 makes it easier to see it.

• The problem is not with the web socket connection, the problem is with the gyms_challenges_register collection.

I'm not sure if this can be reproduced again but happened to me (I had to manually update the entry in the database).

@andres123dbh has a problem with the docker-compose file. Original comment was created in #29.

Players should be able to change the Loomies that are protecting their gyms.

I've create this issue in order to track the different fixes / improvements required for the combat system.

• The timeout for inactivity is too short. Maybe increase it somewhere around 5 minutes.
• Token can be obtained from far gyms: When fetching /combat/register you can specify any gym even if it is out of reach; a token will be received and this token will fail when trying to enter the actual combat.
• There is no dedicated Message type when the combat ends, timeout.
• The Message types for using items in combat are not documented in the Markdown file loomies-backend/api/combat/MESSAGES_TYPES.md. (Added in #98 )
• An user can combat multiple gyms simultaneously. Fixed in #114
• The amount of Loomies the enemy gym has left should be sent along regular updates, events such as when a Loomie is weakened. Fixed in #120
• The user can register a combat with a gym (combat/register) even when having no Loomies on his team. (A token will be returned but it will fail when trying to enter the actual combat). Fixed in #120
• When an attack is executed successfully also return if it was very effective or just normal. Fixed in #120.
• When successfully using an item return the item serial as well. Fixed in #120.
• Add a new message type for when an item cannot be applied. Specifying item serial and reason as enum. Fixed in #120. Ex.

{
  "type": "ERROR_USING_ITEM",
  "payload": {
    "item_serial": string,
    "error_reason": USER_ALREADY_HEALED, 
  }
}

• Players can attack gyms owned by themselves.
• When a Loomie is weakened also send the damage dealt (full damage). Fixed in #127.
• Wait a few seconds between GYM/USER_LOOMIE_WEAKENED and UPDATE_GYM/USER_LOOMIE. And in the meantime don't receive user/gym attacks. Fixed in #127.
• Send a boolean indicating if the user owns the gym on endpoint GET gyms/{id}

Problem

The users collection has some fields that, although they depend on the user, do not belong directly to the collection:

Proposed solution

Create a new collection to store the verification codes and password reset codes.

1. Endpoint para enviar el código de verificación.
2. Endpoint para recibir el código de verificación generado y la nueva contraseña.

Problem

The /loomies/near endpoint doesn't distinguish "outdated" Loomies.

Proposed solution

1. Check the expiration time in the /loomies/near model.
2. Create an script to remove "outdated" loomies automatically.

Note: This issue was initially identified by @Woynert.

• Loomies: Definir salud, defensa, y daño base.
• Pokeballs: Tipos y probabilidad de captura.
• Items aplicables a Loomies: Contexto, efectos.

Está información puede encontrarse en Notion Pokemon Data.