From 870f26096a6a94f84f408357554ecfcd72453140 Mon Sep 17 00:00:00 2001
From: ljf
Date: Mon, 15 Feb 2021 04:53:44 +0100
Subject: [PATCH] [fix] Check POST value

---
 server.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/server.py b/server.py
index 25ade8c..f8529e9 100644
--- a/server.py
+++ b/server.py
@@ -41,8 +41,12 @@ def get_publishable_key():
 def create_checkout_session():
     data = json.loads(request.data)
     domain_url = os.getenv('DOMAIN')
-    try:
+    if data['frequency'] not in ['RECURING', 'ONE_TIME'] or
+        data['currency'] not in ['EUR', 'USD'] or
+        int(data['quantity']) <= 0:
+        return jsonify(error="Bad value"), 400
+    # Create new Checkout Session for the order
     price = f"{data['frequency']}_{data['currency']}_DONATION"
     mode = "payment" if data['frequency'] == 'ONE_TIME' else "subscription"