diff --git a/src/routes/profile.js b/src/routes/profile.js
index a384b8844..ee38e4ddc 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -64,6 +64,14 @@ async function update(req, res, next) {
  const data = _.pick(req.body, 'email', 'fallbackEmail', 'displayName');
+ // for fallbackEmail we check the password
+ if (data.fallbackEmail) {
+ if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string'));
+
+ const [verifyError] = await safe(users.verify(req.user.id, req.body.password, users.AP_WEBADMIN));
+ if (verifyError) return next(BoxError.toHttpError(verifyError));
+ }
+
  const [error] = await safe(users.update(req.user, data, auditSource.fromRequest(req)));
  if (error) return next(BoxError.toHttpError(error));
diff --git a/src/routes/test/profile-test.js b/src/routes/test/profile-test.js
index 586182bbb..ccb4e809d 100644
--- a/src/routes/test/profile-test.js
+++ b/src/routes/test/profile-test.js
@@ -115,7 +115,7 @@ describe('Profile API', function () {
  it('change email succeeds', async function () {
  const response = await superagent.post(`${serverUrl}/api/v1/profile`)
  .query({ access_token: owner.token })
- .send({ email: 'newemail@example.Com', fallbackEmail: 'NewFallbackemail@example.com' });
+ .send({ email: 'newemail@example.Com' });
  expect(response.statusCode).to.equal(204);
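Review bot: The new guard `if (data.fallbackEmail)` is a truthiness check, so a request carrying `fallbackEmail: ''` (clearing the address, if users.update accepts that) reaches `users.update` without the password ever being verified; removing a recovery address is at least as sensitive as replacing it, so gate on presence instead: `if (data.fallbackEmail !== undefined) {`. The check also makes this route a second password-verification surface, so it should sit under the same rate limiting or lockout as the login path — the hunk does not show whether the profile route already does. A why-comment would help the next reader, e.g. `// require the current password before changing the fallback email, which (by its name) is a recovery channel`. The update function starts and ends outside the hunk.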
@@ -125,10 +125,42 @@ describe('Profile API', function () {
  expect(response2.statusCode).to.equal(200);
  expect(response2.body.username).to.equal(owner.username);
  expect(response2.body.email).to.equal('newemail@example.com'); // lower cased
- expect(response2.body.fallbackEmail).to.equal('newfallbackemail@example.com');
  expect(response2.body.displayName).to.equal('');
  });
+ it('change fallback email fails due to missing password', async function () {
+ const response = await superagent.post(`${serverUrl}/api/v1/profile`)
+ .query({ access_token: owner.token })
+ .send({ fallbackEmail: 'newemail@example.com' })
+ .ok(() => true);
+
+ expect(response.statusCode).to.equal(400);
+ });
+
+ it('change fallback email fails due to invalid password', async function () {
+ const response = await superagent.post(`${serverUrl}/api/v1/profile`)
+ .query({ access_token: owner.token })
+ .send({ fallbackEmail: 'foo@bar.com', password: 'this is wrong' })
+ .ok(() => true);
+
+ expect(response.statusCode).to.equal(412);
+ });
+
+ it('change fallback email succeeds', async function () {
+ const response = await superagent.post(`${serverUrl}/api/v1/profile`)
+ .query({ access_token: owner.token })
+ .send({ fallbackEmail: 'NewFallbackemail@example.com', password: owner.password });
+
+ expect(response.statusCode).to.equal(204);
+
+ const response2 = await superagent.get(`${serverUrl}/api/v1/profile`)
+ .query({ access_token: owner.token });
+
+ expect(response2.statusCode).to.equal(200);
+ expect(response2.body.username).to.equal(owner.username);
+ expect(response2.body.fallbackEmail).to.equal('newfallbackemail@example.com'); // lowercase
+ });
+
  it('change displayName succeeds', async function () {
  const response = await superagent.post(`${serverUrl}/api/v1/profile`)
  .query({ access_token: owner.token })
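Review bot: The two failure tests added here ('missing password' and 'invalid password') assert only the status code; neither confirms the stored fallbackEmail is unchanged afterwards, so a regression where the guard reports an error but `users.update` still runs would go unnoticed. After each failing POST, add a GET of `/api/v1/profile` and assert `response2.body.fallbackEmail` still holds whatever the profile held before the request. The route's guard also rejects an empty-string and a non-string password, and none of the three tests covers those variants; a `password: ''` case and a `password: 123` case, each expecting 400, would pin that branch. The enclosing describe block starts and ends outside the hunk.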
@@ -158,7 +190,7 @@ describe('Profile API', function () {
  it('fails due to missing new password', async function () {
  const response = await superagent.post(`${serverUrl}/api/v1/profile/password`)
  .query({ access_token: owner.token })
- .send({ password: owner.password.password })
+ .send({ password: owner.password })
  .ok(() => true);
  expect(response.statusCode).to.equal(400);
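Review bot: `owner.password.password` evaluated to `undefined`, so before this fix the test presumably got its 400 for a missing current password rather than for the missing new password the title describes, and the status-only assertion could not tell the two apart. With the corrected payload the intended branch is exercised, but to stop the test from passing for the wrong reason again, also assert on the error message in the response body — the exact field depends on how HttpError is serialized by this server, so use whatever the other tests in this file already check. The test body continues outside the hunk.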