profile: unify password verification check

Girish Ramakrishnan
2024-01-22 13:53:40 +01:00
parent 3220721f84
commit d7dda61775
4 changed files with 7 additions and 18 deletions
+2 -14
@@ -1,7 +1,7 @@
'use strict';
exports = module.exports = {
authorize,
canEditProfile,
get,
setDisplayName,
setEmail,
@@ -25,7 +25,7 @@ const assert = require('assert'),
safe = require('safetydance'),
users = require('../users.js');
async function authorize(req, res, next) {
async function canEditProfile(req, res, next) {
assert.strictEqual(typeof req.user, 'object');
const [error, profileConfig] = await safe(users.getProfileConfig());
@@ -66,12 +66,6 @@ async function setEmail(req, res, next) {
assert.strictEqual(typeof req.body, 'object');
if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string'));
const [verifyError] = await safe(users.verify(req.user.id, req.body.password, users.AP_WEBADMIN, { skipTotpCheck: true })); // just check password
if (verifyError) return next(BoxError.toHttpError(verifyError));
req.body.password = '<redacted>'; // this will prevent logs from displaying plain text password
const [error] = await safe(users.update(req.user, { email: req.body.email }, AuditSource.fromRequest(req)));
if (error) return next(BoxError.toHttpError(error));
@@ -84,12 +78,6 @@ async function setFallbackEmail(req, res, next) {
assert.strictEqual(typeof req.body, 'object');
if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));
if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string'));
const [verifyError] = await safe(users.verify(req.user.id, req.body.password, users.AP_WEBADMIN, { skipTotpCheck: true })); // just check password
if (verifyError) return next(BoxError.toHttpError(verifyError));
req.body.password = '<redacted>'; // this will prevent logs from displaying plain text password
const [error] = await safe(users.update(req.user, { fallbackEmail: req.body.fallbackEmail }, AuditSource.fromRequest(req)));
if (error) return next(BoxError.toHttpError(error));