require current password for email change

2022-09-09 17:18:35 +03:00 · 2022-09-09 17:18:35 +03:00 · 97fe447a43
parent b02191608a
commit 97fe447a43
4 changed files with 18 additions and 3 deletions
--- a/src/fe/scss/_form.scss
+++ b/src/fe/scss/_form.scss
@ -20,6 +20,7 @@ input.form-control {
  font-size: 1rem;
  border-radius: 4px;
  border: 1px solid var(--form-border);
+  box-shadow: inset 0 0 4px rgba(0, 0, 0, 0.1215686275);

  transition: outline 0.15s linear;

--- a/src/modules/api/admin/oauth2-admin.controller.ts
+++ b/src/modules/api/admin/oauth2-admin.controller.ts
@ -196,8 +196,8 @@ export class OAuth2AdminController {
      return this._oaClient.stripClientInfo(client);
    }

-    const splitGrants = allowedFieldsOnly.grants.split(' ');
-    const splitScopes = allowedFieldsOnly.scope.split(' ');
+    const splitGrants = allowedFieldsOnly.grants.trim().split(' ');
+    const splitScopes = allowedFieldsOnly.scope.trim().split(' ');
    let availableGrantTypes = this._oaClient.availableGrantTypes;
    let availableScopes = this._oaClient.availableScopes;

--- a/src/modules/static-front-end/settings/settings.controller.ts
+++ b/src/modules/static-front-end/settings/settings.controller.ts
@ -246,10 +246,11 @@ export class SettingsController {
    @Body()
    body: {
      current_email: string;
+      current_password: string;
      email: string;
    },
  ) {
-    const { current_email, email } = body;
+    const { current_email, current_password, email } = body;
    try {
      if (!current_email || !email) {
        throw new Error('Please fill out all of the fields.');
@ -263,6 +264,16 @@ export class SettingsController {
        throw new Error('The new email address is invalid.');
      }

+      if (
+        !current_password ||
+        !(await this._user.comparePasswords(
+          req.user.password,
+          current_password,
+        ))
+      ) {
+        throw new Error('Current password is invalid.');
+      }
+
      const existing = await this._user.getByEmail(email);
      if (existing) {
        throw new Error(
--- a/views/settings/security.pug
+++ b/views/settings/security.pug
@ -22,6 +22,7 @@ block settings
          input.form-control#password(type="password", name="password")
          label.form-label(for="new_password") New Password
          input.form-control#new_password(type="password", name="new_password", autocomplete="new-password")
+          small.form-hint At least 8 characters, a capital letter and a number required.
          label.form-label(for="password_repeat") Repeat new password
          input.form-control#password_repeat(type="password", name="password_repeat")
          button.btn.btn-primary(type="submit") Change
@ -30,6 +31,8 @@ block settings
      form(method="post", action="/account/security/email", autocomplete="off")
        div.form-container
          input(type="hidden", name="_csrf", value=csrf)
+          label.form-label(for="current_password") Current Password
+          input.form-control#current_password(type="password", name="current_password")
          label.form-label(for="current_email") Current Email Address
          input.form-control#current_email(type="email", name="current_email")
          small.form-hint Hint: #{emailHint}