From 97fe447a432059623af0e39f41f359fab703d563 Mon Sep 17 00:00:00 2001 From: Evert Prants Date: Fri, 9 Sep 2022 17:18:35 +0300 Subject: [PATCH] require current password for email change --- src/fe/scss/_form.scss | 1 + src/modules/api/admin/oauth2-admin.controller.ts | 4 ++-- .../settings/settings.controller.ts | 13 ++++++++++++- views/settings/security.pug | 3 +++ 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/src/fe/scss/_form.scss b/src/fe/scss/_form.scss index 9ea9b99..9666fe8 100644 --- a/src/fe/scss/_form.scss +++ b/src/fe/scss/_form.scss @@ -20,6 +20,7 @@ input.form-control { font-size: 1rem; border-radius: 4px; border: 1px solid var(--form-border); + box-shadow: inset 0 0 4px rgba(0, 0, 0, 0.1215686275); transition: outline 0.15s linear; diff --git a/src/modules/api/admin/oauth2-admin.controller.ts b/src/modules/api/admin/oauth2-admin.controller.ts index ea018d9..f464032 100644 --- a/src/modules/api/admin/oauth2-admin.controller.ts +++ b/src/modules/api/admin/oauth2-admin.controller.ts @@ -196,8 +196,8 @@ export class OAuth2AdminController { return this._oaClient.stripClientInfo(client); } - const splitGrants = allowedFieldsOnly.grants.split(' '); - const splitScopes = allowedFieldsOnly.scope.split(' '); + const splitGrants = allowedFieldsOnly.grants.trim().split(' '); + const splitScopes = allowedFieldsOnly.scope.trim().split(' '); let availableGrantTypes = this._oaClient.availableGrantTypes; let availableScopes = this._oaClient.availableScopes; diff --git a/src/modules/static-front-end/settings/settings.controller.ts b/src/modules/static-front-end/settings/settings.controller.ts index ded128d..0a2974c 100644 --- a/src/modules/static-front-end/settings/settings.controller.ts +++ b/src/modules/static-front-end/settings/settings.controller.ts 
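Review bot: `trim().split(' ')` still yields empty-string entries when `grants` or `scope` contain consecutive spaces (or tabs/newlines), and those entries are then compared against `availableGrantTypes`/`availableScopes` — whether they are rejected or silently dropped depends on code after the hunk. Splitting on a whitespace run and discarding empties, `const splitGrants = allowedFieldsOnly.grants.split(/\s+/).filter(Boolean);` and likewise for `splitScopes`, covers that without the extra `trim()`. Note that `.trim()` throws a TypeError if either field is absent from the body, exactly as the previous `.split` did; if the fields are optional on this admin route (not visible here), a guard such as `(allowedFieldsOnly.grants ?? '')` would be safer. The enclosing method begins and ends outside the hunk.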
@@ -246,10 +246,11 @@ export class SettingsController { @Body() body: { current_email: string; + current_password: string; email: string; }, ) { - const { current_email, email } = body; + const { current_email, current_password, email } = body; try { if (!current_email || !email) { throw new Error('Please fill out all of the fields.'); @@ -263,6 +264,16 @@ export class SettingsController { throw new Error('The new email address is invalid.'); } + if ( + !current_password || + !(await this._user.comparePasswords( + req.user.password, + current_password, + )) + ) { + throw new Error('Current password is invalid.'); + } + const existing = await this._user.getByEmail(email); if (existing) { throw new Error( diff --git a/views/settings/security.pug b/views/settings/security.pug index cd5e059..fa820fc 100644 --- a/views/settings/security.pug +++ b/views/settings/security.pug @@ -22,6 +22,7 @@ block settings input.form-control#password(type="password", name="password") label.form-label(for="new_password") New Password input.form-control#new_password(type="password", name="new_password", autocomplete="new-password") + small.form-hint At least 8 characters, a capital letter and a number required. label.form-label(for="password_repeat") Repeat new password input.form-control#password_repeat(type="password", name="password_repeat") button.btn.btn-primary(type="submit") Change @@ -30,6 +31,8 @@ block settings form(method="post", action="/account/security/email", autocomplete="off") div.form-container input(type="hidden", name="_csrf", value=csrf) + label.form-label(for="current_password") Current Password + input.form-control#current_password(type="password", name="current_password") label.form-label(for="current_email") Current Email Address input.form-control#current_email(type="email", name="current_email") small.form-hint Hint: #{emailHint}
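Review bot: The new current-password comparison (`comparePasswords(req.user.password, current_password)`) turns this authenticated endpoint into a password oracle: nothing in the hunk throttles or counts failed attempts, so anyone holding a hijacked session can brute-force the account password by resubmitting the email form — unless a rate-limit guard is applied on the controller outside the hunk, a throttle or a lockout counter shared with the login path belongs here. The hash is read from `req.user.password`; if `req.user` is a session-deserialized snapshot rather than a fresh load, a password changed in another session would not be reflected, so loading the user record before comparing is safer (inferred — the loader is not visible). The ordering is right: the password is checked before `getByEmail(email)`, so whether another account owns the target email is only revealed to a caller who already knows the password. The enclosing handler starts and ends outside the hunk.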
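Review bot: The new `current_password` input on the email form carries no `autocomplete` attribute, while the form itself is `autocomplete="off"` and the password form's new-password field already uses `autocomplete="new-password"`; browsers and password managers handle an unlabelled password field inconsistently, and `autocomplete="off"` on the form is widely ignored for password fields anyway. Marking it `required` also stops an empty submission client-side before the server presumably rejects it with a generic "invalid password" error. Suggested line: `input.form-control#current_password(type="password", name="current_password", autocomplete="current-password", required)`.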