require current password for email change

This commit is contained in:
Evert Prants 2022-09-09 17:18:35 +03:00
parent b02191608a
commit 97fe447a43
Signed by: evert
GPG Key ID: 1688DA83D222D0B5
4 changed files with 18 additions and 3 deletions


@ -20,6 +20,7 @@ input.form-control {
font-size: 1rem; font-size: 1rem;
border-radius: 4px; border-radius: 4px;
border: 1px solid var(--form-border); border: 1px solid var(--form-border);
box-shadow: inset 0 0 4px rgba(0, 0, 0, 0.1215686275);
transition: outline 0.15s linear; transition: outline 0.15s linear;


@ -196,8 +196,8 @@ export class OAuth2AdminController {
return this._oaClient.stripClientInfo(client); return this._oaClient.stripClientInfo(client);
} }
const splitGrants = allowedFieldsOnly.grants.split(' '); const splitGrants = allowedFieldsOnly.grants.trim().split(' ');
const splitScopes = allowedFieldsOnly.scope.split(' '); const splitScopes = allowedFieldsOnly.scope.trim().split(' ');
let availableGrantTypes = this._oaClient.availableGrantTypes; let availableGrantTypes = this._oaClient.availableGrantTypes;
let availableScopes = this._oaClient.availableScopes; let availableScopes = this._oaClient.availableScopes;
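Review bot: The `.trim().split(' ')` on the two changed lines still yields empty-string entries when the field contains runs of spaces, and a lone `''` when the field is empty after trimming, so whatever later compares the entries against availableGrantTypes/availableScopes will see bogus values; `const splitGrants = allowedFieldsOnly.grants.trim().split(/\s+/).filter(Boolean);` and the same for `scope` handle both cases. Whether grants and scope are guaranteed to be strings here depends on validation outside the hunk; `.trim()` on a missing value throws just as the original `.split` did, so that behaviour is unchanged. The enclosing method starts and ends outside the hunk.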


@ -246,10 +246,11 @@ export class SettingsController {
@Body() @Body()
body: { body: {
current_email: string; current_email: string;
current_password: string;
email: string; email: string;
}, },
) { ) {
const { current_email, email } = body; const { current_email, current_password, email } = body;
try { try {
if (!current_email || !email) { if (!current_email || !email) {
throw new Error('Please fill out all of the fields.'); throw new Error('Please fill out all of the fields.');
@ -263,6 +264,16 @@ export class SettingsController {
throw new Error('The new email address is invalid.'); throw new Error('The new email address is invalid.');
} }
if (
!current_password ||
!(await this._user.comparePasswords(
req.user.password,
current_password,
))
) {
throw new Error('Current password is invalid.');
}
const existing = await this._user.getByEmail(email); const existing = await this._user.getByEmail(email);
if (existing) { if (existing) {
throw new Error( throw new Error(
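Review bot: The required-fields check `if (!current_email || !email)` in the first hunk was not extended to the new field, so a submission that omits current_password passes the format checks on the email and is only rejected later with `Current password is invalid.` instead of `Please fill out all of the fields.`; change it to `if (!current_email || !current_password || !email) {`. The truthiness test inside the new block still refuses the missing value, so this is about accurate error reporting rather than a bypass. The new check passes `req.user.password` as the first argument to comparePasswords, presumably the stored hash in the order that helper expects; a swapped order would fail closed but reject every legitimate change, so it is worth confirming against the helper's signature. The enclosing handler starts before the first hunk and continues after the second.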


@ -22,6 +22,7 @@ block settings
input.form-control#password(type="password", name="password") input.form-control#password(type="password", name="password")
label.form-label(for="new_password") New Password label.form-label(for="new_password") New Password
input.form-control#new_password(type="password", name="new_password", autocomplete="new-password") input.form-control#new_password(type="password", name="new_password", autocomplete="new-password")
small.form-hint At least 8 characters, a capital letter and a number required.
label.form-label(for="password_repeat") Repeat new password label.form-label(for="password_repeat") Repeat new password
input.form-control#password_repeat(type="password", name="password_repeat") input.form-control#password_repeat(type="password", name="password_repeat")
button.btn.btn-primary(type="submit") Change button.btn.btn-primary(type="submit") Change
@ -30,6 +31,8 @@ block settings
form(method="post", action="/account/security/email", autocomplete="off") form(method="post", action="/account/security/email", autocomplete="off")
div.form-container div.form-container
input(type="hidden", name="_csrf", value=csrf) input(type="hidden", name="_csrf", value=csrf)
label.form-label(for="current_password") Current Password
input.form-control#current_password(type="password", name="current_password")
label.form-label(for="current_email") Current Email Address label.form-label(for="current_email") Current Email Address
input.form-control#current_email(type="email", name="current_email") input.form-control#current_email(type="email", name="current_email")
small.form-hint Hint: #{emailHint} small.form-hint Hint: #{emailHint}
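Review bot: The new `input.form-control#current_password` field in the second hunk carries no `autocomplete` attribute, while the change-password form in the first hunk already tags its field `autocomplete="new-password"`; adding `autocomplete="current-password"` tells browsers and password managers which credential belongs in this box, which matters here because the enclosing form sets `autocomplete="off"`. Suggested line: `input.form-control#current_password(type="password", name="current_password", autocomplete="current-password")`. The policy text added in the first hunk, `At least 8 characters, a capital letter and a number required.`, is presumably mirrored by a server-side rule not shown in this commit; worth confirming the two stay in sync.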