require current password for email change

src/fe/scss/_form.scss

@@ -20,6 +20,7 @@ input.form-control {
   font-size: 1rem;
   border-radius: 4px;
   border: 1px solid var(--form-border);
+  box-shadow: inset 0 0 4px rgba(0, 0, 0, 0.1215686275);
 
   transition: outline 0.15s linear;
 

src/modules/api/admin/oauth2-admin.controller.ts

@@ -196,8 +196,8 @@ export class OAuth2AdminController {
       return this._oaClient.stripClientInfo(client);
     }
 
-    const splitGrants = allowedFieldsOnly.grants.split(' ');
+    const splitGrants = allowedFieldsOnly.grants.trim().split(' ');
-    const splitScopes = allowedFieldsOnly.scope.split(' ');
+    const splitScopes = allowedFieldsOnly.scope.trim().split(' ');
     let availableGrantTypes = this._oaClient.availableGrantTypes;
     let availableScopes = this._oaClient.availableScopes;
 

src/modules/static-front-end/settings/settings.controller.ts

@@ -246,10 +246,11 @@ export class SettingsController {
     @Body()
     body: {
       current_email: string;
+      current_password: string;
       email: string;
     },
   ) {
-    const { current_email, email } = body;
+    const { current_email, current_password, email } = body;
     try {
       if (!current_email || !email) {
         throw new Error('Please fill out all of the fields.');
@@ -263,6 +264,16 @@ export class SettingsController {
         throw new Error('The new email address is invalid.');
       }
 
+      if (
+        !current_password ||
+        !(await this._user.comparePasswords(
+          req.user.password,
+          current_password,
+        ))
+      ) {
+        throw new Error('Current password is invalid.');
+      }
+
       const existing = await this._user.getByEmail(email);
       if (existing) {
         throw new Error(

views/settings/security.pug

@@ -22,6 +22,7 @@ block settings
           input.form-control#password(type="password", name="password")
           label.form-label(for="new_password") New Password
           input.form-control#new_password(type="password", name="new_password", autocomplete="new-password")
+          small.form-hint At least 8 characters, a capital letter and a number required.
           label.form-label(for="password_repeat") Repeat new password
           input.form-control#password_repeat(type="password", name="password_repeat")
           button.btn.btn-primary(type="submit") Change
@@ -30,6 +31,8 @@ block settings
       form(method="post", action="/account/security/email", autocomplete="off")
         div.form-container
           input(type="hidden", name="_csrf", value=csrf)
+          label.form-label(for="current_password") Current Password
+          input.form-control#current_password(type="password", name="current_password")
           label.form-label(for="current_email") Current Email Address
           input.form-control#current_email(type="email", name="current_email")
           small.form-hint Hint: #{emailHint}