Make require password to update email

author: syuilo <syuilotan@yahoo.co.jp> 2018-11-29 20:19:02 +0900
committer: syuilo <syuilotan@yahoo.co.jp> 2018-11-29 20:19:02 +0900
commit: 22e30b44b905b594aa7790adff7faa8c2bdfef1b (patch)
tree: 361eacabff3f587eca67351ed146416f038fc306 /src/server
parent: [MFM] Improve hashtag detection (diff)
download: sharkey-22e30b44b905b594aa7790adff7faa8c2bdfef1b.tar.gz
sharkey-22e30b44b905b594aa7790adff7faa8c2bdfef1b.tar.bz2
sharkey-22e30b44b905b594aa7790adff7faa8c2bdfef1b.zip
1 files changed, 12 insertions, 0 deletions
diff --git a/src/server/api/endpoints/i/update_email.ts b/src/server/api/endpoints/i/update_email.ts
index c2699d47c2..0aa22b4d83 100644
--- a/src/server/api/endpoints/i/update_email.ts
+++ b/src/server/api/endpoints/i/update_email.ts
@@ -7,6 +7,7 @@ import fetchMeta from '../../../../misc/fetch-meta';
 import rndstr from 'rndstr';
 import config from '../../../../config';
 const ms = require('ms');
+import * as bcrypt from 'bcryptjs';
 
 export const meta = {
 	requireCredential: true,
@@ -19,6 +20,10 @@ export const meta = {
 	},
 
 	params: {
+		password: {
+			validator: $.str
+		},
+
 		email: {
 			validator: $.str.optional.nullable
 		},
@@ -26,6 +31,13 @@ export const meta = {
 };
 
 export default define(meta, (ps, user) => new Promise(async (res, rej) => {
+	// Compare password
+	const same = await bcrypt.compare(ps.password, user.password);
+
+	if (!same) {
+		return rej('incorrect password');
+	}
+
 	await User.update(user._id, {
 		$set: {
 			email: ps.email,
author	syuilo <syuilotan@yahoo.co.jp>	2018-11-29 20:19:02 +0900
committer	syuilo <syuilotan@yahoo.co.jp>	2018-11-29 20:19:02 +0900
commit	22e30b44b905b594aa7790adff7faa8c2bdfef1b (patch)
tree	361eacabff3f587eca67351ed146416f038fc306 /src/server
parent	[MFM] Improve hashtag detection (diff)
download	sharkey-22e30b44b905b594aa7790adff7faa8c2bdfef1b.tar.gz sharkey-22e30b44b905b594aa7790adff7faa8c2bdfef1b.tar.bz2 sharkey-22e30b44b905b594aa7790adff7faa8c2bdfef1b.zip