authorsyuilo <syuilotan@yahoo.co.jp>2018-11-29 20:19:02 +0900
committersyuilo <syuilotan@yahoo.co.jp>2018-11-29 20:19:02 +0900
commit22e30b44b905b594aa7790adff7faa8c2bdfef1b (patch)
tree361eacabff3f587eca67351ed146416f038fc306 /src
parent[MFM] Improve hashtag detection (diff)
Make require password to update email
Diffstat (limited to 'src')
-rw-r--r--src/client/app/common/views/components/profile-editor.vue10
-rw-r--r--src/server/api/endpoints/i/update_email.ts12
2 files changed, 20 insertions, 2 deletions
diff --git a/src/client/app/common/views/components/profile-editor.vue b/src/client/app/common/views/components/profile-editor.vue
index fc0fbb9e65..62d5d7a29c 100644
--- a/src/client/app/common/views/components/profile-editor.vue
+++ b/src/client/app/common/views/components/profile-editor.vue
@@ -218,8 +218,14 @@ export default Vue.extend({
},
updateEmail() {
- this.$root.api('i/update_email', {
- email: this.email == '' ? null : this.email
+ this.$input({
+ title: this.$t('@.enter-password'),
+ type: 'password'
+ }).then(password => {
+ this.$root.api('i/update_email', {
+ password: password,
+ email: this.email == '' ? null : this.email
+ });
});
}
}
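Review bot: The promise returned by `this.$root.api('i/update_email', …)` inside the `.then` callback is neither returned nor caught, so a server-side rejection such as 'incorrect password' gives the user no feedback and surfaces only as an unhandled rejection. Returning the call from the callback and chaining a `.catch` that reports the failure to the user would close that gap. It is also worth confirming what `this.$input` resolves with when the dialog is dismissed; if that can be a nullish value, the request is still sent, and a guard such as `if (password == null) return;` at the top of the callback would avoid it. The surrounding `methods` object starts and ends outside this hunk.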
diff --git a/src/server/api/endpoints/i/update_email.ts b/src/server/api/endpoints/i/update_email.ts
index c2699d47c2..0aa22b4d83 100644
--- a/src/server/api/endpoints/i/update_email.ts
+++ b/src/server/api/endpoints/i/update_email.ts
@@ -7,6 +7,7 @@ import fetchMeta from '../../../../misc/fetch-meta';
import rndstr from 'rndstr';
import config from '../../../../config';
const ms = require('ms');
+import * as bcrypt from 'bcryptjs';
export const meta = {
requireCredential: true,
@@ -19,6 +20,10 @@ export const meta = {
},
params: {
+ password: {
+ validator: $.str
+ },
+
email: {
validator: $.str.optional.nullable
},
@@ -26,6 +31,13 @@ export const meta = {
};
export default define(meta, (ps, user) => new Promise(async (res, rej) => {
+ // Compare password
+ const same = await bcrypt.compare(ps.password, user.password);
+
+ if (!same) {
+ return rej('incorrect password');
+ }
+
await User.update(user._id, {
$set: {
email: ps.email,
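Review bot: `await bcrypt.compare(ps.password, user.password)` runs inside an `async` Promise executor, so if the compare rejects neither `res` nor `rej` is called and the request never settles; this could happen if `user.password` is absent or not a valid hash for some account, which is not visible here. Failing closed keeps the check safe, e.g. `const same = await bcrypt.compare(ps.password, user.password).catch(() => false);`. Because the endpoint now reveals whether a submitted password is correct to anyone holding a valid credential, also confirm that `meta` carries a rate limit for it; the part of `meta` between the hunks is not shown. The handler body continues past the end of this hunk.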