From 22e30b44b905b594aa7790adff7faa8c2bdfef1b Mon Sep 17 00:00:00 2001
From: syuilo
Date: Thu, 29 Nov 2018 20:19:02 +0900
Subject: Make require password to update email

---
 src/server/api/endpoints/i/update_email.ts | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/server/api')

diff --git a/src/server/api/endpoints/i/update_email.ts b/src/server/api/endpoints/i/update_email.ts
index c2699d47c2..0aa22b4d83 100644
--- a/src/server/api/endpoints/i/update_email.ts
+++ b/src/server/api/endpoints/i/update_email.ts
@@ -7,6 +7,7 @@ import fetchMeta from '../../../../misc/fetch-meta';
 import rndstr from 'rndstr';
 import config from '../../../../config';
 const ms = require('ms');
+import * as bcrypt from 'bcryptjs';

 export const meta = {
 requireCredential: true,
@@ -19,6 +20,10 @@ export const meta = {
 },

 params: {
+ password: {
+ validator: $.str
+ },
+
 email: {
 validator: $.str.optional.nullable
 },
@@ -26,6 +31,13 @@ export const meta = {
 };

 export default define(meta, (ps, user) => new Promise(async (res, rej) => {
+ // Compare password
+ const same = await bcrypt.compare(ps.password, user.password);
+
+ if (!same) {
+ return rej('incorrect password');
+ }
+
 await User.update(user._id, {
 $set: {
 email: ps.email,
--
cgit v1.2.3-freya
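Review bot: The new `password` entry in `params` carries no comment or description saying that it is the caller's current password and that the endpoint now rejects requests without it, which is a breaking change for existing clients. A line such as `// Current account password; re-authenticates the caller before the address is changed` above `password: {` would record that intent next to the validator. The `meta` object starts and ends outside this hunk, so whether other parameters are documented elsewhere cannot be seen here.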
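Review bot: The added `await bcrypt.compare(ps.password, user.password)` runs inside the `async` executor of `new Promise(...)`, so if it rejects, neither `res` nor `rej` is called and the request stays pending instead of failing closed. bcryptjs rejects on non-string arguments, which would happen if `user.password` were absent on some account type; the hunk does not show whether that can occur. Handling the error at the call, e.g. `const same = await bcrypt.compare(ps.password, user.password).catch(() => false);`, keeps a comparison failure on the reject path. Because the endpoint now confirms password guesses for anyone holding a valid session or token, it is also worth confirming that `meta` applies a rate limit and that failed attempts are logged; neither is visible in this hunk. The handler body continues past the last context line.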