diff options
author | Chocobozzz <me@florianbigard.com> | 2018-09-26 16:28:15 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-09-26 16:28:27 +0200 |
commit | a890d1e0d30851741392e6e7f14acffe685d28e0 (patch) | |
tree | 40f6d0c4643f795670943e176d60b2e85a0fb6e0 /server/middlewares | |
parent | be1206bb934c223893a652be5f1f6c911c9c66be (diff) | |
download | PeerTube-a890d1e0d30851741392e6e7f14acffe685d28e0.tar.gz PeerTube-a890d1e0d30851741392e6e7f14acffe685d28e0.tar.zst PeerTube-a890d1e0d30851741392e6e7f14acffe685d28e0.zip |
Check current password on server side
Diffstat (limited to 'server/middlewares')
-rw-r--r-- | server/middlewares/validators/users.ts | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index d3ba1ae23..61297120a 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts | |||
@@ -22,6 +22,7 @@ import { Redis } from '../../lib/redis' | |||
22 | import { UserModel } from '../../models/account/user' | 22 | import { UserModel } from '../../models/account/user' |
23 | import { areValidationErrors } from './utils' | 23 | import { areValidationErrors } from './utils' |
24 | import { ActorModel } from '../../models/activitypub/actor' | 24 | import { ActorModel } from '../../models/activitypub/actor' |
25 | import { comparePassword } from '../../helpers/peertube-crypto' | ||
25 | 26 | ||
26 | const usersAddValidator = [ | 27 | const usersAddValidator = [ |
27 | body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'), | 28 | body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'), |
@@ -137,15 +138,31 @@ const usersUpdateValidator = [ | |||
137 | const usersUpdateMeValidator = [ | 138 | const usersUpdateMeValidator = [ |
138 | body('displayName').optional().custom(isUserDisplayNameValid).withMessage('Should have a valid display name'), | 139 | body('displayName').optional().custom(isUserDisplayNameValid).withMessage('Should have a valid display name'), |
139 | body('description').optional().custom(isUserDescriptionValid).withMessage('Should have a valid description'), | 140 | body('description').optional().custom(isUserDescriptionValid).withMessage('Should have a valid description'), |
141 | body('currentPassword').optional().custom(isUserPasswordValid).withMessage('Should have a valid current password'), | ||
140 | body('password').optional().custom(isUserPasswordValid).withMessage('Should have a valid password'), | 142 | body('password').optional().custom(isUserPasswordValid).withMessage('Should have a valid password'), |
141 | body('email').optional().isEmail().withMessage('Should have a valid email attribute'), | 143 | body('email').optional().isEmail().withMessage('Should have a valid email attribute'), |
142 | body('nsfwPolicy').optional().custom(isUserNSFWPolicyValid).withMessage('Should have a valid display Not Safe For Work policy'), | 144 | body('nsfwPolicy').optional().custom(isUserNSFWPolicyValid).withMessage('Should have a valid display Not Safe For Work policy'), |
143 | body('autoPlayVideo').optional().custom(isUserAutoPlayVideoValid).withMessage('Should have a valid automatically plays video attribute'), | 145 | body('autoPlayVideo').optional().custom(isUserAutoPlayVideoValid).withMessage('Should have a valid automatically plays video attribute'), |
144 | 146 | ||
145 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 147 | async (req: express.Request, res: express.Response, next: express.NextFunction) => { |
146 | // TODO: Add old password verification | ||
147 | logger.debug('Checking usersUpdateMe parameters', { parameters: omit(req.body, 'password') }) | 148 | logger.debug('Checking usersUpdateMe parameters', { parameters: omit(req.body, 'password') }) |
148 | 149 | ||
150 | if (req.body.password) { | ||
151 | if (!req.body.currentPassword) { | ||
152 | return res.status(400) | ||
153 | .send({ error: 'currentPassword parameter is missing.' }) | ||
154 | .end() | ||
155 | } | ||
156 | |||
157 | const user: UserModel = res.locals.oauth.token.User | ||
158 | |||
159 | if (await user.isPasswordMatch(req.body.currentPassword) !== true) { | ||
160 | return res.status(401) | ||
161 | .send({ error: 'currentPassword is invalid.' }) | ||
162 | .end() | ||
163 | } | ||
164 | } | ||
165 | |||
149 | if (areValidationErrors(req, res)) return | 166 | if (areValidationErrors(req, res)) return |
150 | 167 | ||
151 | return next() | 168 | return next() |