From a890d1e0d30851741392e6e7f14acffe685d28e0 Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Wed, 26 Sep 2018 16:28:15 +0200 Subject: Check current password on server side --- server/middlewares/validators/users.ts | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) (limited to 'server/middlewares') diff --git a/server/middlewares/validators/users.ts b/server/middlewares/validators/users.ts index d3ba1ae23..61297120a 100644 --- a/server/middlewares/validators/users.ts +++ b/server/middlewares/validators/users.ts @@ -22,6 +22,7 @@ import { Redis } from '../../lib/redis' import { UserModel } from '../../models/account/user' import { areValidationErrors } from './utils' import { ActorModel } from '../../models/activitypub/actor' +import { comparePassword } from '../../helpers/peertube-crypto' const usersAddValidator = [ body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'), @@ -137,15 +138,31 @@ const usersUpdateValidator = [ const usersUpdateMeValidator = [ body('displayName').optional().custom(isUserDisplayNameValid).withMessage('Should have a valid display name'), body('description').optional().custom(isUserDescriptionValid).withMessage('Should have a valid description'), + body('currentPassword').optional().custom(isUserPasswordValid).withMessage('Should have a valid current password'), body('password').optional().custom(isUserPasswordValid).withMessage('Should have a valid password'), body('email').optional().isEmail().withMessage('Should have a valid email attribute'), body('nsfwPolicy').optional().custom(isUserNSFWPolicyValid).withMessage('Should have a valid display Not Safe For Work policy'), body('autoPlayVideo').optional().custom(isUserAutoPlayVideoValid).withMessage('Should have a valid automatically plays video attribute'), - (req: express.Request, res: express.Response, next: express.NextFunction) => { - // TODO: Add old password verification + async (req: express.Request, res: express.Response, next: express.NextFunction) => { logger.debug('Checking usersUpdateMe parameters', { parameters: omit(req.body, 'password') }) + if (req.body.password) { + if (!req.body.currentPassword) { + return res.status(400) + .send({ error: 'currentPassword parameter is missing.' }) + .end() + } + + const user: UserModel = res.locals.oauth.token.User + + if (await user.isPasswordMatch(req.body.currentPassword) !== true) { + return res.status(401) + .send({ error: 'currentPassword is invalid.' }) + .end() + } + } + if (areValidationErrors(req, res)) return return next() -- cgit v1.2.3