summary refs log tree commit diff
diff options
context:
space:
mode:
authorMadeline <46743919+MaddyUnderStars@users.noreply.github.com>2022-02-17 20:57:42 +1100
committerMadeline <46743919+MaddyUnderStars@users.noreply.github.com>2022-02-17 20:57:42 +1100
commitd0cfbecc3286f8086629ac89b724e0adbdaf9a39 (patch)
tree623581f56dcd5c6da294251c24018fa005661216
parentFixed bug in /users/@me PATCH where username must be present in every request... (diff)
downloadserver-d0cfbecc3286f8086629ac89b724e0adbdaf9a39.tar.xz
Added email sanitisation to /users/@me PATCH. Could previously have email as any string
-rw-r--r--api/assets/schemas.json3
-rw-r--r--api/src/routes/users/@me/index.ts9
2 files changed, 11 insertions, 1 deletions
diff --git a/api/assets/schemas.json b/api/assets/schemas.json
index 4ffa44b8..818c8a61 100644
--- a/api/assets/schemas.json
+++ b/api/assets/schemas.json
@@ -7039,6 +7039,9 @@
 			},
 			"code": {
 				"type": "string"
+			},
+			"email": {
+				"type": "string"
 			}
 		},
 		"definitions": {
diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
index 75c91001..93d2cb01 100644
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
@@ -1,5 +1,5 @@
 import { Router, Request, Response } from "express";
-import { User, PrivateUserProjection, emitEvent, UserUpdateEvent, handleFile, FieldErrors } from "@fosscord/util";
+import { User, PrivateUserProjection, emitEvent, UserUpdateEvent, handleFile, FieldErrors, adjustEmail } from "@fosscord/util";
 import { route } from "@fosscord/api";
 import bcrypt from "bcrypt";
 
@@ -21,6 +21,7 @@ export interface UserModifySchema {
 	password?: string;
 	new_password?: string;
 	code?: string;
+	email?: string;
 }
 
 router.get("/", route({}), async (req: Request, res: Response) => {
@@ -46,6 +47,12 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
 		}
 	}
 
+	if (body.email) {
+		body.email = adjustEmail(body.email);
+		if (!body.email)
+			throw FieldErrors({ email: { message: req.t("auth:register.EMAIL_INVALID"), code: "EMAIL_INVALID" } });
+	}
+
 	user.assign(body);
 
 	if (body.new_password) {