authorgumi <git@gumi.ca>2020-03-28 12:52:21 -0400
committergumi <git@gumi.ca>2020-03-28 13:25:25 -0400
commit1301832dd3d7383277e580013503a7c103be4196 (patch)
treeabe5ba6db0d317b272820edb88f208fed5a32df3
parentb7a6dbe4bec7e003561f94312073d704553e438f (diff)
require sending the email address on identity validation
-rw-r--r--src/routers/vault/middlewares/identity.js8
-rw-r--r--src/routers/vault/utils/validate.js4
2 files changed, 9 insertions, 3 deletions
diff --git a/src/routers/vault/middlewares/identity.js b/src/routers/vault/middlewares/identity.js
index 6f77134..e05caef 100644
--- a/src/routers/vault/middlewares/identity.js
+++ b/src/routers/vault/middlewares/identity.js
@@ -55,7 +55,12 @@ const add_identity = async (req, res, next) => {
// TODO: make an IdentityStore type similar to SessionStore and get rid of Ephemeral
const ident = req.app.locals.identity_pending.get(secret);
- if (ident === null || ident === undefined) {
+ let email;
+ try {
+ email = validate.get_email(req, res);
+ } catch { return } // already handled
+
+ if (ident === null || ident === undefined || ident.email !== email) {
res.status(410).json({
status: "error",
error: "token has expired",
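Review bot: The bare `catch { return }` after the `validate.get_email(req, res)` call assumes every exception out of get_email has already produced a response; if get_email (or, presumably, the get_prop it calls) throws before anything is written — a malformed body, or a plain programming error — the request is left with no response and the failure is invisible. A narrower guard keeps the intended behaviour while surfacing the rest: `} catch (err) { if (!res.headersSent) return next(err); return; }`. The added `ident.email !== email` check is an exact, case-sensitive comparison, so if the pending record's address was normalised when stored, the incoming address has to be normalised the same way or legitimate validations will be rejected as expired; the condition would also benefit from a comment such as `// a mismatch is deliberately reported as expiry so the response does not reveal whether the token exists`. The body of add_identity continues outside the hunk.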
@@ -106,6 +111,7 @@ const add_identity = async (req, res, next) => {
res.status(201).json({
status: "success",
+ identity: newIdent,
});
req.app.locals.cooldown(req, 6e4);
return;
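Review bot: `identity: newIdent` echoes the whole new identity record back to the client, and the hunk gives no view of what newIdent contains; if it carries anything beyond the fields the client itself supplied (internal ids, the pending secret, timestamps), that data is now exposed in the 201 body. Returning an explicit object literal listing only the fields the client needs would make the response shape deliberate and keep later additions to the record from leaking by default. newIdent is built outside the hunk, so this is a caveat to confirm rather than a defect visible here.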
diff --git a/src/routers/vault/utils/validate.js b/src/routers/vault/utils/validate.js
index a0d0ea3..5f2f2a6 100644
--- a/src/routers/vault/utils/validate.js
+++ b/src/routers/vault/utils/validate.js
@@ -76,7 +76,7 @@ const get_prop = (req, prop, regex = null) => {
* @param {Request}
* @returns {string} the session secret
*/
-const get_secret = (req) => {
+const get_secret = (req, res) => {
const token = req.get("X-VAULT-TOKEN") || "";
if (!token.match(regexes.uuid)) {
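Review bot: get_secret gains a `res` parameter, but the JSDoc immediately above still lists a single unnamed `@param {Request}`, so the documented signature no longer matches the code. Update it to `* @param {Request} req` and `* @param {Response} res`, stating how res is used — the visible lines do not touch it, so that usage must be in the body outside this hunk. get_email in the following hunk gains the same parameter and has no docblock at all in the visible lines; it deserves the same treatment. get_secret's body continues past the end of the hunk.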
@@ -176,7 +176,7 @@ const get_session = (req, res) => {
return [token, session];
};
-const get_email = (req) => {
+const get_email = (req, res) => {
const email = get_prop(req, "email");
if (!email.match(regexes.email) || email.length >= 320) {