From 1301832dd3d7383277e580013503a7c103be4196 Mon Sep 17 00:00:00 2001
From: gumi
Date: Sat, 28 Mar 2020 12:52:21 -0400
Subject: require sending the email address on identity validation

---
 src/routers/vault/middlewares/identity.js | 8 +++++++-
 src/routers/vault/utils/validate.js | 4 ++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/routers/vault/middlewares/identity.js b/src/routers/vault/middlewares/identity.js
index 6f77134..e05caef 100644
--- a/src/routers/vault/middlewares/identity.js
+++ b/src/routers/vault/middlewares/identity.js
@@ -55,7 +55,12 @@ const add_identity = async (req, res, next) => {
 // TODO: make an IdentityStore type similar to SessionStore and get rid of Ephemeral
 const ident = req.app.locals.identity_pending.get(secret);
 
- if (ident === null || ident === undefined) {
+ let email;
+ try {
+ email = validate.get_email(req, res);
+ } catch { return } // already handled
+
+ if (ident === null || ident === undefined || ident.email !== email) {
 res.status(410).json({
 status: "error",
 error: "token has expired",
@@ -106,6 +111,7 @@ const add_identity = async (req, res, next) => {
 
 res.status(201).json({
 status: "success",
+ identity: newIdent,
 });
 req.app.locals.cooldown(req, 6e4);
 return;
diff --git a/src/routers/vault/utils/validate.js b/src/routers/vault/utils/validate.js
index a0d0ea3..5f2f2a6 100644
--- a/src/routers/vault/utils/validate.js
+++ b/src/routers/vault/utils/validate.js
@@ -76,7 +76,7 @@ const get_prop = (req, prop, regex = null) => {
 * @param {Request}
 * @returns {string} the session secret
 */
-const get_secret = (req) => {
+const get_secret = (req, res) => {
 const token = req.get("X-VAULT-TOKEN") || "";
 
 if (!token.match(regexes.uuid)) {
@@ -176,7 +176,7 @@ const get_session = (req, res) => {
 return [token, session];
 };
 
-const get_email = (req) => {
+const get_email = (req, res) => {
 const email = get_prop(req, "email");
 
 if (!email.match(regexes.email) || email.length >= 320) {
--
cgit v1.2.3-60-g2f50
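Review bot: The bare `catch { return }` after `validate.get_email(req, res)` assumes every throw from get_email has already written a response, but only a validation failure plausibly does that; an unexpected error inside get_email (a bug, an absent body) would leave the request with no response at all and the client waiting until its timeout. A narrower form keeps the intent while surfacing real errors: `} catch (err) { if (res.headersSent) return; return next(err); }` (next is already in add_identity's signature). Separately, answering an email mismatch with the same 410 "token has expired" as an unknown token avoids revealing whether the secret exists, which looks deliberate; a one-line comment such as `// same response for unknown token and email mismatch: do not reveal which` would keep a later maintainer from "fixing" it into two distinct errors. add_identity's body continues outside the hunk.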
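Review bot: The 201 response now returns `newIdent` wholesale, and since newIdent is built outside the hunk I cannot see which fields it carries; if it includes anything internal (a storage id, the pending-validation secret, timestamps), those now leave the server on every successful validation. If the client only needs to confirm what was added, an explicit projection of the public fields is safer than echoing the record, and it also keeps the API shape independent of the storage shape. Either way the new `identity` field deserves a line in whatever documents this endpoint's 201 body.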
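Review bot: `get_secret` gains a `res` parameter but the JSDoc directly above it is not updated, and its existing `@param {Request}` already lacks a name; the visible part of the body does not use `res`, so a reader cannot tell what it is for (the body continues outside the hunk). Suggest ` * @param {Request} req` and ` * @param {Response} res - used to send the error response on failure`, the second to be confirmed against the rest of the body, and if `res` is not used there at all it should be dropped rather than left as an unused parameter. The same applies to `get_email` in the next hunk, which has no JSDoc at all; since the caller in identity.js relies on it having "already handled" the response before throwing, that contract (what it sends on invalid input, what it returns otherwise) is worth stating in a header comment.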