fix(security): skip cache when checking old passwd

This commit is contained in:
KernelDeimos 2024-04-24 22:28:18 -04:00
parent 25eea41f60
commit 7800ef6102
2 changed files with 16 additions and 13 deletions

View File

@ -184,7 +184,7 @@ async function id2uuid(id){
const cached = options.cached ?? true;
if ( cached ) {
if ( cached && ! options.force ) {
if (options.username) user = kv.get('users:username:' + options.username);
else if (options.email) user = kv.get('users:email:' + options.email);
else if (options.uuid) user = kv.get('users:uuid:' + options.uuid);
@ -194,16 +194,18 @@ async function id2uuid(id){
if ( user ) return user;
}
if(options.username)
user = await db.read("SELECT * FROM `user` WHERE `username` = ? LIMIT 1", [options.username]);
else if(options.email)
user = await db.read("SELECT * FROM `user` WHERE `email` = ? LIMIT 1", [options.email]);
else if(options.uuid)
user = await db.read("SELECT * FROM `user` WHERE `uuid` = ? LIMIT 1", [options.uuid]);
else if(options.id)
user = await db.read("SELECT * FROM `user` WHERE `id` = ? LIMIT 1", [options.id]);
else if(options.referral_code)
user = await db.read("SELECT * FROM `user` WHERE `referral_code` = ? LIMIT 1", [options.referral_code]);
if ( ! options.force ) {
if(options.username)
user = await db.read("SELECT * FROM `user` WHERE `username` = ? LIMIT 1", [options.username]);
else if(options.email)
user = await db.read("SELECT * FROM `user` WHERE `email` = ? LIMIT 1", [options.email]);
else if(options.uuid)
user = await db.read("SELECT * FROM `user` WHERE `uuid` = ? LIMIT 1", [options.uuid]);
else if(options.id)
user = await db.read("SELECT * FROM `user` WHERE `id` = ? LIMIT 1", [options.id]);
else if(options.referral_code)
user = await db.read("SELECT * FROM `user` WHERE `referral_code` = ? LIMIT 1", [options.referral_code]);
}
if(!user || !user[0]){
if(options.username)

View File

@ -18,7 +18,7 @@
*/
"use strict"
const express = require('express');
const { invalidate_cached_user } = require('../helpers');
const { invalidate_cached_user, get_user } = require('../helpers');
const router = new express.Router();
const auth = require('../middleware/auth.js');
const { DB_WRITE } = require('../services/database/consts');
@ -51,8 +51,9 @@ router.post('/passwd', auth, express.json(), async (req, res, next)=>{
}
try{
const user = await get_user({ id: req.user.id, force: true });
// check old_pass
const isMatch = await bcrypt.compare(req.body.old_pass, req.user.password)
const isMatch = await bcrypt.compare(req.body.old_pass, user.password)
if(!isMatch)
return res.status(400).send('old_pass does not match your current password.')
// check new_pass length