fix(security): skip cache when checking old passwd

packages/backend/src/helpers.js

@@ -184,7 +184,7 @@ async function id2uuid(id){
 
     const cached = options.cached ?? true;
 
-    if ( cached ) {
+    if ( cached && ! options.force ) {
         if (options.username) user = kv.get('users:username:' + options.username);
         else if (options.email) user = kv.get('users:email:' + options.email);
         else if (options.uuid) user = kv.get('users:uuid:' + options.uuid);
@@ -194,6 +194,7 @@ async function id2uuid(id){
         if ( user ) return user;
     }
 
+    if ( ! options.force ) {
         if(options.username)
             user = await db.read("SELECT * FROM `user` WHERE `username` = ? LIMIT 1", [options.username]);
         else if(options.email)
@@ -204,6 +205,7 @@ async function id2uuid(id){
             user = await db.read("SELECT * FROM `user` WHERE `id` = ? LIMIT 1", [options.id]);
         else if(options.referral_code)
             user = await db.read("SELECT * FROM `user` WHERE `referral_code` = ? LIMIT 1", [options.referral_code]);
+    }
 
     if(!user || !user[0]){
         if(options.username)

packages/backend/src/routers/passwd.js

@@ -18,7 +18,7 @@
  */
 "use strict"
 const express = require('express');
-const { invalidate_cached_user } = require('../helpers');
+const { invalidate_cached_user, get_user } = require('../helpers');
 const router = new express.Router();
 const auth = require('../middleware/auth.js');
 const { DB_WRITE } = require('../services/database/consts');
@@ -51,8 +51,9 @@ router.post('/passwd', auth, express.json(), async (req, res, next)=>{
     }
 
     try{
+        const user = await get_user({ id: req.user.id, force: true });
         // check old_pass
-        const isMatch = await bcrypt.compare(req.body.old_pass, req.user.password)
+        const isMatch = await bcrypt.compare(req.body.old_pass, user.password)
         if(!isMatch)
             return res.status(400).send('old_pass does not match your current password.')
         // check new_pass length