Fix 8688ha84v

2025-01-24 06:50:22 +08:00 · 2024-05-17 22:55:40 -04:00 · 2024-05-17 22:55:40 -04:00 · 8cca067991
commit 8cca067991
parent 80b763c47c
3 changed files with 40 additions and 1 deletions
--- a/packages/backend/src/routers/_default.js
+++ b/packages/backend/src/routers/_default.js
@ -209,7 +209,7 @@ router.all('*', async function(req, res, next) {
                const {get_user} = require('../helpers')
                // get user
-                const user = await get_user({uuid: req.query.user_uuid})
+                const user = await get_user({uuid: req.query.user_uuid, force: true})
                // more validation
                if(user === undefined || user === null || user === false)
@ -220,6 +220,13 @@ router.all('*', async function(req, res, next) {
                    h += '<p style="text-align:center; color:red;">invalid token.</p>';
                // mark user as confirmed
                else{
                    // If other users have the same unconfirmed email, revoke it
                    await db.write(
                        'UPDATE `user` SET `unconfirmed_change_email` = NULL, `change_email_confirm_token` = NULL WHERE `unconfirmed_change_email` = ?',
                        [user.email],
                    );
                    // update user
                    await db.write(
                        "UPDATE `user` SET `email_confirmed` = 1, `requires_email_confirmation` = 0 WHERE id = ?",
                        [user.id]
--- a/packages/backend/src/routers/change_email.js
+++ b/packages/backend/src/routers/change_email.js
@ -53,6 +53,21 @@ const CHANGE_EMAIL_CONFIRM = eggspress('/change_email/confirm', {
        throw APIError.create('token_invalid');
    }
    // Scenario: email was confirmed on another account already
    const rows2 = await db.read(
        'SELECT `id` FROM `user` WHERE `email` = ?',
        [rows[0].unconfirmed_change_email]
    );
    if ( rows2.length > 0 ) {
        throw APIError.create('email_already_in_use');
    }
    // If other users have the same unconfirmed email, revoke it
    await db.write(
        'UPDATE `user` SET `unconfirmed_change_email` = NULL, `change_email_confirm_token` = NULL WHERE `unconfirmed_change_email` = ?',
        [rows[0].unconfirmed_change_email]
    );
    const new_email = rows[0].unconfirmed_change_email;
    await db.write(
--- a/packages/backend/src/routers/confirm-email.js
+++ b/packages/backend/src/routers/confirm-email.js
@ -22,6 +22,7 @@ const { invalidate_cached_user } = require('../helpers');
 const router = new express.Router();
 const auth = require('../middleware/auth.js');
 const { DB_WRITE } = require('../services/database/consts');
 const APIError = require('../api/APIError.js');
 // -----------------------------------------------------------------------//
 // POST /confirm-email
@ -48,6 +49,22 @@ router.post('/confirm-email', auth, express.json(), async (req, res, next)=>{
    // Set expiry for rate limit
    kv.expire(`confirm-email|${req.ip}|${req.body.email ?? req.body.username}`, 60 * 10, 'NX')
    // Scenario: email was confirmed on another account already
    const rows = await db.read(
        'SELECT `id` FROM `user` WHERE `email` = ? AND `email_confirmed` = 1',
        [req.body.email],
    );
    if ( rows.length > 0 ) {
        APIError.create('email_already_in_use').write(res);
        return;
    }
    // If other users have the same unconfirmed email, revoke it
    await db.write(
        'UPDATE `user` SET `unconfirmed_change_email` = NULL, `change_email_confirm_token` = NULL WHERE `unconfirmed_change_email` = ?',
        [req.user.email],
    );
    if(req.body.code === req.user.email_confirm_code) {
        await db.write(
            "UPDATE `user` SET `email_confirmed` = 1, `requires_email_confirmation` = 0 WHERE id = ? LIMIT 1",