Fix false-positive password recovery response

BlackSenPig · Apr 21, 2024 · 5c1e6ab · 5c1e6ab
1 parent f5f75db
commit 5c1e6ab
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/packages/backend/src/routers/set-pass-using-token.js b/packages/backend/src/routers/set-pass-using-token.js
@@ -53,10 +53,15 @@ router.post('/set-pass-using-token', express.json(), async (req, res, next)=>{
         return res.status(400).send(`Password must be at least ${config.min_pass_length} characters long.`)
 
     try{
-        await db.write(
+        const info = await db.write(
             'UPDATE user SET password=?, pass_recovery_token=NULL WHERE `uuid` = ? AND pass_recovery_token = ?',
             [await bcrypt.hash(req.body.password, 8), req.body.user_id, req.body.token]
         );
+
+        if ( ! info?.anyRowsAffected ) {
+            return res.status(400).send('Invalid token or user_id.');
+        }
+
         invalidate_cached_user_by_id(req.body.user_id);
 
         return res.send('Password successfully updated.')