From 5c671661d4ec0b54ee0d7e5ccd4dcc4aff42d079 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor@ccxvii.net>
Date: Sat, 3 May 2025 11:53:07 +0200
Subject: Require password to change name and mail.

---
 server.js             | 33 +++++++++++++++++++++++----------
 views/change_mail.pug |  4 ++++
 views/change_name.pug |  4 ++++
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/server.js b/server.js
index fc812b9..8067d84 100644
--- a/server.js
+++ b/server.js
@@ -338,6 +338,12 @@ function format_minutes(mins) {
 	return mins + " minutes"
 }
 
+function is_valid_password(password) {
+	if (password.length < 4 || password.length > 100)
+		return false
+	return true
+}
+
 function is_valid_email(email) {
 	return REGEX_MAIL.test(email)
 }
@@ -370,6 +376,14 @@ function hash_password(password, salt) {
 	return hash.digest("hex")
 }
 
+function verify_password(user, password) {
+	var user_login = SQL_SELECT_LOGIN.get(user.user_id)
+	var hash  = hash_password(password, user_login.salt)
+	if (hash !== user_login.password)
+		return false
+	return true
+}
+
 /*
  * ALTCHA ANTI-BOT SIGNUP
  */
@@ -657,10 +671,8 @@ app.post("/account/reset-password", must_pass_altcha, function (req, res) {
 	let user = SQL_SELECT_LOGIN_BY_MAIL.get(mail)
 	if (!user)
 		return err("User not found.")
-	if (password.length < 4)
-		return err("Password is too short!")
-	if (password.length > 100)
-		return err("Password is too long!")
+	if (!is_valid_password(password))
+		return err("New password is invalid!")
 	if (!SQL_VERIFY_TOKEN.get(user.user_id, token))
 		return err("Invalid or expired token!")
 	let salt = crypto.randomBytes(32).toString("hex")
@@ -680,12 +692,9 @@ app.post("/account/change-password", must_be_logged_in, function (req, res) {
 	let newpass = req.body.newpass
 	// Get full user record including password and salt
 	let user = SQL_SELECT_LOGIN.get(req.user.user_id)
-	if (newpass.length < 4)
-		return res.render("change_password.pug", { flash: "Password is too short!" })
-	if (newpass.length > 100)
-		return res.render("change_password.pug", { flash: "Password is too long!" })
-	let oldhash = hash_password(oldpass, user.salt)
-	if (oldhash !== user.password)
+	if (!is_valid_password(newpass))
+		return res.render("change_password.pug", { flash: "New password is invalid!" })
+	if (!verify_password(req.user, oldpass))
 		return res.render("change_password.pug", { flash: "Wrong password!" })
 	let salt = crypto.randomBytes(32).toString("hex")
 	let hash = hash_password(newpass, salt)
@@ -792,6 +801,8 @@ app.post("/account/change-name", must_be_logged_in, function (req, res) {
 		return res.render("change_name.pug", { flash: "Invalid user name!" })
 	if (SQL_EXISTS_USER_NAME.get(newname))
 		return res.render("change_name.pug", { flash: "That name is already taken!" })
+	if (!verify_password(req.user, req.body.password))
+		return res.render("change_name.pug", { flash: "Wrong password!" })
 	SQL_UPDATE_USER_NAME.run(newname, req.user.user_id)
 	return res.redirect("/profile")
 })
@@ -806,6 +817,8 @@ app.post("/account/change-mail", must_be_logged_in, function (req, res) {
 		return res.render("change_mail.pug", { flash: "Invalid mail address!" })
 	if (SQL_EXISTS_USER_MAIL.get(newmail))
 		return res.render("change_mail.pug", { flash: "That mail address is already taken!" })
+	if (!verify_password(req.user, req.body.password))
+		return res.render("change_mail.pug", { flash: "Wrong password!" })
 	SQL_UPDATE_USER_MAIL.run(newmail, req.user.user_id)
 	SQL_UPDATE_USER_VERIFIED.run(0, req.user.user_id)
 	SQL_UPDATE_USER_NOTIFY.run(0, req.user.user_id)
diff --git a/views/change_mail.pug b/views/change_mail.pug
index 270d656..4d0605a 100644
--- a/views/change_mail.pug
+++ b/views/change_mail.pug
@@ -18,5 +18,9 @@ html
 					label New mail address:
 						br
 						input(type="text" name="newmail" required)
+				p
+					label Password:
+						br
+						input(type="password" name="password" required)
 				p
 					button(type="submit") Change mail
diff --git a/views/change_name.pug b/views/change_name.pug
index bcb1afa..b1845ab 100644
--- a/views/change_name.pug
+++ b/views/change_name.pug
@@ -18,5 +18,9 @@ html
 					label New name:
 						br
 						input(type="text" name="newname" required)
+				p
+					label Password:
+						br
+						input(type="password" name="password" required)
 				p
 					button(type="submit") Change name
-- 
cgit v1.2.3