Ask for password before resetting settings

2025-06-05 21:59:27 +02:00 · 2024-04-10 22:34:51 +03:00
parent 2306a4e34d
commit 01a4aa51f7
5 changed files with 27 additions and 2 deletions
--- a/public/scripts/login.js
+++ b/public/scripts/login.js
@@ -263,4 +263,13 @@ function configureDiscreetLogin() {
    }
    document.getElementById('shadow_popup').style.opacity = '';
    $('#cancelRecovery').on('click', onCancelRecoveryClick);
+    $(document).on('keydown', (evt) => {
+        if (evt.key === 'Enter' && document.activeElement.tagName === 'INPUT') {
+            if ($('#passwordRecoveryBlock').is(':visible')) {
+                $('#sendRecovery').trigger('click');
+            } else {
+                $('#loginButton').trigger('click');
+            }
+        }
+    });
 })();
--- a/public/scripts/templates/resetSettings.html
+++ b/public/scripts/templates/resetSettings.html
@@ -5,4 +5,9 @@
    <div data-i18n="Don't forget to save a snapshot of your settings before proceeding.">
        Don't forget to save a snapshot of your settings before proceeding.
    </div>
+    <hr>
+    <div>
+        Enter your password below to confirm:
+    </div>
+    <input id="resetSettingsPassword" name="password" type="password" class="text_pole" placeholder="Password">
 </div>
--- a/public/scripts/user.js
+++ b/public/scripts/user.js
@@ -364,7 +364,11 @@ async function deleteUser(handle, callback) {
 */
 async function resetSettings(handle, callback) {
    try {
+        let password = '';
        const template = $(renderTemplate('resetSettings'));
+        template.find('input[name="password"]').on('input', function () {
+            password = String($(this).val());
+        });
        const result = await callGenericPopup(template, POPUP_TYPE.CONFIRM, '', { okButton: 'Reset', cancelButton: 'Cancel', wide: false, large: false });

        if (result !== POPUP_RESULT.AFFIRMATIVE) {
@@ -374,7 +378,7 @@ async function resetSettings(handle, callback) {
        const response = await fetch('/api/users/reset-settings', {
            method: 'POST',
            headers: getRequestHeaders(),
-            body: JSON.stringify({ handle }),
+            body: JSON.stringify({ handle, password }),
        });

        if (!response.ok) {
--- a/src/endpoints/users-admin.js
+++ b/src/endpoints/users-admin.js
@@ -157,7 +157,7 @@ router.post('/create', requireAdminMiddleware, jsonParser, async (request, respo
        }

        const handles = await getAllUserHandles();
-        const handle = slugify(request.body.handle, { lower: true, trim: true, remove: /[^a-z0-9-]/g });
+        const handle = slugify(String(request.body.handle).toLowerCase(), { lower: true, trim: true, remove: /[^a-z0-9-]/g });

        if (!handle) {
            console.log('Create user failed: Invalid handle');
--- a/src/endpoints/users-private.js
+++ b/src/endpoints/users-private.js
@@ -117,6 +117,13 @@ router.post('/backup', jsonParser, async (request, response) => {

 router.post('/reset-settings', jsonParser, async (request, response) => {
    try {
+        const password = request.body.password;
+
+        if (request.user.profile.password && request.user.profile.password !== getPasswordHash(password, request.user.profile.salt)) {
+            console.log('Reset settings failed: Incorrect password');
+            return response.status(401).json({ error: 'Incorrect password' });
+        }
+
        const pathToFile = path.join(request.user.directories.root, SETTINGS_FILE);
        await fsPromises.rm(pathToFile, { force: true });
        await contentManager.checkForNewContent([request.user.directories], [contentManager.CONTENT_TYPES.SETTINGS]);