From ee136f4168d74d0de4b8f2ec6490cd4dd7ada614 Mon Sep 17 00:00:00 2001 From: KernelDeimos Date: Thu, 23 Jan 2025 11:03:21 -0500 Subject: [PATCH] dev: add extra safeguards for system user --- src/backend/src/routers/login.js | 7 +++++++ .../src/routers/send-pass-recovery-email.js | 14 ++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/src/backend/src/routers/login.js b/src/backend/src/routers/login.js index 7686d69f8..f46360349 100644 --- a/src/backend/src/routers/login.js +++ b/src/backend/src/routers/login.js @@ -108,6 +108,13 @@ router.post('/login', express.json(), body_parser_error_handler, async (req, res if(!user) return res.status(400).send('Email not found.') } + if (user.username === 'system' && config.allow_system_login !== true) { + return res.status(400).send( + req.body.username + ? 'Username not found.' + : 'Email not found.' + ) + } // is user suspended? if(user.suspended) return res.status(401).send('This account is suspended.') diff --git a/src/backend/src/routers/send-pass-recovery-email.js b/src/backend/src/routers/send-pass-recovery-email.js index c2d3e1cd6..bd5112026 100644 --- a/src/backend/src/routers/send-pass-recovery-email.js +++ b/src/backend/src/routers/send-pass-recovery-email.js @@ -74,10 +74,24 @@ router.post('/send-pass-recovery-email', express.json(), body_parser_error_handl return res.status(400).send('Email not found.') } + if ( user.username === 'system' && config.allow_system_login !== true ) { + return res.status(400).send( + req.body.username + ? 'Username not found.' + : 'Email not found.' + ) + } + // check if user is suspended if(user.suspended){ return res.status(401).send('Account suspended'); } + + // check if user even has an email for recovery + if( ! user.email ) { + return res.status(422).send('No email associated with this account.'); + } + // set pass_recovery_token const { v4: uuidv4 } = require('uuid'); const nodemailer = require("nodemailer");