account switch – extra protection for editor

2025-09-25 05:54:25 -04:00 · 2023-07-10 20:17:41 +02:00 · 2023-07-10 20:17:41 +02:00 · 73ab63447b
commit 73ab63447b
parent 04ed4aaebb
2 changed files with 6 additions and 0 deletions
--- a/routes/profileEditor.vue
+++ b/routes/profileEditor.vue
@ -452,6 +452,8 @@
                this.saving = true;
                try {
                    await this.$post(`/profile/save`, {
+                        username: this.$user().username,
+
                        opinions: this.opinions,
                        names: this.names,
                        pronouns: this.pronouns,
--- a/server/routes/profile.js
+++ b/server/routes/profile.js
@ -526,6 +526,10 @@ router.post('/profile/save', handleErrorAsync(async (req, res) => {
        return res.status(401).json({error: 'Unauthorised'});
    }

+    if (req.body.username && req.user.username !== req.body.username) {
+        return res.status(401).json({error: 'Payload username does not match the token'});
+    }
+
    if (!Array.isArray(req.body.names)) {
        // service worker cache sends v1 requests
        req.body = upgradeToV2(req.body);