From 6591cf877a72b9d689a2ab3ade52483fabbae8ad Mon Sep 17 00:00:00 2001
From: Oliver Boehlk
Date: Fri, 15 May 2020 23:00:23 +0200
Subject: [PATCH] require password for username change
---
 backend/index.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/backend/index.js b/backend/index.js
index f4047b6..abe8cde 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -294,9 +294,15 @@ app.get('/API/resourcelist', function (req, res) {
 });
 app.post("/API/user/setname", function (req, res) {
- let { email } = req.body;
+ let { email, password } = req.body;
 if (email) {
 if (DEBUG) return res.status(status.OK).send();
+ try {
+ if (!await validatePassword(req.user.email, passport))
+ return res.status(status.UNAUTHORIZED).send("wrong password supplied");
+ } catch (e) {
+ return res.status(status.INTERNAL_SERVER_ERROR).send(e);
+ }
 connection.query(`UPDATE user SET email = ${mysql.escape(email)} WHERE email = ${mysql.escape(req.user.email)}`, function (err, rows) {
 if (err) return res.status(status.INTERNAL_SERVER_ERROR).send("the username seems invalid or already taken - if you think this is an error contact the sys admin");
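Review bot: The new re-authentication check passes `passport` to `validatePassword`, not the `password` destructured from `req.body` a few lines earlier, so the password the client supplied is never the value being verified; `passport` is presumably the auth module imported elsewhere in the file, and `validatePassword` itself is not visible here. The call should read `if (!await validatePassword(req.user.email, password))`. The `await` also sits in a handler that the context line still declares as a plain `function (req, res)`, which is a syntax error unless the declaration becomes `app.post("/API/user/setname", async function (req, res) {`. In the catch branch, `.send(e)` returns the raw error object to the client; logging it server-side and sending an empty 500 body would avoid exposing internals. The handler's body continues past the end of the hunk.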