|
@@ -22,6 +22,7 @@ const { invalidate_cached_user } = require('../helpers');
|
|
|
const router = new express.Router();
|
|
|
const auth = require('../middleware/auth.js');
|
|
|
const { DB_WRITE } = require('../services/database/consts');
|
|
|
+const APIError = require('../api/APIError.js');
|
|
|
|
|
|
// -----------------------------------------------------------------------//
|
|
|
// POST /confirm-email
|
|
@@ -48,6 +49,22 @@ router.post('/confirm-email', auth, express.json(), async (req, res, next)=>{
|
|
|
// Set expiry for rate limit
|
|
|
kv.expire(`confirm-email|${req.ip}|${req.body.email ?? req.body.username}`, 60 * 10, 'NX')
|
|
|
|
|
|
+ // Scenario: email was confirmed on another account already
|
|
|
+ const rows = await db.read(
|
|
|
+ 'SELECT `id` FROM `user` WHERE `email` = ? AND `email_confirmed` = 1',
|
|
|
+ [req.body.email],
|
|
|
+ );
|
|
|
+ if ( rows.length > 0 ) {
|
|
|
+ APIError.create('email_already_in_use').write(res);
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ // If other users have the same unconfirmed email, revoke it
|
|
|
+ await db.write(
|
|
|
+ 'UPDATE `user` SET `unconfirmed_change_email` = NULL, `change_email_confirm_token` = NULL WHERE `unconfirmed_change_email` = ?',
|
|
|
+ [req.user.email],
|
|
|
+ );
|
|
|
+
|
|
|
if(req.body.code === req.user.email_confirm_code) {
|
|
|
await db.write(
|
|
|
"UPDATE `user` SET `email_confirmed` = 1, `requires_email_confirmation` = 0 WHERE id = ? LIMIT 1",
|
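Review bot: The added "already confirmed on another account" lookup binds `[req.body.email]`, but the address this handler actually confirms is the one on `req.user` (the revoke query binds `req.user.email` and the code is compared with `req.user.email_confirm_code`), so a request that omits `email` or sends a different value skips the check; bind `[req.user.email]` in the SELECT instead. The revoking `UPDATE` also runs before `req.body.code` is compared, so an authenticated caller whose own address is still unverified can clear other accounts' `unconfirmed_change_email` and `change_email_confirm_token` with a wrong code; move that `db.write` inside the `if(req.body.code === req.user.email_confirm_code)` branch. The lookup and the later `email_confirmed = 1` update are not atomic, so unless a uniqueness constraint exists outside this hunk, two concurrent confirmations of the same address could both pass. The route handler starts and ends outside the hunk.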