krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-18 07:07:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Squashed commit of the following:

Browse Source 
commit 22971a0c0bd1c25e147fdc9d662fd55ca522193b
Author: SabreCat <sabe@habitica.com>
Date:   Fri Aug 18 21:13:49 2023 -0500

    fix(auth): don't mix include/exclude

commit efbb8fa136587a4c781660246cb426968cfe108a
Author: SabreCat <sabe@habitica.com>
Date:   Fri Aug 18 20:51:30 2023 -0500

    refactor(auth): remove unneeded query field
This commit is contained in:
SabreCat
2023-08-22 12:24:16 -05:00
parent 9e0e2a83be
commit ba96cd6e24
1 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
website/server/middlewares/auth.js
View File

@@ -65,18 +65,22 @@ export function authWithHeaders (options = {}) {
return next(new NotAuthorized(res.t('missingAuthHeaders'))); return next(new NotAuthorized(res.t('missingAuthHeaders')));
} }
const userQuery = { const userQuery = { _id: userId };
_id: userId,
apiToken, let fields = getUserFields(options, req);
}; // If the request didn't include the API Token, retrieve it for validation
if (fields && fields.indexOf('apiToken') === -1 && fields.indexOf('-') === -1) {
fields = `${fields} apiToken`;
}
const fields = getUserFields(options, req);
const findPromise = fields ? User.findOne(userQuery).select(fields) : User.findOne(userQuery); const findPromise = fields ? User.findOne(userQuery).select(fields) : User.findOne(userQuery);
return findPromise return findPromise
.exec() .exec()
.then(user => { .then(user => {
if (!user) throw new NotAuthorized(res.t('invalidCredentials')); if (!user || apiToken !== user.apiToken) {
throw new NotAuthorized(res.t('invalidCredentials'));
}
if (user.auth.blocked) { if (user.auth.blocked) {
// We want the accountSuspended message to be translated but the language // We want the accountSuspended message to be translated but the language