From 38ee2a5949cb2b859bb8ff682f29154ad4e9496b Mon Sep 17 00:00:00 2001
From: John Bostick
Date: Sun, 5 Jan 2025 22:43:41 -0500
Subject: [PATCH 1/3] fix: check email validity when linking existing PNID

This commit adds a check after the username/password check to ensure the submitted email matches the user's email.

Fixes: #28
---
 src/middleware/pnid.ts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/middleware/pnid.ts b/src/middleware/pnid.ts
index cb9776e..80846bc 100644
--- a/src/middleware/pnid.ts
+++ b/src/middleware/pnid.ts
@@ -53,6 +53,19 @@ async function PNIDMiddleware(request: express.Request, response: express.Respon
 return;
 }
 
+ if (pnid.email.address !== email) {
+ response.status(401).send(xmlbuilder.create({
+ errors: {
+ error: {
+ code: '1105',
+ message: 'Email address, username, or password, is not valid'
+ }
+ }
+ }).end());
+
+ return;
+ }
+
 if (pnid.deleted) {
 response.status(400).send(xmlbuilder.create({
 errors: {
@@ -84,4 +97,4 @@ async function PNIDMiddleware(request: express.Request, response: express.Respon
 return next();
 }
 
-export default PNIDMiddleware;
\ No newline at end of file
+export default PNIDMiddleware;
From ef9a01b3c164aaeb4b124565059666f8522eb102 Mon Sep 17 00:00:00 2001
From: John Bostick
Date: Mon, 6 Jan 2025 13:12:12 -0500
Subject: [PATCH 2/3] fix: include email header

this didn't make it into the original commit somehow
---
 src/middleware/pnid.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/middleware/pnid.ts b/src/middleware/pnid.ts
index 80846bc..a34ac29 100644
--- a/src/middleware/pnid.ts
+++ b/src/middleware/pnid.ts
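Review bot: The new 401 branch in the first hunk of PATCH 1/3 only avoids leaking information if the credential-failure branch above it (outside the hunk) returns the same status and the same 1105 body. If those responses differ, a client can tell "correct password, wrong email" from "wrong password", so please confirm they are identical. Separately, `pnid.email.address !== email` is an exact comparison, so a difference in letter case or surrounding whitespace between the stored and submitted address is rejected; worth checking how addresses are stored. A short comment above the condition, e.g. `// submitted email must match the account's email before the PNID is accepted (#28)`, would record the intent. PNIDMiddleware begins and ends outside the hunk.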
@@ -6,6 +6,7 @@ import { HydratedPNIDDocument } from '@/types/mongoose/pnid';
 
 async function PNIDMiddleware(request: express.Request, response: express.Response, next: express.NextFunction): Promise {
 const authHeader = getValueFromHeaders(request.headers, 'authorization');
+ const email = getValueFromHeaders(request.headers, 'x-nintendo-email');
 
 if (!authHeader || !(authHeader.startsWith('Bearer') || authHeader.startsWith('Basic'))) {
 return next();
From c226f516a4cb39cf9611a5b0afd84ea00499c415 Mon Sep 17 00:00:00 2001
From: John Bostick
Date: Mon, 6 Jan 2025 15:40:19 -0500
Subject: [PATCH 3/3] fix: account for scenarios where middleware is used outside of signup

middleware is used outside of initial link, so skip checking email if email header is not set
---
 src/middleware/pnid.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/middleware/pnid.ts b/src/middleware/pnid.ts
index a34ac29..63b8554 100644
--- a/src/middleware/pnid.ts
+++ b/src/middleware/pnid.ts
@@ -54,7 +54,7 @@ async function PNIDMiddleware(request: express.Request, response: express.Respon
 return;
 }
 
- if (pnid.email.address !== email) {
+ if (email != undefined && pnid.email.address !== email) {
 response.status(401).send(xmlbuilder.create({
 errors: {
 error: {
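Review bot: The guard `email != undefined && pnid.email.address !== email` in PATCH 3/3 makes the email check opt-in for the client: a request that omits `x-nintendo-email` is accepted on username and password alone. That is the gap PATCH 1/3 set out to close, unless the linking route separately requires the header, which is not visible here. Consider enforcing header presence where the initial link is handled and rejecting a missing header there with the same 1105 error, while the shared middleware stays lenient for other routes. A comment on the condition such as `// header is only sent during the initial PNID link; other callers omit it` would record why an absent header is accepted. The enclosing function starts and ends outside the hunk.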