From 2f8ebca52737ae60c73ba83ccc5035a2093ee634 Mon Sep 17 00:00:00 2001
From: Tnix
Date: Tue, 10 Sep 2024 01:21:33 +1200
Subject: [PATCH] make sure an email address cannot be used more than once
---
 rest_api/v0/me.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rest_api/v0/me.py b/rest_api/v0/me.py
index 118ed49..ae78be9 100644
--- a/rest_api/v0/me.py
+++ b/rest_api/v0/me.py
@@ -228,7 +228,11 @@ async def update_email(data: UpdateEmailBody):
 if not security.check_password_hash(data.password, account["pswd"]):
 security.ratelimit(f"login:u:{request.user}", 5, 60)
 return {"error": True, "type": "invalidCredentials"}, 401
-
+
+ # Make sure the email address hasn't been used before
+ if db.usersv0.count_documents({"normalized_email_hash": security.get_normalized_email_hash(data.email)}, limit=1):
+ return {"error": True, "type": "emailExists"}, 409
+
 # Ratelimit
 security.ratelimit(f"emailch:{request.user}", 3, 2700)
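Review bot: The new `emailExists` return sits above `security.ratelimit(f"emailch:{request.user}", 3, 2700)`, so a request naming an already-registered address gets its 409 without consuming the email-change bucket, and the 409 itself tells the caller that the address belongs to some account. Whether an earlier rate-limit check in update_email still bounds these requests is not visible, since the function starts and ends outside the hunk; if it does not, move the `# Ratelimit` call above the `count_documents` check so every lookup is charged. Separately, this is a check-then-act test: two concurrent requests for the same address can both pass it, so uniqueness presumably still needs a unique index on `normalized_email_hash` or a re-check at the point where the address is finally written. A short comment on the check, such as `# Best-effort pre-check; uniqueness must be enforced again at write time`, would record that for the next reader.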