PapaTutuWawa/etesync-server
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Change password: change to require a signed request, just like login.

Browse Source 
Without this, it would be sufficient to steal an auth token to render the account
unusable because it would be possible to just reset the encrypted content
of the account. With this change we require the user to actually know
the account password in order to do it.
This commit is contained in:
Tom Hacohen
2020-06-17 14:38:02 +03:00
parent 54268ac027
commit ab0d85c84f
2 changed files with 71 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
django_etebase/serializers.py
View File

@@ -425,7 +425,7 @@ class AuthenticationLoginInnerSerializer(AuthenticationLoginChallengeSerializer)
raise NotImplementedError()
class AuthenticationChangePasswordSerializer(serializers.ModelSerializer):
class AuthenticationChangePasswordInnerSerializer(AuthenticationLoginInnerSerializer):
loginPubkey = BinaryBase64Field()
encryptedContent = BinaryBase64Field()