feat(auth): check password when deleting account #175

2024-09-13 12:02:06 +02:00
parent 6a656b15f0
commit 6c1edcd0a8
2 changed files with 43 additions and 13 deletions
--- a/service/auth.go
+++ b/service/auth.go
@@ -328,7 +328,31 @@ func HandleDeleteAccountComp(db *sql.DB) http.HandlerFunc {
 			return
 		}

-		_, err := db.Exec("DELETE FROM workout WHERE user_id = ?", user.Id)
+		password := r.FormValue("password")
+		if password == "" {
+			utils.TriggerToast(w, r, "error", "Password is required")
+			return
+		}
+
+		var (
+			storedHash []byte
+			salt       []byte
+		)
+
+		err := db.QueryRow("SELECT password, salt FROM user WHERE user_uuid = ?", user.Id).Scan(&storedHash, &salt)
+		if err != nil {
+			utils.LogError("Could not get password", err)
+			utils.TriggerToast(w, r, "error", "Internal Server Error")
+			return
+		}
+
+		currHash := getHashPassword(password, salt)
+		if subtle.ConstantTimeCompare(currHash, storedHash) == 0 {
+			utils.TriggerToast(w, r, "error", "Password is not correct")
+			return
+		}
+
+		_, err = db.Exec("DELETE FROM workout WHERE user_id = ?", user.Id)
 		if err != nil {
 			utils.LogError("Could not delete workouts", err)
 			utils.TriggerToast(w, r, "error", "Internal Server Error")