refactor(auth): remove unneeded query field

HabitRPG · Aug 19, 2023 · efbb8fa · efbb8fa
1 parent 2803db7
commit efbb8fa
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js
@@ -65,18 +65,21 @@ export function authWithHeaders (options = {}) {
       return next(new NotAuthorized(res.t('missingAuthHeaders')));
     }
 
-    const userQuery = {
-      _id: userId,
-      apiToken,
-    };
+    const userQuery = { _id: userId };
+
+    let fields = getUserFields(options, req);
+    if (fields && fields.indexOf('apiToken') === -1) {
+      fields = `${fields} apiToken`;
+    }
 
-    const fields = getUserFields(options, req);
     const findPromise = fields ? User.findOne(userQuery).select(fields) : User.findOne(userQuery);
 
     return findPromise
       .exec()
       .then(user => {
-        if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
+        if (!user || apiToken !== user.apiToken) {
+          throw new NotAuthorized(res.t('invalidCredentials'));
+        }
 
         if (user.auth.blocked) {
           // We want the accountSuspended message to be translated but the language