From efbb8fa136587a4c781660246cb426968cfe108a Mon Sep 17 00:00:00 2001
From: SabreCat
Date: Fri, 18 Aug 2023 20:51:30 -0500
Subject: [PATCH] refactor(auth): remove unneeded query field

---
 website/server/middlewares/auth.js | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js
index cf7804cf208..918ed1deeab 100644
--- a/website/server/middlewares/auth.js
+++ b/website/server/middlewares/auth.js
@@ -65,18 +65,21 @@ export function authWithHeaders (options = {}) {
     return next(new NotAuthorized(res.t('missingAuthHeaders')));
   }
 
-  const userQuery = {
-    _id: userId,
-    apiToken,
-  };
+  const userQuery = { _id: userId };
+
+  let fields = getUserFields(options, req);
+  if (fields && fields.indexOf('apiToken') === -1) {
+    fields = `${fields} apiToken`;
+  }
 
-  const fields = getUserFields(options, req);
   const findPromise = fields ? User.findOne(userQuery).select(fields) : User.findOne(userQuery);
 
   return findPromise
     .exec()
     .then(user => {
-      if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
+      if (!user || apiToken !== user.apiToken) {
+        throw new NotAuthorized(res.t('invalidCredentials'));
+      }
 
       if (user.auth.blocked) {
         // We want the accountSuspended message to be translated but the language
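Review bot: The new credential check at `if (!user || apiToken !== user.apiToken)` compares the secret with a plain `!==`, which stops at the first differing byte; now that the token match happens in application code rather than inside the database query, it should use `timingSafeEqual` from `crypto` on equal-length buffers (the import belongs at the top of the file, outside this hunk). The rewrite below keeps the `!user` rejection first so `user.apiToken` is never read on a missing user, and normalises both sides to strings so a missing stored token cannot throw inside the comparison. Separately, `fields = \`${fields} apiToken\`` assumes getUserFields returns a space-separated inclusion string; if it can return an exclusion projection (`-foo`) or an array, appending would misbehave, so a short comment stating that assumption, e.g. `// fields is a space-separated inclusion list; apiToken must be loaded for the check below`, would help. authWithHeaders begins and ends outside this hunk.

```javascript
    .then(user => {
      if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
      // Constant-time compare so the rejection does not leak how much of the token matched.
      const provided = Buffer.from(String(apiToken));
      const expected = Buffer.from(String(user.apiToken ?? ''));
      if (provided.length !== expected.length || !timingSafeEqual(provided, expected)) {
        throw new NotAuthorized(res.t('invalidCredentials'));
      }
      // … unchanged: blocked-account handling …
```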