diff --git a/Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs b/Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs
index fc4c292b..0b8e7bde 100644
--- a/Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs
+++ b/Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs
@@ -86,6 +86,13 @@ public class DiscordOAuth2Provider : OAuth2Provider
 var email = getData.GetValue("email");
 var id = getData.GetValue("id");
+ var verified = getData.GetValue("verified");
+
+ if (!verified)
+ {
+ Logger.Warn("A user tried to use an unverified discord account to login", "security");
+ throw new DisplayException("You can only use verified discord accounts for oauth signin");
+ }
 // Handle data
diff --git a/Moonlight/Shared/Views/Profile/Index.razor b/Moonlight/Shared/Views/Profile/Index.razor
index bf1aa79b..3c389990 100644
--- a/Moonlight/Shared/Views/Profile/Index.razor
+++ b/Moonlight/Shared/Views/Profile/Index.razor
@@ -5,6 +5,8 @@
 @using Moonlight.App.Models.Forms
 @using Moonlight.App.Repositories
 @using Mappy.Net
+@using Moonlight.App.Exceptions
+@using Moonlight.App.Helpers
 @inject UserRepository UserRepository
@@ -89,10 +91,21 @@
 private Task Save()
 {
+ // Prevent users from locking out other users by changing their email
+
+ Model.Email = Model.Email.ToLower();
+ var userWithThatEmail = UserRepository
+ .Get()
+ .FirstOrDefault(x => x.Email == Model.Email);
+
+ if (userWithThatEmail != null && CurrentUser.Id != userWithThatEmail.Id)
+ {
+ Logger.Warn($"A user tried to lock another user out by changing the email. Email: {Model.Email}", "security");
+ throw new DisplayException("A user with that email does already exist");
+ }
+
 CurrentUser = Mapper.Map(CurrentUser, Model);
- CurrentUser.Email = CurrentUser.Email.ToLower();
-
 UserRepository.Update(CurrentUser);
 return Task.CompletedTask;
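Review bot: The `if (!verified)` guard added after `var id` does not fail closed when the `verified` field is missing or is not a boolean: Discord includes that field only when the email scope was granted, and a missing key makes `getData.GetValue("verified")` yield null, so depending on what `GetValue` returns here the result is a runtime binder/conversion error rather than a rejection. Write the guard so that anything other than an explicit true is treated as unverified, e.g. `if (verified is null || !(bool)verified)`, and consider adding the Discord `id` to the `Logger.Warn` message so the security log can be correlated with the account. The enclosing method starts and ends outside the hunk.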
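Review bot: `Model.Email = Model.Email.ToLower();` at the top of Save is culture-sensitive, so the normalised value (and therefore the duplicate check against stored emails) depends on the server's current culture; use `Model.Email = Model.Email.ToLowerInvariant();` and apply the same normalisation wherever emails are written. The check-then-update sequence is also not atomic: two concurrent saves can both pass `FirstOrDefault` before either `UserRepository.Update` runs, so this lookup should be backed by a unique constraint on the email column rather than relied on alone. Whether `x.Email == Model.Email` matches existing rows depends on those rows having been lowercased when written, which the removed `CurrentUser.Email.ToLower()` line suggests for this path but does not guarantee for users created elsewhere. Save's closing brace is outside the hunk.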