From 389ded9b779a84c0c97371581f67e0ff0d4af57f Mon Sep 17 00:00:00 2001
From: Marcel Baumgartner
Date: Sat, 24 Jun 2023 22:15:04 +0200
Subject: [PATCH 1/2] Fixed oauth2 account spoofing using unverified discord accounts for claiming identity
---
 Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs b/Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs
index fc4c292b..0b8e7bde 100644
--- a/Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs
+++ b/Moonlight/App/OAuth2/Providers/DiscordOAuth2Provider.cs
@@ -86,6 +86,13 @@ public class DiscordOAuth2Provider : OAuth2Provider
 var email = getData.GetValue("email");
 var id = getData.GetValue("id");
+ var verified = getData.GetValue("verified");
+
+ if (!verified)
+ {
+ Logger.Warn("A user tried to use an unverified discord account to login", "security");
+ throw new DisplayException("You can only use verified discord accounts for oauth signin");
+ }
 // Handle data
From f9f5865ef950a86b7dbc1cff845b586f32be96a6 Mon Sep 17 00:00:00 2001
From: Marcel Baumgartner
Date: Sat, 24 Jun 2023 22:35:38 +0200
Subject: [PATCH 2/2] Prevent user locking when duplicating the email entries
---
 Moonlight/Shared/Views/Profile/Index.razor | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/Moonlight/Shared/Views/Profile/Index.razor b/Moonlight/Shared/Views/Profile/Index.razor
index b9e80da8..1b49bba4 100644
--- a/Moonlight/Shared/Views/Profile/Index.razor
+++ b/Moonlight/Shared/Views/Profile/Index.razor
@@ -5,6 +5,8 @@
 @using Moonlight.App.Models.Forms
 @using Moonlight.App.Repositories
 @using Mappy.Net
+@using Moonlight.App.Exceptions
+@using Moonlight.App.Helpers
 @inject UserRepository UserRepository
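Review bot: The new guard `if (!verified)` in DiscordOAuth2Provider does not cover the field being absent: per Discord's API docs the `verified` key is only present in the `/users/@me` response when the `email` scope was granted, so when it is missing `getData.GetValue("verified")` presumably yields null and `!verified` either throws a binder/cast error or, depending on what `GetValue` returns, never reaches the `DisplayException` — the check should fail closed by treating anything other than an explicit `true` as unverified, e.g. `if (verified is not bool isVerified || !isVerified)` (exact form depends on the return type of `GetValue`, which is outside the hunk). The security log line would also be far easier to correlate if it carried the Discord account id that is already in scope: `Logger.Warn($"A user tried to use an unverified discord account to login. Discord id: {id}", "security");`. The enclosing method starts and ends outside the hunk.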
@@ -89,10 +91,21 @@ private Task Save()
 {
+ // Prevent users from locking out other users by changing their email
+
+ Model.Email = Model.Email.ToLower();
+ var userWithThatEmail = UserRepository
+ .Get()
+ .FirstOrDefault(x => x.Email == Model.Email);
+
+ if (userWithThatEmail != null && CurrentUser.Id != userWithThatEmail.Id)
+ {
+ Logger.Warn($"A user tried to lock another user out by changing the email. Email: {Model.Email}", "security");
+ throw new DisplayException("A user with that email does already exist");
+ }
+
 CurrentUser = Mapper.Map(CurrentUser, Model);
- CurrentUser.Email = CurrentUser.Email.ToLower();
-
 UserRepository.Update(CurrentUser);
 return Task.CompletedTask;
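Review bot: The duplicate check at `var userWithThatEmail = UserRepository.Get().FirstOrDefault(...)` and the later `UserRepository.Update(CurrentUser)` are not atomic, so two concurrent saves (or a save racing a registration) can both pass the check and still end up with two accounts sharing an email; the check narrows the window, but only a unique index on the email column, with the resulting constraint violation surfaced as the same `DisplayException`, actually closes it. The normalization `Model.Email = Model.Email.ToLower();` is culture-sensitive (Turkish dotless-I) and does not trim whitespace, so `Model.Email = Model.Email.Trim().ToLowerInvariant();` is the safer form; if `Model.Email` can be null here it will also throw before the check runs, and I cannot see the form validation from this hunk. The security log line would be more actionable if it named the acting account too: `Logger.Warn($"User {CurrentUser.Id} tried to lock another user out by changing the email. Email: {Model.Email}", "security");`. Whether `UserRepository.Get()` returns an `IQueryable` (comparison evaluated under the database collation) or materializes every user is not visible here, and the end of `Save()` lies outside the hunk.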