#28: Check email validity when linking existing PNID #130
base: dev
This commit adds a check after the username/password check to ensure the submitted email matches the user's email. Fixes: PretendoNetwork#28
this didn't make it into the original commit somehow
middleware is used outside of initial link, so skip checking email if email header is not set
So sorry for the late review, I didn't see this until now. I think this should be fine, @DaniElectra look good to you?
@jonbarrow I completely forgot about this. Maybe I should start doing more with pretendo...
| return; | ||
| } | ||
|
|
||
| if (email != undefined && pnid.email.address !== email) { |
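Review bot: on the added `if (email != undefined && pnid.email.address !== email)` line, the `email != undefined` guard makes the comparison conditional on the caller having supplied an email, so a request without one passes this branch unchecked. If the link flow is meant to always verify the address, enforce it at the point where the email is mandatory and reject when it is absent rather than skipping. Also, `pnid.email.address !== email` is an exact string comparison; decide whether differences in case or surrounding whitespace should fail, and normalize both sides if not.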
This can be bypassed with a custom client if it doesn't add the x-nintendo-email header. I'd move this code to where the linking takes place
If my memory serves, there are many times where this route is called but an email is never specified (I believe in eShop login and Wii U logins). So the purpose of this is less to improve security (which was fine because a username/password combination is still required) and more to restore proper functionality where expected (when email+username login is used).
I'm fairly certain Dani means to move it from middleware to the route handler itself. Which, in hindsight, I agree with
Resolves: #28
Changes:
This commit adds a check after the username/password check to ensure the submitted email matches the user's email.
The error code (022-2613 / 1105 in source code) is correct for any case where username/password/email are incorrect according to Nintendo.
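The difference the review thread discusses, between an optional check in shared middleware and a mandatory check in the link route handler, shown as an added example that is not part of this PR or the project's code. The function names, the sample PNID record and the sample requests are hypothetical; only the `x-nintendo-email` header, `pnid.email.address` and error code 1105 come from the page.

```javascript
// Added illustration. Function names and the sample record are hypothetical;
// only x-nintendo-email, pnid.email.address and code 1105 come from the PR.
const INVALID_CREDENTIALS = 1105;

// Constructed account; the username/password check is assumed to have passed.
const samplePnid = { username: 'example_user', email: { address: 'user@example.test' } };

// Shared middleware: also runs on routes that never send an email, so the
// comparison only happens when the header is present.
function middlewareEmailCheck(headers, pnid) {
  const email = headers['x-nintendo-email'];
  if (email !== undefined && pnid.email.address !== email) {
    return { ok: false, code: INVALID_CREDENTIALS };
  }
  return { ok: true, code: null };
}

// Link route handler: the email is a required credential here, so a missing
// header is rejected exactly like a wrong one.
function linkHandlerEmailCheck(headers, pnid) {
  const email = headers['x-nintendo-email'];
  if (typeof email !== 'string' || pnid.email.address !== email) {
    return { ok: false, code: INVALID_CREDENTIALS };
  }
  return { ok: true, code: null };
}

// Constructed requests (header names lowercased, as Node's HTTP parser does).
const sampleRequests = {
  matching: { 'x-nintendo-email': 'user@example.test' },
  wrong: { 'x-nintendo-email': 'other@example.test' },
  missing: {},
};

// Run both checks over every sample request and collect the outcomes.
function compareChecks(pnid = samplePnid, requests = sampleRequests) {
  const results = {};
  for (const [name, headers] of Object.entries(requests)) {
    results[name] = {
      middleware: middlewareEmailCheck(headers, pnid).ok,
      handler: linkHandlerEmailCheck(headers, pnid).ok,
    };
  }
  return results;
}

console.table(compareChecks());
```

The two checks agree on the matching and wrong-email requests and differ only on the request with no email header, which is the case the review comments are about.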