enhancement(setPassword): iterate on feedback

opencollective · Mar 1, 2024 · f672f7c · f672f7c
1 parent 2e4b531
commit f672f7c
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/server/graphql/v2/mutation/IndividualMutations.ts b/server/graphql/v2/mutation/IndividualMutations.ts
@@ -5,7 +5,7 @@ import { GraphQLDateTime } from 'graphql-scalars';
 
 import RateLimit, { ONE_HOUR_IN_SECONDS } from '../../../lib/rate-limit';
 import TwoFactorAuthLib from '../../../lib/two-factor-authentication';
-import { checkRemoteUserCanUseAccount } from '../../common/scope-check';
+import { checkRemoteUserCanUseAccount, enforceScope } from '../../common/scope-check';
 import { confirmUserEmail } from '../../common/user';
 import { RateLimitExceeded, Unauthorized } from '../../errors';
 import { GraphQLIndividual } from '../object/Individual';
@@ -84,8 +84,8 @@ const individualMutations = {
 
       let token;
 
-      // We don't want OAuth tokens to be exchanged against a session token
-      if (req.userToken?.type !== 'OAUTH') {
+      // We don't want OAuth/Personal tokens to be exchanged against a session token
+      if (!req.userToken && !req.personalToken) {
         // Context: this is token generation when updating password
         token = await user.generateSessionToken({
           sessionId: req.jwtPayload?.sessionId,
@@ -121,14 +121,16 @@ const individualMutations = {
       },
     },
     resolve: async (_, { token: confirmEmailToken }, req) => {
+      enforceScope(req, 'account');
+
       const user = await confirmUserEmail(confirmEmailToken);
       const individual = await user.getCollective({ loaders: req.loaders });
 
       // The sign-in token
       let token;
 
       // We don't want OAuth tokens to be exchanged against a session token
-      if (req.userToken?.type !== 'OAUTH') {
+      if (req.remoteUser && !req.userToken && !req.personalToken) {
         // Context: this is token generation when updating password
         token = await user.generateSessionToken({
           sessionId: req.jwtPayload?.sessionId,