From f672f7c4bfd0badeba119b8d433da0df273b19d8 Mon Sep 17 00:00:00 2001
From: Benjamin Piouffle
Date: Fri, 1 Mar 2024 09:34:08 +0100
Subject: [PATCH] enhancement(setPassword): iterate on feedback

---
 server/graphql/v2/mutation/IndividualMutations.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/server/graphql/v2/mutation/IndividualMutations.ts b/server/graphql/v2/mutation/IndividualMutations.ts
index c5f0e82c07f..d312fa0f345 100644
--- a/server/graphql/v2/mutation/IndividualMutations.ts
+++ b/server/graphql/v2/mutation/IndividualMutations.ts
@@ -5,7 +5,7 @@ import { GraphQLDateTime } from 'graphql-scalars';
 import RateLimit, { ONE_HOUR_IN_SECONDS } from '../../../lib/rate-limit';
 import TwoFactorAuthLib from '../../../lib/two-factor-authentication';
-import { checkRemoteUserCanUseAccount } from '../../common/scope-check';
+import { checkRemoteUserCanUseAccount, enforceScope } from '../../common/scope-check';
 import { confirmUserEmail } from '../../common/user';
 import { RateLimitExceeded, Unauthorized } from '../../errors';
 import { GraphQLIndividual } from '../object/Individual';
@@ -84,8 +84,8 @@ const individualMutations = {
 let token;
- // We don't want OAuth tokens to be exchanged against a session token
- if (req.userToken?.type !== 'OAUTH') {
+ // We don't want OAuth/Personal tokens to be exchanged against a session token
+ if (!req.userToken && !req.personalToken) {
 // Context: this is token generation when updating password
 token = await user.generateSessionToken({
 sessionId: req.jwtPayload?.sessionId,
@@ -121,6 +121,8 @@ const individualMutations = {
 },
 },
 resolve: async (_, { token: confirmEmailToken }, req) => {
+ enforceScope(req, 'account');
+
 const user = await confirmUserEmail(confirmEmailToken);
 const individual = await user.getCollective({ loaders: req.loaders });
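Review bot: The new guard `if (!req.userToken && !req.personalToken)` withholds the session token for every `req.userToken`, not only the `OAUTH` type the removed check named, so if user tokens of other types exist they silently stop receiving a token on password change; either that is intended and the comment should say so, or the type check should be kept next to the new personal-token check. The same policy is written a second time in the confirmEmail resolver (fourth hunk) with an extra `req.remoteUser &&` term, and two hand-written copies are likely to drift; a shared predicate such as `const canIssueSessionToken = (req) => Boolean(req.remoteUser) && !req.userToken && !req.personalToken;` would keep one source of truth, and if setPassword already guarantees `req.remoteUser` (checkRemoteUserCanUseAccount is imported above but its call is not visible here) the extra term is harmless in this resolver. The enclosing resolve body starts before and ends after this hunk.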
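Review bot: `enforceScope(req, 'account')` runs before `confirmUserEmail` in a resolver that the fourth hunk treats as reachable without a logged-in user (`req.remoteUser &&`); if enforceScope rejects requests that carry no token at all, confirmation links opened from a fresh browser would now fail before the email token is even validated. Worth confirming that enforceScope is a no-op when `req.userToken` is absent and recording that expectation at the call site: `// Must stay a no-op for unauthenticated callers: confirmation links are opened without a session`. The resolve body continues outside the hunk.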
@@ -128,7 +130,7 @@ const individualMutations = {
 let token;
 // We don't want OAuth tokens to be exchanged against a session token
- if (req.userToken?.type !== 'OAUTH') {
+ if (req.remoteUser && !req.userToken && !req.personalToken) {
 // Context: this is token generation when updating password
 token = await user.generateSessionToken({
 sessionId: req.jwtPayload?.sessionId,
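Review bot: The comment above the changed condition still reads `// We don't want OAuth tokens to be exchanged against a session token`, while the condition now also excludes personal tokens and additionally requires `req.remoteUser`; the second hunk updated its copy of the comment but this one was left stale. Suggest `// Only issue a session token to a logged-in user; OAuth/Personal tokens must not be exchanged for one`. The resolve body starts before and continues after this hunk.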