refactor: use user-token for historyDelete too

Previously, the user token was only used for the endpoint to delete the user itself. This commit adds that token to the history deletion as well. Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-11-26 19:20:54 +01:00
parent 05a937ea22
commit bc2075ae9d
6 changed files with 36 additions and 28 deletions
--- a/lib/history.js
+++ b/lib/history.js
@@ -174,26 +174,31 @@ function historyPost (req, res) {
 }

 function historyDelete (req, res) {
-  if (req.isAuthenticated()) {
-    const noteId = req.params.noteId
-    if (!noteId) {
-      setHistory(req.user.id, [], function (err, count) {
+  if (!req.isAuthenticated()) {
+    return errors.errorForbidden(res)
+  }
+
+  const token = req.query.token
+  if (!token || token !== req.user.deleteToken) {
+    return errors.errorForbidden(res)
+  }
+
+  const noteId = req.params.noteId
+  if (!noteId) {
+    setHistory(req.user.id, [], function (err, count) {
+      if (err) return errors.errorInternalError(res)
+      res.end()
+    })
+  } else {
+    getHistory(req.user.id, function (err, history) {
+      if (err) return errors.errorInternalError(res)
+      if (!history) return errors.errorNotFound(res)
+      delete history[noteId]
+      setHistory(req.user.id, history, function (err, count) {
        if (err) return errors.errorInternalError(res)
        res.end()
      })
-    } else {
-      getHistory(req.user.id, function (err, history) {
-        if (err) return errors.errorInternalError(res)
-        if (!history) return errors.errorNotFound(res)
-        delete history[noteId]
-        setHistory(req.user.id, history, function (err, count) {
-          if (err) return errors.errorInternalError(res)
-          res.end()
-        })
-      })
-    }
-  } else {
-    return errors.errorForbidden(res)
+    })
  }
 }

--- a/lib/web/statusRouter.js
+++ b/lib/web/statusRouter.js
@@ -112,7 +112,8 @@ statusRouter.get('/config', function (req, res) {
    allowedUploadMimeTypes: config.allowedUploadMimeTypes,
    linkifyHeaderStyle: config.linkifyHeaderStyle,
    cookiePolicy: config.cookiePolicy,
-    enableUploads: config.enableUploads
+    enableUploads: config.enableUploads,
+    userToken: req.user ? req.user.deleteToken : ''
  }
  res.set({
    'Cache-Control': 'private', // only cache by client