[passkey] check if user owns passkey befor delete

2023-12-26 12:57:59 +01:00 · 2023-12-26 12:57:59 +01:00 · 2eea083fe7
parent 7dff2a964f
commit 2eea083fe7
1 changed files with 4 additions and 0 deletions
--- a/lenticular_cloud/views/frontend.py
+++ b/lenticular_cloud/views/frontend.py
@ -285,9 +285,13 @@ def passkey_new_process() -> ResponseReturnValue:
 def passkey_delete(id: str) -> ResponseReturnValue:
    """delete registered credential"""

+    user = get_current_user()
    form = ButtonForm()
+
    if form.validate_on_submit():
        cred = PasskeyCredential.query.filter(PasskeyCredential.id == id).first_or_404()
+        if cred.user_id != user.id:
+            return '', 404
        db.session.delete(cred)
        db.session.commit()
        return redirect(url_for('.passkey'))