[passkey] check if user owns passkey befor delete

This commit is contained in:
tuxcoder 2023-12-26 12:57:59 +01:00
parent 7dff2a964f
commit 2eea083fe7

View file

@ -285,9 +285,13 @@ def passkey_new_process() -> ResponseReturnValue:
def passkey_delete(id: str) -> ResponseReturnValue:
"""delete registered credential"""
user = get_current_user()
form = ButtonForm()
if form.validate_on_submit():
cred = PasskeyCredential.query.filter(PasskeyCredential.id == id).first_or_404()
if cred.user_id != user.id:
return '', 404
db.session.delete(cred)
db.session.commit()
return redirect(url_for('.passkey'))