From 746a4546122be2ed79ad5858de6ce2c686f78ef0 Mon Sep 17 00:00:00 2001
From: Zephyrrus <krisztian1997@gmail.com>
Date: Thu, 9 Jul 2020 02:22:08 +0300
Subject: fix: stop leaking user's password and their apikey to admins

---
 src/api/structures/Route.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src/api/structures')

diff --git a/src/api/structures/Route.js b/src/api/structures/Route.js
index 400ae3d..6be0dc7 100644
--- a/src/api/structures/Route.js
+++ b/src/api/structures/Route.js
@@ -77,7 +77,9 @@ class Route {
 				.where({ id })
 				.first();
 			if (!user) return res.status(401).json({ message: 'Invalid authorization' });
-			if (iat && iat < moment(user.passwordEditedAt).format('x')) { return res.status(401).json({ message: 'Token expired' }); }
+			if (iat && iat < moment(user.passwordEditedAt).format('x')) {
+				return res.status(401).json({ message: 'Token expired' });
+			}
 			if (!user.enabled) return res.status(401).json({ message: 'This account has been disabled' });
 			if (this.options.adminOnly && !user.isAdmin) { return res.status(401).json({ message: 'Invalid authorization' }); }
 
-- 
cgit v1.2.3