Add check to prevent request forgery

Without this check, it would be possible for someone who manages to intercept someone else's email (by social engineering or other means) to forge a project invitation request, reusing the still-valid JWT from the genuine user.
sillsdev · Sep 24, 2024 · 632e94f · 632e94f
1 parent 8832717
commit 632e94f
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/backend/LexBoxApi/Controllers/UserController.cs b/backend/LexBoxApi/Controllers/UserController.cs
@@ -99,6 +99,12 @@ public async Task<ActionResult<LexAuthUser>> AcceptEmailInvitation(RegisterAccou
  }
 
  var jwtUser = _loggedInContext.User;
+ if (jwtUser.Email != accountInput.Email)
+ {
+ // Someone is trying to reuse a JWT belonging to someone else. Naughty, naughty...
+ ModelState.AddModelError<RegisterAccountInput>(r => r.Email, "email address mismatch in invitation link");
+ return ValidationProblem(ModelState);
+ }
 
  // We now allow multiple invitations to be accepted by the same account, so only create one if there isn't one already
  var userEntity = await _lexBoxDbContext.Users.FindByEmailOrUsername(accountInput.Email);