From 1c453b1b5511406e554f6827e4e124aaeb17e8b5 Mon Sep 17 00:00:00 2001 From: strawberry Date: Fri, 5 Jul 2024 16:36:05 -0400 Subject: [PATCH] require authentication on change password and deactivation routes Signed-off-by: strawberry --- src/api/client/account.rs | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/api/client/account.rs b/src/api/client/account.rs index 71324c1b..0d8d6075 100644 --- a/src/api/client/account.rs +++ b/src/api/client/account.rs @@ -423,7 +423,12 @@ pub(crate) async fn register_route( pub(crate) async fn change_password_route( InsecureClientIp(client): InsecureClientIp, body: Ruma, ) -> Result { - let sender_user = body.sender_user.as_ref().expect("user is authenticated"); + // Authentication for this endpoint was made optional, but we need + // authentication currently + let sender_user = body + .sender_user + .as_ref() + .ok_or_else(|| Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))?; let sender_device = body.sender_device.as_ref().expect("user is authenticated"); let mut uiaainfo = UiaaInfo { @@ -512,7 +517,12 @@ pub(crate) async fn whoami_route(body: Ruma) -> Result, ) -> Result { - let sender_user = body.sender_user.as_ref().expect("user is authenticated"); + // Authentication for this endpoint was made optional, but we need + // authentication currently + let sender_user = body + .sender_user + .as_ref() + .ok_or_else(|| Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))?; let sender_device = body.sender_device.as_ref().expect("user is authenticated"); let mut uiaainfo = UiaaInfo {
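Review bot: The `sender_device` line directly below the new `sender_user` check in `change_password_route` still uses `.expect("user is authenticated")`, so only half of the identity lookup now returns an error; the same line is left unchanged in the second hunk, on the deactivation route. If any authentication path can set `sender_user` without a device (an appservice token would be the usual candidate, though that is not visible here), the handler would panic instead of rejecting the request cleanly. I would convert it the same way, `let sender_device = body.sender_device.as_ref().ok_or_else(|| Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))?;`, or pick another error kind if a missing device should not be reported as a missing token. Both function bodies continue past the end of their hunks, so later uses of `sender_device` are not visible from here.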