Merge branch 'fix-schema-update-credentials' into 'main'

Only allow valid data or empty string in update credentials See merge request soapbox-pub/ditto!315
2024-05-25 14:34:43 +00:00 · 2024-05-25 14:34:43 +00:00 · 40369be6c6
parent cf71c48f09 c89867f486
commit 40369be6c6
1 changed files with 11 additions and 5 deletions
--- a/src/controllers/api/accounts.ts
+++ b/src/controllers/api/accounts.ts
@ -220,15 +220,15 @@ const accountStatusesController: AppController = async (c) => {
 const updateCredentialsSchema = z.object({
  display_name: z.string().optional(),
  note: z.string().optional(),
-  avatar: fileSchema.optional(),
-  header: fileSchema.optional(),
+  avatar: fileSchema.or(z.literal('')).optional(),
+  header: fileSchema.or(z.literal('')).optional(),
  locked: z.boolean().optional(),
  bot: z.boolean().optional(),
  discoverable: z.boolean().optional(),
-  nip05: z.string().email().optional(),
+  nip05: z.string().email().or(z.literal('')).optional(),
  pleroma_settings_store: z.unknown().optional(),
-  lud16: z.string().email().optional(),
-  website: z.string().url().optional(),
+  lud16: z.string().email().or(z.literal('')).optional(),
+  website: z.string().url().or(z.literal('')).optional(),
 });

 const updateCredentialsController: AppController = async (c) => {
@ -269,6 +269,12 @@ const updateCredentialsController: AppController = async (c) => {
  meta.website = website ?? meta.website;
  meta.bot = bot ?? meta.bot;

+  if (avatarFile === '') delete meta.picture;
+  if (headerFile === '') delete meta.banner;
+  if (nip05 === '') delete meta.nip05;
+  if (lud16 === '') delete meta.lud16;
+  if (website === '') delete meta.website;
+
  const event = await createEvent({
    kind: 0,
    content: JSON.stringify(meta),