refactor: use user-token for historyDelete too

Previously, the user token was only used for the endpoint
to delete the user itself. This commit adds that token to
the history deletion as well.

Signed-off-by: Erik Michelson <github@erik.michelson.eu>

lib/history.js

@@ -174,7 +174,15 @@ function historyPost (req, res) {
 }
 
 function historyDelete (req, res) {
-  if (req.isAuthenticated()) {
+  if (!req.isAuthenticated()) {
+    return errors.errorForbidden(res)
+  }
+
+  const token = req.query.token
+  if (!token || token !== req.user.deleteToken) {
+    return errors.errorForbidden(res)
+  }
+
   const noteId = req.params.noteId
   if (!noteId) {
     setHistory(req.user.id, [], function (err, count) {
@@ -192,9 +200,6 @@ function historyDelete (req, res) {
       })
     })
   }
-  } else {
-    return errors.errorForbidden(res)
-  }
 }
 
 module.exports = History

lib/web/statusRouter.js

@@ -111,7 +111,8 @@ statusRouter.get('/config', function (req, res) {
     DROPBOX_APP_KEY: config.dropbox.appKey,
     allowedUploadMimeTypes: config.allowedUploadMimeTypes,
     linkifyHeaderStyle: config.linkifyHeaderStyle,
-    cookiePolicy: config.cookiePolicy
+    cookiePolicy: config.cookiePolicy,
+    userToken: req.user ? req.user.deleteToken : ''
   }
   res.set({
     'Cache-Control': 'private', // only cache by client

public/js/history.js

@@ -296,7 +296,7 @@ export function postHistoryToServer (noteId, data, callback) {
 
 export function deleteServerHistory (noteId, callback) {
   $.ajax({
-    url: `${serverurl}/history${noteId ? '/' + noteId : ''}`,
+    url: `${serverurl}/history${noteId ? '/' + noteId : ''}?token=${window.userToken}`,
     type: 'DELETE'
   })
     .done(result => callback(null, result))

public/js/lib/common/constant.ejs

@@ -10,3 +10,4 @@ window.linkifyHeaderStyle = '<%- linkifyHeaderStyle %>'
 window.DROPBOX_APP_KEY = '<%- DROPBOX_APP_KEY %>'
 
 window.cookiePolicy = '<%- cookiePolicy %>'
+window.userToken = '<%- userToken %>'