Add token based security feature

In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
author: Sheogorath 2018-05-25 18:19:31 +0200
committer: Sheogorath 2018-05-25 18:26:06 +0200
commit: 70df29790a83db4abb40ed1e16cb05a3aa760672 (patch)
tree: 0f3805604956f4dc93020f7af2a124136ed8084b /lib/models/user.js
parent: 9fd09a8dfb8c59a44e9b2b51658e9e638a855635 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/models/user.js b/lib/models/user.js
index 62ed5cc7..019aab7e 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -31,6 +31,10 @@ module.exports = function (sequelize, DataTypes) {
     refreshToken: {
       type: DataTypes.STRING
     },
+    deleteToken: {
+      type: DataTypes.UUID,
+      defaultValue: Sequelize.UUIDV4
+    },
     email: {
       type: Sequelize.TEXT,
       validate: {
author	Sheogorath	2018-05-25 18:19:31 +0200
committer	Sheogorath	2018-05-25 18:26:06 +0200
commit	70df29790a83db4abb40ed1e16cb05a3aa760672 (patch)
tree	0f3805604956f4dc93020f7af2a124136ed8084b /lib/models/user.js
parent	9fd09a8dfb8c59a44e9b2b51658e9e638a855635 (diff)