Updated vague DB query which could lead to pwned accounts

2025-11-06 19:01:22 -05:00 · 2025-11-06 19:01:22 -05:00 · be01417cdf
commit be01417cdf
parent d7c55fe3da
3 changed files with 3 additions and 3 deletions
--- a/src/controllers/api/account/deleteController.js
+++ b/src/controllers/api/account/deleteController.js
@ -38,7 +38,7 @@ module.exports.post = async function(req, res){
                return res.send('Invalid Session! Cannot delete account while logged out!'); 
            }

-            const userDB = await userModel.findOne(user);
+            const userDB = await userModel.findOne({user: user.user});


            if(!userDB){
--- a/src/controllers/api/account/updateController.js
+++ b/src/controllers/api/account/updateController.js
@ -46,7 +46,7 @@ module.exports.post = async function(req, res){
            const {field, change} = data;
            const {user} = req.session;

-            const userDB = await userModel.findOne(user);
+            const userDB = await userModel.findOne({user: user.user});
            const update = {};