Make require password to update email

locales/ja-JP.yml

@@ -26,6 +26,7 @@ common:
   close: "閉じる"
   do-not-copy-paste: "ここにコードを入力したり張り付けたりしないでください。アカウントが不正利用される可能性があります。"
   load-more: "もっと読み込む"
+  enter-password: "パスワードを入力してください"
 
   got-it: "わかった"
   customization-tips:

src/client/app/common/views/components/profile-editor.vue

@@ -218,8 +218,14 @@ export default Vue.extend({
 		},
 
 		updateEmail() {
-			this.$root.api('i/update_email', {
-				email: this.email == '' ? null : this.email
+			this.$input({
+				title: this.$t('@.enter-password'),
+				type: 'password'
+			}).then(password => {
+				this.$root.api('i/update_email', {
+					password: password,
+					email: this.email == '' ? null : this.email
+				});
 			});
 		}
 	}

src/server/api/endpoints/i/update_email.ts

@@ -7,6 +7,7 @@ import fetchMeta from '../../../../misc/fetch-meta';
 import rndstr from 'rndstr';
 import config from '../../../../config';
 const ms = require('ms');
+import * as bcrypt from 'bcryptjs';
 
 export const meta = {
 	requireCredential: true,
@@ -19,6 +20,10 @@ export const meta = {
 	},
 
 	params: {
+		password: {
+			validator: $.str
+		},
+
 		email: {
 			validator: $.str.optional.nullable
 		},
@@ -26,6 +31,13 @@ export const meta = {
 };
 
 export default define(meta, (ps, user) => new Promise(async (res, rej) => {
+	// Compare password
+	const same = await bcrypt.compare(ps.password, user.password);
+
+	if (!same) {
+		return rej('incorrect password');
+	}
+
 	await User.update(user._id, {
 		$set: {
 			email: ps.email,