Add expiry on sign up draft (to prevent leakage of personal information)
[ndcode_site.git] / api / account / sign_up / get_draft.json.jst
index 197fd24..b07ab2b 100644 (file)
@@ -16,12 +16,32 @@ return async env => {
         // initialize env.session_key, set cookie in env.response
         let session = await session_cookie(env, transaction)
 
-        return await logjson.logjson_to_json(
-          await session.get('sign_up_draft', {})
-        )
+        let sign_up_draft = await session.get('sign_up_draft')
+        let details =
+          sign_up_draft !== undefined &&
+            XDate.now() < await logjson.logjson_to_json(
+              await sign_up_draft.get('expires')
+            ) ? {
+              email: await logjson.logjson_to_json(
+                await sign_up_draft.get('email')
+              ),
+              given_names: await logjson.logjson_to_json(
+                await sign_up_draft.get('given_names')
+              ),
+              family_name: await logjson.logjson_to_json(
+                await sign_up_draft.get('family_name')
+              ),
+              contact_me: await logjson.logjson_to_json(
+                await sign_up_draft.get('contact_me')
+              )
+            } : null
+
+        await transaction.commit()
+        return details
       }
-      finally {
+      catch (error) {
         transaction.rollback()
+        throw error
       }
     }
   )
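Review bot: An expired draft is only hidden from this response: in the `: null` branch of the `details` expression the `sign_up_draft` entry, with its email and names, stays in the session store, and any other reader of that key has to repeat the `expires` comparison. Since the handler now reaches `transaction.commit()`, the expired branch could remove the entry from the session before committing, so the personal data is actually gone once it expires; the session object's removal call is not visible in this hunk. Separately, `transaction.rollback()` in the new `catch` is not awaited while `transaction.commit()` is; if rollback returns a promise, `await transaction.rollback()` would keep a rollback failure from surfacing as an unhandled rejection. The enclosing handler starts before this hunk and continues past it.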