Add expiry on sign up draft (to prevent leakage of personal information)
[ndcode_site.git] / api / account / sign_up / set_draft.json.jst
index f7ca03b..0e3c105 100644 (file)
@@ -11,19 +11,38 @@ return async env => {
     // handler
     async details => {
       // coerce and/or validate
-      details = {
-        email: details.email.slice(0, 256).toLowerCase(),
-        given_names: details.given_names.slice(0, 256),
-        family_name: details.family_name.slice(0, 256),
-        contact_me: details.contact_me ? true : false
-      }
+      if (details !== null)
+        details = {
+          email: details.email.slice(0, 256).toLowerCase(),
+          given_names: details.given_names.slice(0, 256),
+          family_name: details.family_name.slice(0, 256),
+          contact_me: details.contact_me ? true : false
+        }
 
       let transaction = await env.site.database.Transaction()
       try {
         // initialize env.session_key, set cookie in env.response
         let session = await session_cookie(env, transaction)
 
-        session.set('sign_up_draft', transaction.json_to_logjson(details))
+        if (details) {
+          let expires = new XDate()
+          expires.addDays(1)
+          session.set(
+            'sign_up_draft',
+            transaction.json_to_logjson(
+              {
+                email: details.email,
+                given_names: details.given_names,
+                family_name: details.family_name,
+                contact_me: details.contact_me,
+                expires: expires.getTime()
+              }
+            )
+          )
+        }
+        else
+          session.delete('sign_up_draft')
+
         await transaction.commit()
       }
       catch (error) {
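Review bot: The guard `if (details !== null)` still lets `undefined`, a non-object value, or an object whose `email`, `given_names` or `family_name` is not a string reach `details.email.slice(...)`, where it throws a TypeError before the transaction is opened. The later branch uses the looser `if (details)`, so the two checks do not agree on what counts as "no draft". I would use one test for both, such as `if (details != null)`, and reject non-string fields explicitly, e.g. `if (typeof details.email !== 'string') throw new Error('invalid email')`, repeated for the two name fields. Separately, this hunk only writes `expires` into the stored draft; nothing visible here rejects or deletes a draft once that time has passed, so the leak prevention named in the commit title depends on the reading side (and presumably some cleanup of stale sessions) honouring the field, which is worth confirming elsewhere in the commit. The handler body starts and ends outside the hunk.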