From c23ec4aceebc5221aa5a366f408c4b709ca17578 Mon Sep 17 00:00:00 2001
From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com>
Date: Thu, 17 Feb 2022 20:32:47 +1100
Subject: [PATCH 1/2] Fixed bug in /users/@me PATCH where username must be present in every request, breaking account claiming
---
 api/src/routes/users/@me/index.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
index acca8910..75c91001 100644
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
@@ -58,7 +58,8 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
 }
 var check_username = body?.username?.replace(/\s/g, '');
- if(!check_username) {
+ //claiming an account does not provide username so check if username in body before throw
+ if (!check_username && body.username) {
 throw FieldErrors({
 username: { code: "BASE_TYPE_REQUIRED", message: req.t("common:field.BASE_TYPE_REQUIRED") }
 });
From d0cfbecc3286f8086629ac89b724e0adbdaf9a39 Mon Sep 17 00:00:00 2001
From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com>
Date: Thu, 17 Feb 2022 20:57:42 +1100
Subject: [PATCH 2/2] Added email sanitisation to /users/@me PATCH. Could previously have email as any string
---
 api/assets/schemas.json | 3 +++
 api/src/routes/users/@me/index.ts | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/api/assets/schemas.json b/api/assets/schemas.json
index 4ffa44b8..818c8a61 100644
--- a/api/assets/schemas.json
+++ b/api/assets/schemas.json
@@ -7039,6 +7039,9 @@
 },
 "code": {
 "type": "string"
+ },
+ "email": {
+ "type": "string"
 }
 },
 "definitions": {
diff --git a/api/src/routes/users/@me/index.ts b/api/src/routes/users/@me/index.ts
index 75c91001..93d2cb01 100644
--- a/api/src/routes/users/@me/index.ts
+++ b/api/src/routes/users/@me/index.ts
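Review bot: In PATCH 1/2 (`@@ -58,7 +58,8 @@`), the new condition `if (!check_username && body.username)` lets an empty-string username through: for `username: ""` the second operand is falsy, so the `BASE_TYPE_REQUIRED` error is not thrown, while a whitespace-only name is still rejected. Testing for presence instead of truthiness keeps the account-claiming case working and closes that gap, e.g. `if (body.username !== undefined && !check_username) {`. The comment could state the rule directly: `// username is optional (account claiming omits it); reject it only when supplied but empty or whitespace-only`. The handler starts and ends outside the hunk, so whether an empty username is rejected elsewhere cannot be seen from here.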
@@ -1,5 +1,5 @@
 import { Router, Request, Response } from "express";
-import { User, PrivateUserProjection, emitEvent, UserUpdateEvent, handleFile, FieldErrors } from "@fosscord/util";
+import { User, PrivateUserProjection, emitEvent, UserUpdateEvent, handleFile, FieldErrors, adjustEmail } from "@fosscord/util";
 import { route } from "@fosscord/api";
 import bcrypt from "bcrypt";
@@ -21,6 +21,7 @@ export interface UserModifySchema {
 password?: string;
 new_password?: string;
 code?: string;
+ email?: string;
 }
 router.get("/", route({}), async (req: Request, res: Response) => {
@@ -46,6 +47,12 @@ router.patch("/", route({ body: "UserModifySchema" }), async (req: Request, res:
 }
 }
+ if (body.email) {
+ body.email = adjustEmail(body.email);
+ if (!body.email)
+ throw FieldErrors({ email: { message: req.t("auth:register.EMAIL_INVALID"), code: "EMAIL_INVALID" } });
+ }
+ user.assign(body);
 if (body.new_password) {
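Review bot: In the `@@ -46,6 +47,12 @@` hunk, the guard `if (body.email)` skips validation when the client sends `email: ""`, so an empty address reaches `user.assign(body)` without going through `adjustEmail`. Guarding on presence, `if (body.email !== undefined) {`, sends every supplied value through the check. The hunk shows no lookup for another account that already uses the normalised address, and no requirement of the current password before the address changes. The handler continues outside the hunk, so confirm both are enforced there or add them next to this block. A comment such as `// normalise, then reject: adjustEmail appears to return a falsy value for an invalid address` would explain why `body.email` is tested again after the call.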