From 346fcaef778d4310120f9742c90679ff9697123b Mon Sep 17 00:00:00 2001
From: Dita Aji Pratama
Date: Thu, 7 Aug 2025 12:05:18 +0700
Subject: [PATCH] Validating password confirmation for sending invitation
---
 modules/api/auth.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/api/auth.py b/modules/api/auth.py
index 598d2ea..35d1aef 100644
--- a/modules/api/auth.py
+++ b/modules/api/auth.py
@@ -254,6 +254,9 @@ class auth:
 jwt = auth_header.split(' ')[1]
 payload = tokenguard.decode(jwt, globalvar.ssh['key']['public'])
 session_id = payload["session"]["id"]
+ loggorilla.prcss(APIADDR, "Get dependency data")
+ self.cursor.execute("SELECT COUNT(*) AS `count`, auth.token, auth_profile.id, auth_profile.username, auth.password FROM auth_profile INNER JOIN auth ON auth.token = auth_profile.token WHERE auth_profile.username = %s ; ", (user['profile']['username'],) )
+ result_login = self.cursor.fetchone()
 loggorilla.prcss(APIADDR, "Account validation")
 user_validation = procedure_validation.validation().account(APIADDR, allowed_roles, token)
 user = user_validation['data']
@@ -264,6 +267,11 @@ class auth:
 loggorilla.prcss(APIADDR, "Giving response")
 response["status" ] = "failed"
 response["desc" ] = "Invitation roles is not allowed"
+ elif not bcrypt.checkpw(password.encode(), result_login['password'].decode().encode() ):
+ loggorilla.accss(APIADDR, f"{user['profile']['username']} put a wrong password for send invitation")
+ loggorilla.prcss(APIADDR, "Giving response")
+ response["status" ] = "failed"
+ response["desc" ] = "Incorrect password for send invitation"
 else:
 loggorilla.prcss(APIADDR, "Set expired datetime")
 expired = globalvar.invitation_link_expiration
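Review bot: The added `self.cursor.execute(...)` reads `user['profile']['username']` before the context line `user = user_validation['data']` assigns it. Unless `user` is bound earlier in the method (not visible in this hunk), the lookup raises before account validation runs; if it is bound earlier, the password hash is fetched for a username that has not yet passed `procedure_validation`. Move the three added lines below `user = user_validation['data']` so the hash always belongs to the validated caller. Separately, `COUNT(*)` next to non-aggregated columns without `GROUP BY` is rejected when the database is MySQL running with ONLY_FULL_GROUP_BY, and otherwise returns one row with a NULL password when nothing matches. `SELECT auth.password FROM auth_profile INNER JOIN auth ON auth.token = auth_profile.token WHERE auth_profile.username = %s` with a `result_login is None` check would be simpler. The method begins and ends outside the hunk.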
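Review bot: The new `elif` calls `result_login['password'].decode().encode()` with no guard for a missing or NULL hash, so an account with no matching `auth` row turns a failed confirmation into an unhandled exception instead of the "failed" response. The `.decode().encode()` round trip is also a no-op on bytes and fails on str. Assuming the column comes back as bytes, I would write `elif not result_login or not result_login['password'] or not bcrypt.checkpw(password.encode(), result_login['password']):`. `password` is bound outside the hunk, so confirm it is required and is a non-empty string before this branch is reached. Because this endpoint now confirms password guesses for anyone holding a valid session token, pair the failed-attempt log line with the same throttling or lockout the login path uses, if it has one.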