openclawd/docfast
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

security: remove Change Email feature (leaked key = account hijack)
All checks were successful
Deploy to Production / Deploy to Server (push) Successful in 1m7s
Details

Browse source
This commit is contained in:
DocFast Bot 2026-02-17 11:40:27 +00:00
parent 1702abdeb8
commit f5cea97adf
12 changed files with 80 additions and 849 deletions
Download patch file Download diff file Expand all files Collapse all files

293
public/src/change-email.html
View file

@ -1,293 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Change Email — DocFast</title>
<meta name="description" content="Change the email address associated with your DocFast API key.">
<link rel="canonical" href="https://docfast.dev/change-email">
<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><text y='.9em' font-size='90'>⚡</text></svg>">
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&display=swap" rel="stylesheet">
{{> styles_base}}
<style>
.change-email-wrap {
max-width: 480px;
margin: 80px auto 60px;
padding: 0 24px;
}
.change-email-card {
background: var(--card);
border: 1px solid var(--border);
border-radius: 16px;
padding: 40px;
}
.change-email-card h1 {
font-size: 1.6rem;
margin-bottom: 8px;
}
.change-email-card .subtitle {
color: var(--muted);
margin-bottom: 28px;
font-size: 0.95rem;
}
.ce-field {
margin-bottom: 14px;
}
.ce-field label {
display: block;
font-size: 0.85rem;
color: var(--muted);
margin-bottom: 6px;
}
.ce-field input {
width: 100%;
padding: 12px 14px;
border: 1px solid var(--border);
background: var(--bg);
color: var(--fg);
border-radius: 8px;
font-size: 0.9rem;
font-family: inherit;
box-sizing: border-box;
transition: border-color 0.15s;
}
.ce-field input:focus {
outline: none;
border-color: var(--accent);
}
.ce-field input.monospace {
font-family: monospace;
}
.ce-field input.code-input {
font-family: monospace;
font-size: 1.4rem;
letter-spacing: 0.3em;
text-align: center;
padding: 14px;
}
.ce-btn {
width: 100%;
margin-top: 8px;
}
.ce-error {
background: rgba(239,68,68,0.1);
border: 1px solid rgba(239,68,68,0.3);
color: #f87171;
border-radius: 8px;
padding: 10px 14px;
font-size: 0.875rem;
margin-bottom: 16px;
display: none;
}
.ce-hint {
margin-top: 14px;
color: var(--muted);
font-size: 0.8rem;
text-align: center;
}
.ce-loading {
text-align: center;
padding: 20px 0;
}
.ce-success {
text-align: center;
padding: 10px 0;
}
.ce-success .success-icon {
font-size: 3rem;
margin-bottom: 16px;
}
.ce-success h2 {
margin-bottom: 12px;
}
.ce-success p {
color: var(--muted);
margin-bottom: 24px;
}
.step { display: none; }
.step.active { display: block; }
</style>
</head>
<body>
{{> nav}}
<div class="change-email-wrap">
<div class="change-email-card">
<!-- Step 1: Enter API key + new email -->
<div class="step active" id="ceStepInitial">
<h1>Change Email</h1>
<p class="subtitle">Enter your API key and new email address.</p>
<div class="ce-error" id="ceError"></div>
<div class="ce-field">
<label for="ceApiKey">Your API key</label>
<input type="text" id="ceApiKey" class="monospace" placeholder="df_free_... or df_pro_..." required autocomplete="off" spellcheck="false">
</div>
<div class="ce-field">
<label for="ceNewEmail">New email address</label>
<input type="email" id="ceNewEmail" placeholder="new.email@example.com" required>
</div>
<button class="btn btn-primary ce-btn" id="ceSendBtn">Send Verification Code →</button>
<p class="ce-hint">A 6-digit code will be sent to your new email address</p>
</div>
<!-- Step 2: Loading -->
<div class="step" id="ceStepLoading">
<div class="ce-loading">
<div class="spinner"></div>
<p style="color:var(--muted);margin:12px 0 0">Sending verification code…</p>
</div>
</div>
<!-- Step 3: Enter code -->
<div class="step" id="ceStepVerify">
<h1>Check your inbox</h1>
<p class="subtitle">We sent a 6-digit code to <strong id="ceEmailDisplay"></strong></p>
<div class="ce-error" id="ceVerifyError"></div>
<div class="ce-field">
<label for="ceCode">Verification code</label>
<input type="text" id="ceCode" class="code-input" placeholder="123456" maxlength="6" pattern="[0-9]{6}" inputmode="numeric" required>
</div>
<button class="btn btn-primary ce-btn" id="ceVerifyBtn">Verify →</button>
<p class="ce-hint">Code expires in 15 minutes</p>
</div>
<!-- Step 4: Success -->
<div class="step" id="ceStepSuccess">
<div class="ce-success">
<div class="success-icon"></div>
<h2>Email updated!</h2>
<p>Your account email has been changed to <strong id="ceSuccessEmail"></strong></p>
<a href="/" class="btn btn-primary">Back to Home →</a>
</div>
</div>
</div>
</div>
{{> footer}}
<script>
(function () {
var _apiKey = '';
var _newEmail = '';
function showStep(id) {
['ceStepInitial','ceStepLoading','ceStepVerify','ceStepSuccess'].forEach(function(s) {
var el = document.getElementById(s);
if (el) el.classList.remove('active');
});
var target = document.getElementById(id);
if (target) target.classList.add('active');
}
function showError(elId, msg) {
var el = document.getElementById(elId);
if (!el) return;
el.textContent = msg;
el.style.display = 'block';
}
function hideError(elId) {
var el = document.getElementById(elId);
if (el) el.style.display = 'none';
}
async function handleSend() {
var apiKey = document.getElementById('ceApiKey').value.trim();
var newEmail = document.getElementById('ceNewEmail').value.trim();
hideError('ceError');
if (!apiKey) {
showError('ceError', 'Please enter your API key.');
return;
}
if (!newEmail || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(newEmail)) {
showError('ceError', 'Please enter a valid email address.');
return;
}
var btn = document.getElementById('ceSendBtn');
btn.disabled = true;
showStep('ceStepLoading');
try {
var res = await fetch('/v1/email-change', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ apiKey: apiKey, newEmail: newEmail })
});
var data = await res.json();
if (!res.ok) {
showStep('ceStepInitial');
showError('ceError', data.error || 'Something went wrong. Please try again.');
btn.disabled = false;
return;
}
_apiKey = apiKey;
_newEmail = newEmail;
document.getElementById('ceEmailDisplay').textContent = newEmail;
showStep('ceStepVerify');
document.getElementById('ceCode').focus();
} catch (err) {
showStep('ceStepInitial');
showError('ceError', 'Network error. Please try again.');
btn.disabled = false;
}
}
async function handleVerify() {
var code = document.getElementById('ceCode').value.trim();
hideError('ceVerifyError');
if (!code || !/^\d{6}$/.test(code)) {
showError('ceVerifyError', 'Please enter the 6-digit code.');
return;
}
var btn = document.getElementById('ceVerifyBtn');
btn.disabled = true;
try {
var res = await fetch('/v1/email-change/verify', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ apiKey: _apiKey, newEmail: _newEmail, code: code })
});
var data = await res.json();
if (!res.ok) {
showError('ceVerifyError', data.error || 'Verification failed. Please try again.');
btn.disabled = false;
return;
}
document.getElementById('ceSuccessEmail').textContent = data.newEmail || _newEmail;
showStep('ceStepSuccess');
} catch (err) {
showError('ceVerifyError', 'Network error. Please try again.');
btn.disabled = false;
}
}
document.addEventListener('DOMContentLoaded', function () {
document.getElementById('ceSendBtn').addEventListener('click', handleSend);
document.getElementById('ceVerifyBtn').addEventListener('click', handleVerify);
// Allow Enter key in inputs
document.getElementById('ceNewEmail').addEventListener('keydown', function(e) {
if (e.key === 'Enter') handleSend();
});
document.getElementById('ceCode').addEventListener('keydown', function(e) {
if (e.key === 'Enter') handleVerify();
});
});
})();
</script>
</body>
</html>