From f3d10bd19f0f2ec09fbd3fc72b15a0afccfa14df Mon Sep 17 00:00:00 2001
From: Michael C <michael@mchang.name>
Date: Thu, 3 Feb 2022 21:31:43 -0500
Subject: [PATCH] don't leak adminID on tempVIP

---
 src/routes/addUserAsTempVIP.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/routes/addUserAsTempVIP.ts b/src/routes/addUserAsTempVIP.ts
index 2c81798..fb8d482 100644
--- a/src/routes/addUserAsTempVIP.ts
+++ b/src/routes/addUserAsTempVIP.ts
@@ -32,7 +32,8 @@ const getChannelInfo = async (videoID: VideoID): Promise<{id: string | null, nam
 };
 
 export async function addUserAsTempVIP(req: AddUserAsTempVIPRequest, res: Response): Promise<Response> {
-    const { query: { userID, adminUserID } } = req;
+    const userID = req.query.userID;
+    let adminUserID = req.query.adminUserID;
 
     const enabled = req.query?.enabled === "true";
     const channelVideoID = req.query?.channelVideoID as VideoID;
@@ -43,9 +44,9 @@ export async function addUserAsTempVIP(req: AddUserAsTempVIPRequest, res: Respon
     }
 
     // hash the issuer userID
-    const issuerUserID = await getHashCache(adminUserID);
+    adminUserID = await getHashCache(adminUserID);
     // check if issuer is VIP
-    const issuerIsVIP = await isUserVIP(issuerUserID as HashedUserID);
+    const issuerIsVIP = await isUserVIP(adminUserID as HashedUserID);
     if (!issuerIsVIP) {
         return res.sendStatus(403);
     }