From 56f5871d8e60b8a5383e5b281d84fffc4350c302 Mon Sep 17 00:00:00 2001
From: Sergo <smatsiievskyi@k-space.ee>
Date: Sun, 30 Jul 2023 01:44:41 +0300
Subject: [PATCH] prevent deleting address from other domains

---
 src/services/aliases/aliases.class.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/services/aliases/aliases.class.ts b/src/services/aliases/aliases.class.ts
index 3013d2f..489f41d 100644
--- a/src/services/aliases/aliases.class.ts
+++ b/src/services/aliases/aliases.class.ts
@@ -110,6 +110,16 @@ export class AliasesService<ServiceParams extends AliasesParams = AliasesParams>
   }
 
   async remove(id: NullableId, params: ServiceParams): Promise<Alias[]> {
+    const { data: addressInfoResponse } = await wildDuckClient.get<Alias>(
+      `addresses/resolve/${id}`,
+    );
+    const allowedDomain: string = config.get("wildDuck.domain");
+
+    // If address does not match the allowed domain, throw an error
+    if (!addressInfoResponse.address.endsWith(allowedDomain)) {
+      throw new BadRequest("Unable to delete address");
+    }
+
     await wildDuckClient.delete<Alias>(`/addresses/${id}`);
 
     const userId = await this.getUserIdByEmailAddress(params);