From 876803362f98a97cfddfa46036c337caf451df0e Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Fri, 9 Sep 2022 22:10:32 +0100
Subject: [PATCH] fix: Server error when code is passed as null to users.delete, closes #4070
---
 server/routes/api/users.ts | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/server/routes/api/users.ts b/server/routes/api/users.ts
index b408821ad..4e6b934f0 100644
--- a/server/routes/api/users.ts
+++ b/server/routes/api/users.ts
@@ -416,16 +416,16 @@ router.post(
 // If we're attempting to delete our own account then a confirmation code
 // is required. This acts as CSRF protection.
- if (!id || id === ctx.state.user.id) {
+ if ((!id || id === ctx.state.user.id) && emailEnabled) {
 const deleteConfirmationCode = user.deleteConfirmationCode;
 if (
- emailEnabled &&
- (code.length !== deleteConfirmationCode.length ||
- !crypto.timingSafeEqual(
- Buffer.from(code),
- Buffer.from(deleteConfirmationCode)
- ))
+ !code ||
+ code.length !== deleteConfirmationCode.length ||
+ !crypto.timingSafeEqual(
+ Buffer.from(code),
+ Buffer.from(deleteConfirmationCode)
+ )
 ) {
 throw ValidationError("The confirmation code was incorrect");
 }
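Review bot: The length guard in front of `crypto.timingSafeEqual` compares `code.length`, which counts UTF-16 units, while `timingSafeEqual` throws a RangeError when the two buffers differ in byte length. A `code` of matching string length that contains a multi-byte character would therefore still end in a server error instead of the ValidationError. Comparing byte lengths closes that gap: `Buffer.byteLength(code) !== Buffer.byteLength(deleteConfirmationCode) ||`. Because `Buffer.byteLength` rejects non-strings, the `!code ||` line would become `typeof code !== "string" ||`, which also covers null and any other non-string JSON value. Whether `code` is type-checked earlier is not visible, since the route handler starts and ends outside this hunk. The comment above the check presents the code as CSRF protection, but the whole block is now skipped when email is off, so it is worth adding `// Only enforced when emailEnabled is true.`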