API security updates.

pages/api/account/[id].js

@@ -9,24 +9,20 @@ export default async (req, res) => {
   const { id } = req.query;
   const user_id = +id;
 
-  if (req.method === 'GET') {
-    if (is_admin) {
-      const account = await getAccountById(user_id);
-
-      return ok(res, account);
-    }
-
+  if (is_admin) {
     return unauthorized(res);
   }
 
+  if (req.method === 'GET') {
+    const account = await getAccountById(user_id);
+
+    return ok(res, account);
+  }
+
   if (req.method === 'DELETE') {
-    if (is_admin) {
-      await deleteAccount(user_id);
+    await deleteAccount(user_id);
 
-      return ok(res);
-    }
-
-    return unauthorized(res);
+    return ok(res);
   }
 
   return methodNotAllowed(res);

pages/api/account/password.js

@@ -1,14 +1,18 @@
 import { getAccountById, updateAccount } from 'lib/queries';
 import { useAuth } from 'lib/middleware';
-import { badRequest, methodNotAllowed, ok } from 'lib/response';
+import { badRequest, methodNotAllowed, ok, unauthorized } from 'lib/response';
 import { checkPassword, hashPassword } from 'lib/crypto';
 
 export default async (req, res) => {
   await useAuth(req, res);
 
-  const { user_id } = req.auth;
+  const { user_id, is_admin } = req.auth;
   const { current_password, new_password } = req.body;
 
+  if (is_admin) {
+    return unauthorized(res);
+  }
+
   if (req.method === 'POST') {
     const account = await getAccountById(user_id);
     const valid = await checkPassword(current_password, account.password);