From a2809893aac8fc77c81278179fe4b7f7ac5a7a87 Mon Sep 17 00:00:00 2001
From: es3n1n
Date: Sun, 18 Jan 2026 23:00:05 +0100
Subject: [PATCH] fix: minor security issues
---
 packages/server/src/api/auth/recover.ts | 2 +-
 packages/server/src/providers/uploads/local/index.ts | 2 +-
 packages/server/test/integration/auth.js | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/packages/server/src/api/auth/recover.ts b/packages/server/src/api/auth/recover.ts
index 9e6832b..cecc41d 100644
--- a/packages/server/src/api/auth/recover.ts
+++ b/packages/server/src/api/auth/recover.ts
@@ -36,7 +36,7 @@ export default makeFastifyRoute(authRecoverPost, async ({ req, res }) => {
 const user = await getUserByEmail({ email })
 if (user === undefined) {
- return res.badUnknownEmail()
+ return res.goodVerifySent()
 }
 const verifyUuid = uuidv4()
diff --git a/packages/server/src/providers/uploads/local/index.ts b/packages/server/src/providers/uploads/local/index.ts
index 768671e..9005306 100644
--- a/packages/server/src/providers/uploads/local/index.ts
+++ b/packages/server/src/providers/uploads/local/index.ts
@@ -27,7 +27,7 @@ export default class LocalProvider implements Provider {
 index: false,
 setHeaders: (res: ServerResponse) => {
 res.setHeader('cache-control', 'public, max-age=31557600, immutable')
- res.setHeader('content-disposition', 'atttachment')
+ res.setHeader('content-disposition', 'attachment')
 },
 })
 }
diff --git a/packages/server/test/integration/auth.js b/packages/server/test/integration/auth.js
index a42dd71..53e4086 100644
--- a/packages/server/test/integration/auth.js
+++ b/packages/server/test/integration/auth.js
@@ -4,13 +4,13 @@ import * as database from '../../src/database'
 import config from '../../src/config/server'
 import {
 badEmail,
- badUnknownEmail,
 badKnownEmail,
 badKnownName,
 goodRegister,
 goodToken,
 goodUserUpdate,
 badRegistrationsDisabled,
+ goodVerifySent,
 } from '@rctf/api-types/responses'
 import * as auth from '../../src/auth'
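Review bot: Returning `res.goodVerifySent()` for an unknown address makes the response body match the known-email case, but this early return likely leaves a timing difference. The known-email path continues past the hunk (`const verifyUuid = uuidv4()` and whatever follows, presumably storing the token and sending mail), so the two cases may still be distinguishable by latency. If the mail is sent inline, consider moving it off the request path or otherwise equalising the work, and confirm that the route is rate limited. A comment above the return would keep the intent from being reverted later: `// Deliberately the same response as for a known email, so this route cannot be used to enumerate accounts.` The route handler starts and ends outside the hunk.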
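Review bot: The corrected `content-disposition` value in `setHeaders` has no regression test, which is presumably how the misspelt value went unnoticed. An integration test asserting that a served file carries `content-disposition: attachment` would pin it. Since these appear to be uploaded files served with a long public cache lifetime, I would also add `res.setHeader('x-content-type-options', 'nosniff')` next to it so browsers do not sniff a different type for the content. The enclosing LocalProvider method starts outside the hunk.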
@@ -45,7 +45,7 @@ test('fails with badEmail', async () => {
 expect(resp.body.kind).toBe('badEmail')
 })
-test('fails with badUnknownEmail', async () => {
+test('fails with goodVerifySent', async () => {
 config.email = oldEmail
 const unknownEmail = 'non-existent-email' + Math.random() + '@gmail.com'
@@ -54,9 +54,9 @@ test('fails with badUnknownEmail', async () => {
 .send({
 email: unknownEmail,
 })
- .expect(badUnknownEmail.status)
+ .expect(goodVerifySent.status)
- expect(resp.body.kind).toBe('badUnknownEmail')
+ expect(resp.body.kind).toBe('goodVerifySent')
 })
 test('when not email, succeeds with goodRegister', async () => {
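Review bot: The test title `'fails with goodVerifySent'` now contradicts what it checks, since the request is expected to succeed with the generic response. Following the naming of the neighbouring `'when not email, succeeds with goodRegister'`, something like `test('with unknown email, succeeds with goodVerifySent', async () => {` reads correctly and documents that the identical response is intentional. The test body continues outside the hunk.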
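Review bot: These assertions pin only the status and `kind`, not the property the fix is about, namely that an unknown address is indistinguishable from a known one. I would also request recovery for a registered address in the same test and compare the two, e.g. `expect(resp.body).toEqual(knownResp.body)`, where `knownResp` is a name constructed here for that second response. If the mail provider can be mocked in this suite, also assert that nothing is sent for the unknown address. The test starts outside the hunk.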