auth/username auth/unregister: password confirmation

pg-act/auth/unregister.php

@@ -1,5 +1,8 @@
 <?php
 
+if (checkPassword($_SESSION['id'], $_POST['current-password']) !== true)
+	output(403, _('Wrong current password.'));
+
 if (!isset($_POST['delete']))
 	output(403, _('Account deletion must be confirmed.'));
 

pg-act/auth/username.php

@@ -2,6 +2,9 @@
 
 checkUsernameFormat($_POST['new-username']);
 
+if (checkPassword($_SESSION['id'], $_POST['current-password']) !== true)
+	output(403, _('Wrong current password.'));
+
 $username = hashUsername($_POST['new-username']);
 
 if (usernameExists($username) !== false)

pg-view/auth/unregister.php

@@ -3,8 +3,11 @@
 </p>
 
 <form method="post">
+	<label for="current-password"><?= _('Current password') ?></label><br>
+	<input required="" autocomplete="current-password" minlength="8" maxlength="1024" pattern="<?= PASSWORD_REGEX ?>" id="current-password" name="current-password" type="password" placeholder="<?= PLACEHOLDER_PASSWORD ?>"><br>
+
 	<input type="checkbox" name="delete" id="delete" required="">
-	<label for="delete"><?= _('Delete the current account and everything related (required)') ?></label>
-	<br>
+	<label for="delete"><?= _('Delete the current account and everything related (required)') ?></label><br>
+
 	<input type="submit" value="<?= _('Delete') ?>">
 </form>

pg-view/auth/username.php

@@ -1,4 +1,7 @@
 <form method="post">
+	<label for="current-password"><?= _('Current password') ?></label><br>
+	<input required="" autocomplete="current-password" minlength="8" maxlength="1024" pattern="<?= PASSWORD_REGEX ?>" id="current-password" name="current-password" type="password" placeholder="<?= PLACEHOLDER_PASSWORD ?>"><br>
+
 	<label for="new-username"><?= _('New username') ?></label><br>
 	<input required="" autocomplete="username" minlength="1" maxlength="1024" pattern="<?= USERNAME_REGEX ?>" id="new-username" name="new-username" type="text" placeholder="<?= PLACEHOLDER_USERNAME ?>"><br>