[IMPROVE] AvatarBlockUnauthenticatedAccess do not call user.find if you dont have to

server/routes/avatar/utils.js

@@ -45,27 +45,26 @@ function isUserAuthenticated({ headers, query }) {
 		return false;
 	}
 
-	const userFound = Users.findOneByIdAndLoginToken(rc_uid, rc_token, { fields: { _id: 1 } });
+	const userFound = Users.findOneByIdAndLoginToken(rc_uid, rc_token, { fields: { _id: 1 } }); // TODO memoize find
 
-	return !!rc_uid && !!rc_token && !!userFound;
+	return !!userFound;
 }
 
 const warnUnauthenticatedAccess = throttle(() => {
 	console.warn('The server detected an unauthenticated access to an user avatar. This type of request will soon be blocked by default.');
 }, 60000 * 30); // 30 minutes
 
 export function userCanAccessAvatar({ headers = {}, query = {} }) {
-	const isAuthenticated = isUserAuthenticated({ headers, query });
-
-	if (settings.get('Accounts_AvatarBlockUnauthenticatedAccess') === true) {
-		return isAuthenticated;
+	if (!settings.get('Accounts_AvatarBlockUnauthenticatedAccess')) {
+		return true;
 	}
 
+	const isAuthenticated = isUserAuthenticated({ headers, query });
 	if (!isAuthenticated) {
 		warnUnauthenticatedAccess();
 	}
 
-	return true;
+	return isAuthenticated;
 }
 
 const getFirstLetter = (name) => name.replace(/[^A-Za-z0-9]/g, '').substr(0, 1).toUpperCase();