From 3fdd1c870f46c478c14d838fc93542eb1624db87 Mon Sep 17 00:00:00 2001
From: ElnuDev <elnu@elnu.com>
Date: Fri, 16 Jun 2023 14:02:30 -0700
Subject: [PATCH] Enforce stricter login rules

---
 src/main.rs | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index 2a4bc08..b944251 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -78,28 +78,35 @@ fn login() -> Redirect {
 
 #[derive(FromForm)]
 struct Login<'r> {
+    token_type: &'r str,
     access_token: &'r str,
     expires_in: u64,
+    scope: &'r str,
 }
 
 #[post("/login", data = "<login>")]
 fn post_login(login: Form<Login<'_>>, cookies: &CookieJar<'_>) -> Redirect {
-    cookies.add_private(Cookie::new(TOKEN_COOKIE, login.access_token.to_owned()));
-    cookies.add(Cookie::new(TOKEN_EXPIRE_COOKIE, (Utc::now() + Duration::seconds(login.expires_in as i64)).timestamp().to_string()));
+    if login.token_type != "Bearer" || login.scope != "guilds.join+identify+guilds" {
+        cookies.add_private(Cookie::new(TOKEN_COOKIE, login.access_token.to_owned()));
+        cookies.add(Cookie::new(TOKEN_EXPIRE_COOKIE, (Utc::now() + Duration::seconds(login.expires_in as i64)).timestamp().to_string()));
+    }
     Redirect::to("/")
 }
 
 #[get("/success")]
 fn success() -> RawHtml<&'static str> {
-    RawHtml("<form action=\"/login\" method=\"post\">
-    <input type=\"hidden\" name=\"access_token\">
-    <input type=\"hidden\" name=\"expires_in\">
-</form>
+    RawHtml("<form action=\"/login\" method=\"post\"></form>
 <script>
-    const params = new URLSearchParams(location.hash.slice(1));
-    document.querySelector(\"[name=access_token]\").value = params.get(\"access_token\");
-    document.querySelector(\"[name=expires_in]\").value = params.get(\"expires_in\");
-    document.querySelector(\"form\").submit();
+        const params = new URLSearchParams(location.hash.slice(1));
+        const form = document.querySelector(\"form\");
+        [\"token_type\", \"access_token\", \"expires_in\", \"scope\"].forEach(field => {
+            const input = document.createElement(\"input\");
+            input.type = \"hidden\";
+            input.name = field;
+            input.value = params.get(field);
+            form.appendChild(input);
+        });
+        form.submit();
 </script>")
 }