Enforce stricter login rules

1 year ago · 3fdd1c870f
parent d2758c852e
commit 3fdd1c870f
1 changed files with 17 additions and 10 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -78,28 +78,35 @@ fn login() -> Redirect {
 #[derive(FromForm)]
 struct Login<'r> {
    token_type: &'r str,
    access_token: &'r str,
    expires_in: u64,
    scope: &'r str,
 }
 #[post("/login", data = "<login>")]
 fn post_login(login: Form<Login<'_>>, cookies: &CookieJar<'_>) -> Redirect {
    if login.token_type != "Bearer" || login.scope != "guilds.join+identify+guilds" {
        cookies.add_private(Cookie::new(TOKEN_COOKIE, login.access_token.to_owned()));
        cookies.add(Cookie::new(TOKEN_EXPIRE_COOKIE, (Utc::now() + Duration::seconds(login.expires_in as i64)).timestamp().to_string()));
    }
    Redirect::to("/")
 }
 #[get("/success")]
 fn success() -> RawHtml<&'static str> {
-    RawHtml("<form action=\"/login\" method=\"post\">
+    RawHtml("<form action=\"/login\" method=\"post\"></form>
    <input type=\"hidden\" name=\"access_token\">
    <input type=\"hidden\" name=\"expires_in\">
 </form>
 <script>
        const params = new URLSearchParams(location.hash.slice(1));
-    document.querySelector(\"[name=access_token]\").value = params.get(\"access_token\");
+        const form = document.querySelector(\"form\");
-    document.querySelector(\"[name=expires_in]\").value = params.get(\"expires_in\");
+        [\"token_type\", \"access_token\", \"expires_in\", \"scope\"].forEach(field => {
-    document.querySelector(\"form\").submit();
+            const input = document.createElement(\"input\");
            input.type = \"hidden\";
            input.name = field;
            input.value = params.get(field);
            form.appendChild(input);
        });
        form.submit();
 </script>")
 }