Enforce stricter login rules

src/main.rs

@@ -78,28 +78,35 @@ fn login() -> Redirect {
 
 #[derive(FromForm)]
 struct Login<'r> {
+    token_type: &'r str,
     access_token: &'r str,
     expires_in: u64,
+    scope: &'r str,
 }
 
 #[post("/login", data = "<login>")]
 fn post_login(login: Form<Login<'_>>, cookies: &CookieJar<'_>) -> Redirect {
-    cookies.add_private(Cookie::new(TOKEN_COOKIE, login.access_token.to_owned()));
+    if login.token_type != "Bearer" || login.scope != "guilds.join+identify+guilds" {
-    cookies.add(Cookie::new(TOKEN_EXPIRE_COOKIE, (Utc::now() + Duration::seconds(login.expires_in as i64)).timestamp().to_string()));
+        cookies.add_private(Cookie::new(TOKEN_COOKIE, login.access_token.to_owned()));
+        cookies.add(Cookie::new(TOKEN_EXPIRE_COOKIE, (Utc::now() + Duration::seconds(login.expires_in as i64)).timestamp().to_string()));
+    }
     Redirect::to("/")
 }
 
 #[get("/success")]
 fn success() -> RawHtml<&'static str> {
-    RawHtml("<form action=\"/login\" method=\"post\">
+    RawHtml("<form action=\"/login\" method=\"post\"></form>
-    <input type=\"hidden\" name=\"access_token\">
-    <input type=\"hidden\" name=\"expires_in\">
-</form>
 <script>
-    const params = new URLSearchParams(location.hash.slice(1));
+        const params = new URLSearchParams(location.hash.slice(1));
-    document.querySelector(\"[name=access_token]\").value = params.get(\"access_token\");
+        const form = document.querySelector(\"form\");
-    document.querySelector(\"[name=expires_in]\").value = params.get(\"expires_in\");
+        [\"token_type\", \"access_token\", \"expires_in\", \"scope\"].forEach(field => {
-    document.querySelector(\"form\").submit();
+            const input = document.createElement(\"input\");
+            input.type = \"hidden\";
+            input.name = field;
+            input.value = params.get(field);
+            form.appendChild(input);
+        });
+        form.submit();
 </script>")
 }