Enforce stricter login rules

2023-06-16 14:02:30 -07:00 · 2023-06-16 14:02:30 -07:00 · 3fdd1c870f
commit 3fdd1c870f
parent d2758c852e
1 changed files with 17 additions and 10 deletions
--- a/src/main.rs
+++ b/src/main.rs
@ -78,28 +78,35 @@ fn login() -> Redirect {

 #[derive(FromForm)]
 struct Login<'r> {
+    token_type: &'r str,
    access_token: &'r str,
    expires_in: u64,
+    scope: &'r str,
 }

 #[post("/login", data = "<login>")]
 fn post_login(login: Form<Login<'_>>, cookies: &CookieJar<'_>) -> Redirect {
+    if login.token_type != "Bearer" || login.scope != "guilds.join+identify+guilds" {
        cookies.add_private(Cookie::new(TOKEN_COOKIE, login.access_token.to_owned()));
        cookies.add(Cookie::new(TOKEN_EXPIRE_COOKIE, (Utc::now() + Duration::seconds(login.expires_in as i64)).timestamp().to_string()));
+    }
    Redirect::to("/")
 }

 #[get("/success")]
 fn success() -> RawHtml<&'static str> {
-    RawHtml("<form action=\"/login\" method=\"post\">
-    <input type=\"hidden\" name=\"access_token\">
-    <input type=\"hidden\" name=\"expires_in\">
-</form>
+    RawHtml("<form action=\"/login\" method=\"post\"></form>
 <script>
        const params = new URLSearchParams(location.hash.slice(1));
-    document.querySelector(\"[name=access_token]\").value = params.get(\"access_token\");
-    document.querySelector(\"[name=expires_in]\").value = params.get(\"expires_in\");
-    document.querySelector(\"form\").submit();
+        const form = document.querySelector(\"form\");
+        [\"token_type\", \"access_token\", \"expires_in\", \"scope\"].forEach(field => {
+            const input = document.createElement(\"input\");
+            input.type = \"hidden\";
+            input.name = field;
+            input.value = params.get(field);
+            form.appendChild(input);
+        });
+        form.submit();
 </script>")
 }