fix other users being able to delete binds
This commit is contained in:
parent
7815baa948
commit
1314d274cf
1 changed files with 12 additions and 7 deletions
|
@ -31,8 +31,9 @@ else:
|
||||||
|
|
||||||
try:
|
try:
|
||||||
from config import OAUTH_ID, OAUTH_REDIRECT_URI, OAUTH_SECRET
|
from config import OAUTH_ID, OAUTH_REDIRECT_URI, OAUTH_SECRET
|
||||||
|
BIND_REDIRECT_URI = OAUTH_REDIRECT_URI[:-4] + "bridge/bind/callback"
|
||||||
except ImportError:
|
except ImportError:
|
||||||
OAUTH_ID = OAUTH_SECRET = OAUTH_REDIRECT_URI = None
|
OAUTH_ID = OAUTH_SECRET = OAUTH_REDIRECT_URI = BIND_REDIRECT_URI = None
|
||||||
|
|
||||||
try:
|
try:
|
||||||
from config import WEB_ROOT_PATH
|
from config import WEB_ROOT_PATH
|
||||||
|
@ -65,13 +66,13 @@ app.state.last_sender_ts = datetime.utcnow()
|
||||||
app.state.ws_connected = Lock()
|
app.state.ws_connected = Lock()
|
||||||
|
|
||||||
|
|
||||||
async def get_access_token(code: str):
|
async def get_access_token(code: str, redirect_uri: str = OAUTH_REDIRECT_URI):
|
||||||
response = app.state.http.post(
|
response = app.state.http.post(
|
||||||
"https://discord.com/api/oauth2/token",
|
"https://discord.com/api/oauth2/token",
|
||||||
data={
|
data={
|
||||||
"grant_type": "authorization_code",
|
"grant_type": "authorization_code",
|
||||||
"code": code,
|
"code": code,
|
||||||
"redirect_uri": OAUTH_REDIRECT_URI,
|
"redirect_uri": redirect_uri,
|
||||||
},
|
},
|
||||||
headers={"Content-Type": "application/x-www-form-urlencoded"},
|
headers={"Content-Type": "application/x-www-form-urlencoded"},
|
||||||
auth=(OAUTH_ID, OAUTH_SECRET)
|
auth=(OAUTH_ID, OAUTH_SECRET)
|
||||||
|
@ -350,7 +351,7 @@ async def bridge_bind_new(mx_id: str):
|
||||||
app.state.binds[token] = mx_id
|
app.state.binds[token] = mx_id
|
||||||
url = discord.utils.oauth_url(
|
url = discord.utils.oauth_url(
|
||||||
OAUTH_ID,
|
OAUTH_ID,
|
||||||
redirect_uri=OAUTH_REDIRECT_URI[:-4] + "bridge/bind/callback",
|
redirect_uri=BIND_REDIRECT_URI,
|
||||||
scopes=("identify",)
|
scopes=("identify",)
|
||||||
) + f"&state={token}&prompt=none"
|
) + f"&state={token}&prompt=none"
|
||||||
return {
|
return {
|
||||||
|
@ -366,9 +367,9 @@ async def bridge_bind_callback(code: str, state: str):
|
||||||
mx_id = app.state.binds.pop(state, None)
|
mx_id = app.state.binds.pop(state, None)
|
||||||
if not mx_id:
|
if not mx_id:
|
||||||
raise HTTPException(status_code=400, detail="Invalid state")
|
raise HTTPException(status_code=400, detail="Invalid state")
|
||||||
data = await get_access_token(code)
|
data = await get_access_token(code, redirect_uri=BIND_REDIRECT_URI)
|
||||||
access_token = data["access_token"]
|
access_token = data["access_token"]
|
||||||
user = await get_authorised_user(access_token)
|
user = await get_authorised_user(access_token,)
|
||||||
user_id = int(user["id"])
|
user_id = int(user["id"])
|
||||||
await BridgeBind.objects.create(matrix_id=mx_id, user_id=user_id)
|
await BridgeBind.objects.create(matrix_id=mx_id, user_id=user_id)
|
||||||
return JSONResponse({"matrix": mx_id, "discord": user_id}, 201)
|
return JSONResponse({"matrix": mx_id, "discord": user_id}, 201)
|
||||||
|
@ -386,11 +387,15 @@ async def bridge_bind_delete(mx_id: str, code: str = None, state: str = None):
|
||||||
app.state.binds[token] = mx_id
|
app.state.binds[token] = mx_id
|
||||||
url = discord.utils.oauth_url(
|
url = discord.utils.oauth_url(
|
||||||
OAUTH_ID,
|
OAUTH_ID,
|
||||||
redirect_uri=OAUTH_REDIRECT_URI[:-4] + "bridge/bind/callback",
|
redirect_uri=BIND_REDIRECT_URI,
|
||||||
scopes=("identify",)
|
scopes=("identify",)
|
||||||
) + f"&state={token}&prompt=none"
|
) + f"&state={token}&prompt=none"
|
||||||
return JSONResponse({"status": "pending", "url": url})
|
return JSONResponse({"status": "pending", "url": url})
|
||||||
else:
|
else:
|
||||||
|
access_token = await get_access_token(code, redirect_uri=BIND_REDIRECT_URI)
|
||||||
|
user = await get_authorised_user(access_token)
|
||||||
|
if existing.discord_id != int(user["id"]):
|
||||||
|
raise HTTPException(403, "Invalid user")
|
||||||
real_mx_id = app.state.binds.pop(state, None)
|
real_mx_id = app.state.binds.pop(state, None)
|
||||||
if real_mx_id != mx_id:
|
if real_mx_id != mx_id:
|
||||||
raise HTTPException(400, "Invalid state")
|
raise HTTPException(400, "Invalid state")
|
||||||
|
|
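Review bot: The new ownership check in bridge_bind_delete reads `existing.discord_id`, while bridge_bind_callback in this same commit creates the row with `BridgeBind.objects.create(matrix_id=mx_id, user_id=user_id)`; if the model field is actually `user_id`, the comparison raises AttributeError and the delete path fails with a 500 instead of the intended 403 — worth confirming against the model, since `existing` is assigned outside the hunk. The state token is also checked only after the code has been exchanged and the user fetched, so a stale or mismatched state still costs a Discord round-trip, and when the user check raises first the pending entry is never removed from app.state.binds. Moving `real_mx_id = app.state.binds.pop(state, None)` and `if real_mx_id != mx_id: raise HTTPException(400, "Invalid state")` above the `get_access_token` call would consume the one-time state first and match the order bridge_bind_callback already uses. The enclosing function starts before the hunk.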