nex/college-bot-v1
1
0
Fork 0
mirror of https://github.com/nexy7574/LCC-bot.git synced 2024-09-19 10:03:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix other users being able to delete binds

Browse source
This commit is contained in:
Nexus 2024-02-19 12:17:57 +00:00
parent 7815baa948
commit 1314d274cf
1 changed files with 12 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
web/server.py
View file

@ -31,8 +31,9 @@ else:
try: try:
from config import OAUTH_ID, OAUTH_REDIRECT_URI, OAUTH_SECRET from config import OAUTH_ID, OAUTH_REDIRECT_URI, OAUTH_SECRET
BIND_REDIRECT_URI = OAUTH_REDIRECT_URI[:-4] + "bridge/bind/callback"
except ImportError: except ImportError:
OAUTH_ID = OAUTH_SECRET = OAUTH_REDIRECT_URI = None OAUTH_ID = OAUTH_SECRET = OAUTH_REDIRECT_URI = BIND_REDIRECT_URI = None
try: try:
from config import WEB_ROOT_PATH from config import WEB_ROOT_PATH
@ -65,13 +66,13 @@ app.state.last_sender_ts = datetime.utcnow()
app.state.ws_connected = Lock() app.state.ws_connected = Lock()
async def get_access_token(code: str): async def get_access_token(code: str, redirect_uri: str = OAUTH_REDIRECT_URI):
response = app.state.http.post( response = app.state.http.post(
"https://discord.com/api/oauth2/token", "https://discord.com/api/oauth2/token",
data={ data={
"grant_type": "authorization_code", "grant_type": "authorization_code",
"code": code, "code": code,
"redirect_uri": OAUTH_REDIRECT_URI, "redirect_uri": redirect_uri,
}, },
headers={"Content-Type": "application/x-www-form-urlencoded"}, headers={"Content-Type": "application/x-www-form-urlencoded"},
auth=(OAUTH_ID, OAUTH_SECRET) auth=(OAUTH_ID, OAUTH_SECRET)
@ -350,7 +351,7 @@ async def bridge_bind_new(mx_id: str):
app.state.binds[token] = mx_id app.state.binds[token] = mx_id
url = discord.utils.oauth_url( url = discord.utils.oauth_url(
OAUTH_ID, OAUTH_ID,
redirect_uri=OAUTH_REDIRECT_URI[:-4] + "bridge/bind/callback", redirect_uri=BIND_REDIRECT_URI,
scopes=("identify",) scopes=("identify",)
) + f"&state={token}&prompt=none" ) + f"&state={token}&prompt=none"
return { return {
@ -366,9 +367,9 @@ async def bridge_bind_callback(code: str, state: str):
mx_id = app.state.binds.pop(state, None) mx_id = app.state.binds.pop(state, None)
if not mx_id: if not mx_id:
raise HTTPException(status_code=400, detail="Invalid state") raise HTTPException(status_code=400, detail="Invalid state")
data = await get_access_token(code) data = await get_access_token(code, redirect_uri=BIND_REDIRECT_URI)
access_token = data["access_token"] access_token = data["access_token"]
user = await get_authorised_user(access_token) user = await get_authorised_user(access_token,)
user_id = int(user["id"]) user_id = int(user["id"])
await BridgeBind.objects.create(matrix_id=mx_id, user_id=user_id) await BridgeBind.objects.create(matrix_id=mx_id, user_id=user_id)
return JSONResponse({"matrix": mx_id, "discord": user_id}, 201) return JSONResponse({"matrix": mx_id, "discord": user_id}, 201)
@ -386,11 +387,15 @@ async def bridge_bind_delete(mx_id: str, code: str = None, state: str = None):
app.state.binds[token] = mx_id app.state.binds[token] = mx_id
url = discord.utils.oauth_url( url = discord.utils.oauth_url(
OAUTH_ID, OAUTH_ID,
redirect_uri=OAUTH_REDIRECT_URI[:-4] + "bridge/bind/callback", redirect_uri=BIND_REDIRECT_URI,
scopes=("identify",) scopes=("identify",)
) + f"&state={token}&prompt=none" ) + f"&state={token}&prompt=none"
return JSONResponse({"status": "pending", "url": url}) return JSONResponse({"status": "pending", "url": url})
else: else:
access_token = await get_access_token(code, redirect_uri=BIND_REDIRECT_URI)
user = await get_authorised_user(access_token)
if existing.discord_id != int(user["id"]):
raise HTTPException(403, "Invalid user")
real_mx_id = app.state.binds.pop(state, None) real_mx_id = app.state.binds.pop(state, None)
if real_mx_id != mx_id: if real_mx_id != mx_id:
raise HTTPException(400, "Invalid state") raise HTTPException(400, "Invalid state")