(partially) fix security problem with federated session

1 files changed, 23 insertions, 5 deletions

diff --git a/server/src/routes/api/mod.rs b/server/src/routes/api/mod.rs
index 615c836..87ed0e9 100644
--- a/server/src/routes/api/mod.rs
+++ b/server/src/routes/api/mod.rs
@@ -4,12 +4,12 @@
     Copyright (C) 2023 metamuffin <metamuffin.org>
 */
 use super::ui::{
-    account::{login_logic, session::AdminSession, LoginForm},
+    account::{login_logic, session::AdminSession},
     error::MyResult,
 };
 use crate::database::Database;
 use anyhow::{anyhow, Context};
-use jellycommon::Node;
+use jellycommon::{user::UserPermission, Node};
 use rocket::{
     get,
     http::MediaType,
@@ -20,8 +20,9 @@ use rocket::{
     serde::json::Json,
     Request, State,
 };
+use serde::Deserialize;
 use serde_json::{json, Value};
-use std::ops::Deref;
+use std::{collections::HashSet, ops::Deref};
 
 #[get("/api")]
 pub fn r_api_root() -> Redirect {
@@ -33,9 +34,26 @@ pub fn r_api_version() -> &'static str {
     "2"
 }
 
+#[derive(Deserialize)]
+pub struct CreateSessionParams {
+    username: String,
+    password: String,
+    expire: Option<i64>,
+    drop_permissions: Option<HashSet<UserPermission>>,
+}
+
 #[post("/api/create_session", data = "<data>")]
-pub fn r_api_account_login(database: &State<Database>, data: Json<LoginForm>) -> MyResult<Value> {
-    let token = login_logic(database, &data.username, &data.password)?;
+pub fn r_api_account_login(
+    database: &State<Database>,
+    data: Json<CreateSessionParams>,
+) -> MyResult<Value> {
+    let token = login_logic(
+        database,
+        &data.username,
+        &data.password,
+        data.expire,
+        data.drop_permissions.clone(),
+    )?;
     Ok(json!(token))
 }