author | metamuffin <metamuffin@disroot.org> | 2023-12-11 01:19:51 +0100 |
---|---|---|
committer | metamuffin <metamuffin@disroot.org> | 2023-12-11 01:19:51 +0100 |
commit | 36d7fb2790774c53415c96f8c6955be42bad952f (patch) | |
tree | 4481dac53a6d0896e90ff72b9b68665e59e159db /server/src/routes/stream.rs | |
parent | 767d6c4c7b8518198b0343781128027051b94ae5 (diff) | |
(partially) fix security problem with federated session
Diffstat (limited to 'server/src/routes/stream.rs')
-rw-r--r-- | server/src/routes/stream.rs | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/server/src/routes/stream.rs b/server/src/routes/stream.rs
index 5944ace..279a621 100644
--- a/server/src/routes/stream.rs
+++ b/server/src/routes/stream.rs
@@ -10,6 +10,7 @@ use jellybase::{
 permission::{NodePermissionExt, PermissionSetExt},
 CONF,
 };
+use jellyclient::LoginDetails;
 use jellycommon::{stream::StreamSpec, user::UserPermission, MediaSource};
 use log::{info, warn};
 use rocket::{
@@ -19,7 +20,7 @@ use rocket::{
 response::{self, Redirect, Responder},
 Either, Request, Response, State,
 };
-use std::{ops::Range, time::Duration};
+use std::{collections::HashSet, ops::Range};
 use tokio::io::{duplex, DuplexStream};

 #[head("/n/<_id>/stream?<spec>")]
@@ -71,11 +72,15 @@ pub async fn r_stream(
 info!("creating session on {host}");
 let instance = federation.get_instance(&host)?.to_owned();
 let session = instance
- .login(
- username.to_owned(),
- password.to_owned(),
- Duration::from_secs(60),
- )
+ .login(LoginDetails {
+ username: username.to_owned(),
+ password: password.to_owned(),
+ expire: Some(60),
+ drop_permissions: Some(HashSet::from_iter([
+ UserPermission::ManageSelf,
+ UserPermission::Admin, // in case somebody federated the admin :)))
+ ])),
+ })
 .await?;

 let uri = session.stream(&remote_id, &spec); |
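Review bot: The `drop_permissions` set in the new `LoginDetails` is a deny-list, so the federated session still carries every permission of the stored account other than `ManageSelf` and `Admin`, including any variant added to `UserPermission` later. If the URI built by `session.stream(&remote_id, &spec)` is handed to the requesting user (the rest of `r_stream` is outside the hunk, but `Redirect` is imported), that user holds the remaining permissions until the session expires. Where the remote side can express it, the session should be limited to what streaming this one node needs; otherwise the joke comment is better replaced by the invariant, e.g. `// session token leaves this server: drop everything streaming does not need; revisit when UserPermission grows`. The bare `expire: Some(60)` also lost the unit that `Duration::from_secs(60)` carried, so a trailing `// seconds` (presumably unchanged, to be confirmed against `LoginDetails`) or a named constant would keep the short lifetime from being misread.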