(partially) fix security problem with federated session

1 files changed, 6 insertions, 12 deletions

diff --git a/server/src/routes/ui/account/session/token.rs b/server/src/routes/ui/account/session/token.rs
index b6c22f7..969207d 100644
--- a/server/src/routes/ui/account/session/token.rs
+++ b/server/src/routes/ui/account/session/token.rs
@@ -12,7 +12,7 @@ use anyhow::anyhow;
 use base64::Engine;
 use chrono::{Duration, Utc};
 use jellybase::CONF;
-use jellycommon::user::User;
+use jellycommon::user::PermissionSet;
 use log::warn;
 use std::sync::LazyLock;
 
@@ -29,11 +29,11 @@ static SESSION_KEY: LazyLock<[u8; 32]> = LazyLock::new(|| {
     }
 });
 
-pub fn create(user: &User, expire: Duration) -> String {
+pub fn create(username: String, permissions: PermissionSet, expire: Duration) -> String {
     let session_data = SessionData {
         expire: Utc::now() + expire,
-        username: user.name.to_owned(),
-        permissions: user.permissions.clone(),
+        username: username.to_owned(),
+        permissions,
     };
     let mut plaintext =
         bincode::serde::encode_to_vec(&session_data, bincode::config::standard()).unwrap();
@@ -73,14 +73,8 @@ pub fn validate(token: &str) -> anyhow::Result<String> {
 #[test]
 fn test() {
     let tok = create(
-        &User {
-            name: "blub".to_string(),
-            display_name: "blub".to_owned(),
-            password: vec![],
-            admin: false,
-            permissions: jellycommon::user::PermissionSet::default(),
-            theme: jellycommon::user::Theme::Dark,
-        },
+        "blub".to_string(),
+        jellycommon::user::PermissionSet::default(),
         Duration::days(1),
     );
     validate(&tok).unwrap();