From c9101af2bd50dcbbfe2883e5c48e1e032d90b21f Mon Sep 17 00:00:00 2001
From: metamuffin <metamuffin@disroot.org>
Date: Mon, 23 Mar 2026 15:36:21 +0100
Subject: fix panic in auth token validation

---
 server/src/auth.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/src/auth.rs b/server/src/auth.rs
index 69d68d0..d5ca54c 100644
--- a/server/src/auth.rs
+++ b/server/src/auth.rs
@@ -130,6 +130,9 @@ pub mod token {
     }
     pub fn validate(sk: &SessionKey, token: &str) -> Result<RowNum> {
         let cipher = URL_SAFE.decode(token)?;
+        if cipher.len() < 12 {
+            bail!("token format invalid")
+        }
         let (cipher, nonce) = cipher.split_at(cipher.len() - 12);
         let plain =
             sk.0.decrypt(nonce.into(), cipher)
-- 
cgit v1.3