From 36d7fb2790774c53415c96f8c6955be42bad952f Mon Sep 17 00:00:00 2001 From: metamuffin Date: Mon, 11 Dec 2023 01:19:51 +0100 Subject: (partially) fix security problem with federated session --- server/src/routes/api/mod.rs | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'server/src/routes/api/mod.rs') diff --git a/server/src/routes/api/mod.rs b/server/src/routes/api/mod.rs index 615c836..87ed0e9 100644 --- a/server/src/routes/api/mod.rs +++ b/server/src/routes/api/mod.rs @@ -4,12 +4,12 @@ Copyright (C) 2023 metamuffin */ use super::ui::{ - account::{login_logic, session::AdminSession, LoginForm}, + account::{login_logic, session::AdminSession}, error::MyResult, }; use crate::database::Database; use anyhow::{anyhow, Context}; -use jellycommon::Node; +use jellycommon::{user::UserPermission, Node}; use rocket::{ get, http::MediaType, @@ -20,8 +20,9 @@ use rocket::{ serde::json::Json, Request, State, }; +use serde::Deserialize; use serde_json::{json, Value}; -use std::ops::Deref; +use std::{collections::HashSet, ops::Deref}; #[get("/api")] pub fn r_api_root() -> Redirect { @@ -33,9 +34,26 @@ pub fn r_api_version() -> &'static str { "2" } +#[derive(Deserialize)] +pub struct CreateSessionParams { + username: String, + password: String, + expire: Option, + drop_permissions: Option>, +} + #[post("/api/create_session", data = "")] -pub fn r_api_account_login(database: &State, data: Json) -> MyResult { - let token = login_logic(database, &data.username, &data.password)?; +pub fn r_api_account_login( + database: &State, + data: Json, +) -> MyResult { + let token = login_logic( + database, + &data.username, + &data.password, + data.expire, + data.drop_permissions.clone(), + )?; Ok(json!(token)) } -- cgit v1.2.3-70-g09d2