From e50f12b6158ffae6b0b59f2902798ae86d263b5d Mon Sep 17 00:00:00 2001
From: r <r@freesoftwareextremist.com>
Date: Mon, 18 Sep 2023 10:07:54 +0000
Subject: Restrict instance domain in single_instance mode

---
 service/client.go    | 6 +++++-
 service/transport.go | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)


diff --git a/service/client.go b/service/client.go
index 3affd57..e4ab8cb 100644
--- a/service/client.go
+++ b/service/client.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"net/http"
 	"strings"
 	"time"
@@ -68,7 +69,7 @@ func (c *client) redirect(url string) {
 	c.w.WriteHeader(http.StatusFound)
 }
 
-func (c *client) authenticate(t int) (err error) {
+func (c *client) authenticate(t int, instance string) (err error) {
 	csrf := c.r.FormValue("csrf_token")
 	ref := c.r.URL.RequestURI()
 	defer func() {
@@ -98,6 +99,9 @@ func (c *client) authenticate(t int) (err error) {
 		return err
 	}
 	c.s = sess
+	if len(instance) > 0 && c.s.Instance != instance {
+		return errors.New("invalid instance")
+	}
 	c.Client = mastodon.NewClient(&mastodon.Config{
 		Server:       "https://" + c.s.Instance,
 		ClientID:     c.s.ClientID,
diff --git a/service/transport.go b/service/transport.go
index dcf2990..17dfca2 100644
--- a/service/transport.go
+++ b/service/transport.go
@@ -64,7 +64,7 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 			}
 			c.w.Header().Add("Content-Type", ct)
 
-			err = c.authenticate(at)
+			err = c.authenticate(at, s.instance)
 			if err != nil {
 				writeError(c, err, rt, req.Method == http.MethodGet)
 				return
@@ -79,7 +79,7 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 	}
 
 	rootPage := handle(func(c *client) error {
-		err := c.authenticate(SESSION)
+		err := c.authenticate(SESSION, "")
 		if err != nil {
 			if err == errInvalidSession {
 				c.redirect("/signin")
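Review bot: Passing `""` on the changed line disables the new instance restriction for the root page, so a session bound to a different instance is still accepted there even in single_instance mode; whether that matters depends on what rootPage does with the session after this check, which is outside the hunk. If the root page only needs to know that a session exists, say so next to the call, e.g. `// empty instance: root only checks for a session, the restriction applies in handle`; otherwise pass `s.instance` here as the other call site in this file does. The `err == errInvalidSession` comparison below would also cover a wrapped error if written as `errors.Is(err, errInvalidSession)`, though that is pre-existing. NewHandler starts and ends outside this hunk.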
-- 