fix: only allow api_to_cookie if is for same user (#2423)

2025-09-07 15:14:17 +08:00 · 2025-03-20 15:45:24 +01:00 · 2025-03-20 15:45:24 +01:00 · 9e8ee6467c
commit 9e8ee6467c
parent 8acc48d997
2 changed files with 36 additions and 5 deletions
--- a/app/auth/views/api_to_cookie.py
+++ b/app/auth/views/api_to_cookie.py
@ -1,6 +1,6 @@
 import arrow
 from flask import redirect, url_for, request, flash
-from flask_login import login_user
+from flask_login import current_user, login_user

 from app.auth.base import auth_bp
 from app.models import ApiToCookieToken
@ -14,7 +14,11 @@ def api_to_cookie():
        flash("Missing token", "error")
        return redirect(url_for("auth.login"))

-    token = ApiToCookieToken.get_by(code=code)
+    if current_user and current_user.is_authenticated:
+        token = ApiToCookieToken.get_by(code=code, user_id=current_user.id)
+    else:
+        token = ApiToCookieToken.get_by(code=code)
+
    if not token or token.created_at < arrow.now().shift(minutes=-5):
        flash("Missing token", "error")
        return redirect(url_for("auth.login"))
@ -26,5 +30,5 @@ def api_to_cookie():
    next_url = sanitize_next_url(request.args.get("next"))
    if next_url:
        return redirect(next_url)
-    else:
-        return redirect(url_for("dashboard.index"))
+
+    return redirect(url_for("dashboard.index"))
--- a/tests/auth/test_api_to_cookie.py
+++ b/tests/auth/test_api_to_cookie.py
@ -1,7 +1,7 @@
 from flask import url_for

 from app.models import ApiToCookieToken, ApiKey
-from tests.utils import create_new_user
+from tests.utils import create_new_user, login


 def test_get_cookie(flask_client):
@ -27,3 +27,30 @@ def test_get_cookie(flask_client):

    assert ApiToCookieToken.get(token_id) is None
    assert r.headers.getlist("Set-Cookie") is not None
+
+
+def test_get_cookie_does_not_allow_to_change_user(flask_client):
+    user = create_new_user()
+    api_key = ApiKey.create(
+        user_id=user.id,
+        commit=True,
+    )
+    token = ApiToCookieToken.create(
+        user_id=user.id,
+        api_key_id=api_key.id,
+        commit=True,
+    )
+    token_code = token.code
+
+    other_user = create_new_user()
+    login(flask_client, other_user)
+
+    r = flask_client.get(
+        url_for(
+            "auth.api_to_cookie", token=token_code, next=url_for("dashboard.setting")
+        ),
+        follow_redirects=False,
+    )
+
+    assert r.status_code == 302
+    assert r.location.endswith("/auth/login")