Fix: Check editor auth before creating the initial token

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2024-06-13 17:45:04 +02:00
parent 0075da1eba
commit ba01c3c2f0
Signed by: luzifer
SSH key fingerprint: SHA256:/xtE5lCgiRDQr8SLxHMS92ZBlACmATUmF1crK16Ks4E

View file

@ -9,6 +9,7 @@ import (
log "github.com/sirupsen/logrus"
"github.com/Luzifer/go_helpers/v2/str"
"github.com/Luzifer/twitch-bot/v3/pkg/twitch"
"github.com/Luzifer/twitch-bot/v3/plugins"
)
@ -200,6 +201,12 @@ func configEditorGlobalLogin(w http.ResponseWriter, r *http.Request) {
return
}
if !str.StringInSlice(user, config.BotEditors) && !str.StringInSlice(id, config.BotEditors) {
// That user is none of our editors: Deny access
http.Error(w, "access denied", http.StatusForbidden)
return
}
tok, expiresAt, err := editorTokenService.CreateLoginToken(id, user)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)