From e8a1b1fb7cdc0b0784570b14576ade0171518b6b Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Thu, 13 Jun 2024 17:45:04 +0200
Subject: [PATCH] Fix: Check editor auth before creating the initial token
Signed-off-by: Knut Ahlers
---
 configEditor_global.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/configEditor_global.go b/configEditor_global.go
index 6f61b69..0433a17 100644
--- a/configEditor_global.go
+++ b/configEditor_global.go
@@ -9,6 +9,7 @@ import (
 log "github.com/sirupsen/logrus"
+ "github.com/Luzifer/go_helpers/v2/str"
 "github.com/Luzifer/twitch-bot/v3/pkg/twitch"
 "github.com/Luzifer/twitch-bot/v3/plugins"
 )
@@ -200,6 +201,12 @@ func configEditorGlobalLogin(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if !str.StringInSlice(user, config.BotEditors) && !str.StringInSlice(id, config.BotEditors) {
+ // That user is none of our editors: Deny access
+ http.Error(w, "access denied", http.StatusForbidden)
+ return
+ }
+
 tok, expiresAt, err := editorTokenService.CreateLoginToken(id, user)
 if err != nil {
 http.Error(w, err.Error(), http.StatusInternalServerError)
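Review bot: The new deny branch in configEditorGlobalLogin answers 403 without recording anything, so repeated login attempts by non-editors leave no trace for detection. Since `log` (logrus) is already imported, add a line before the `http.Error` call, e.g. `log.WithFields(log.Fields{"user": user, "id": id}).Warn("editor login denied: not in BotEditors")`. The condition also accepts a match on the login name `user` as well as on `id`; a login name is mutable on the Twitch side, so if `config.BotEditors` holds names rather than IDs, editor access follows whoever currently owns that name, which deserves a comment here or name-to-ID resolution when the config is loaded. `str.StringInSlice` appears to be an exact comparison, so a mixed-case name in the config would presumably be denied; confirm that entries are normalised. The function body starts and ends outside this hunk, so how `user` and `id` are obtained cannot be checked from here.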