Only allow totp removal endpoint for users w/ 2fa

syeopite 2021-07-16 14:37:08 -07:00
parent e93c8672b4
commit ba067e3deb
No known key found for this signature in database
GPG Key ID: A73C186DA3955A1A


@ -515,10 +515,17 @@ module Invidious::Routes::Account
# Templates the page to remove 2fa on an user account
def remove_2fa_page(env)
locale = env.get("preferences").as(Preferences).locale
referer = get_referer(env)
user = env.get("user").as(User)
sid = env.get("sid").as(String)
user = env.get? "user"
sid = env.get? "sid"
referer = get_referer(env, unroll: false)
if !user || user.is_a? User && !user.totp_secret
return env.redirect referer
end
user = user.as(User)
sid = sid.as(String)
csrf_token = generate_response(sid, {":2fa/remove"}, HMAC_KEY)
return templated "user/remove_2fa"
@ -532,7 +539,7 @@ module Invidious::Routes::Account
sid = env.get? "sid"
referer = get_referer(env, unroll: false)
if !user
if !user || user.is_a? User && !user.totp_secret
return env.redirect referer
end
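Review bot: The new guard `if !user || user.is_a? User && !user.totp_secret` is the whole access check for both 2FA-removal handlers, yet it reads correctly only if the reader knows that `is_a?` takes just the type name and that `&&` binds tighter than `||`. I would write it as `if !user || (user.is_a?(User) && !user.totp_secret)` in remove_2fa_page and in the handler of the second hunk, whose definition starts outside the hunk. Because the condition is now duplicated verbatim in both places, a comment such as `# Only signed-in users with TOTP enabled may reach the 2FA removal flow`, or a shared private helper, would keep the two checks from drifting apart. The check treats only a nil `totp_secret` as "2FA off", so an empty string stored there would pass; that is worth confirming against the User model, which is not shown. `get_referer` is not visible either, and since its result is the redirect target on the rejected path it should be confirmed to return only same-site paths.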