Check user_id as part of validating CSRF tokens

2025-12-24 03:48:49 +00:00 · 2018-11-08 00:29:20 -06:00
parent b9c29bf537
commit 1ff8579575
2 changed files with 9 additions and 5 deletions
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1429,7 +1429,7 @@ post "/delete_account" do |env|
    token = env.params.body["token"]?

    begin
-      validate_response(challenge, token, "delete_account", HMAC_KEY)
+      validate_response(challenge, token, user.email, "delete_account", HMAC_KEY)
    rescue ex
      error_message = ex.message
      next templated "error"
@@ -1474,7 +1474,7 @@ post "/clear_watch_history" do |env|
    token = env.params.body["token"]?

    begin
-      validate_response(challenge, token, "clear_watch_history", HMAC_KEY)
+      validate_response(challenge, token, user.email, "clear_watch_history", HMAC_KEY)
    rescue ex
      error_message = ex.message
      next templated "error"