From 961208679088247911f90b365afdef786e5acd75 Mon Sep 17 00:00:00 2001
From: neil
Date: Wed, 14 Apr 2021 00:31:18 +0200
Subject: [PATCH] now force login on /admin/ route, partial fix for #27
---
 src/forward.rs | 51 +++++++++++++++++++++++++++-----------------------
 1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/src/forward.rs b/src/forward.rs
index 91277bc..22a828a 100644
--- a/src/forward.rs
+++ b/src/forward.rs
@@ -52,8 +52,8 @@ pub async fn forward(
 // (prevents the user from sending some specific POST requests)
 if check_request(route, &body) {
 debug(&format!(
- "Restricted request: {}",
- String::from_utf8_lossy(&body)
+ "Restricted request: {}",
+ String::from_utf8_lossy(&body)
 ));
 return Err(crash(get_lang(&req), "error_dirtyhacker"));
 }
@@ -70,8 +70,8 @@ pub async fn forward(
 // and basic-auth, because this feature is not needed.
 for (header_name, header_value) in res
 .headers()
- .iter()
- .filter(|(h, _)| *h != "connection" && *h != "content-encoding")
+ .iter()
+ .filter(|(h, _)| *h != "connection" && *h != "content-encoding")
 {
 client_resp.header(header_name.clone(), header_value.clone());
 }
@@ -91,8 +91,8 @@ pub async fn forward(
 let form_id = check_new_form(&response_body);
 if form_id > 0 {
 debug(&format!(
- "New form. Forging request to set isAnonymous for id {}",
- form_id
+ "New form. Forging request to set isAnonymous for id {}",
+ form_id
 ));
 let forged_body = format!(
@@ -105,8 +105,8 @@ pub async fn forward(
 &url,
 &client,
 )
- .set_header("content-length", forged_body.len())
- .set_header("content-type", "application/json;charset=utf-8");
+ .set_header("content-length", forged_body.len())
+ .set_header("content-type", "application/json;charset=utf-8");
 let res = update_req.send_body(forged_body).await.map_err(|e| {
 eprintln!("error_forward_isanon: {}", e);
@@ -129,8 +129,8 @@ pub async fn forward(
 // check the response before returning it (unused)
 /*if check_response(route, &response_body) {
- return Ok(web_redir("/"));
- }*/
+ return Ok(web_redir("/"));
+ }*/
 }
 #[derive(Deserialize)]
@@ -149,13 +149,6 @@ pub async fn forward_login(
 client: web::Data,
 dbpool: web::Data,
 ) -> Result {
- // if the user is already logged in, redirect to the Forms app
- if is_logged_in(&req).is_some() {
- return Ok(web_redir("/apps/forms").await.map_err(|e| {
- eprintln!("error_redirect (1:/apps/forms/): {}", e);
- crash(get_lang(&req), "error_redirect")
- })?);
- }
 // check if the provided token seems valid. If not, early return.
 if !check_token(¶ms.token) {
@@ -176,12 +169,24 @@ pub async fn forward_login(
 eprintln!("error_forwardlogin_db_get (diesel error): {}", e);
 crash(get_lang(&req), "error_forwardlogin_db_get")
 })?
- .ok_or_else(|| {
- debug("Token not found.");
- crash(get_lang(&req), "error_forwardlogin_notfound")
- })?;
+ .ok_or_else(|| {
+ debug("error: Token not found.");
+ crash(get_lang(&req), "error_forwardlogin_notfound")
+ })?;
+
+ // if the user is already logged in, skip the login process
+ // we don't care if someone edits their cookies, Nextcloud will properly
+ // check them anyway
+ if let Some(nc_username) = is_logged_in(&req) {
+ if nc_username.contains(&format!("nc_username={}", formdata.nc_username)) {
+ return Ok(web_redir("/apps/forms").await.map_err(|e| {
+ eprintln!("error_redirect (1:/apps/forms/): {}", e);
+ crash(get_lang(&req), "error_redirect")
+ })?);
+ }
+ }
- // else, try to log the user in with DB data, then redirect.
+ // try to log the user in with DB data, then redirect.
 login(&client, &req, &formdata.nc_username, &formdata.nc_password).await
 }
@@ -352,7 +357,7 @@ pub async fn index(req: HttpRequest, s: Session) -> Result
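Review bot: In the `@@ -176` hunk the already-logged-in shortcut is a substring test, `nc_username.contains(&format!("nc_username={}", formdata.nc_username))`, so any cookie string whose user name merely starts with the token's user passes (a session for `alice2` matches a token issued to `alice`, and a differently named cookie that ends in `nc_username=` would too), and that request is redirected to /apps/forms without the `login(...)` call the token was meant to trigger. Compare for equality instead, e.g. `let wanted = format!("nc_username={}", formdata.nc_username);` followed by `if nc_username.split(';').any(|c| c.trim() == wanted) {` — that assumes `is_logged_in` hands back the raw cookie string as the new comment implies; if it returns just the user name, `nc_username == formdata.nc_username` is enough. Nextcloud may re-validate the session afterwards, as the comment says, but a prefix match still silently skips the login the token holder asked for, and the comment should state that this check is only an optimisation rather than an authorisation decision. forward_login's signature and the token validation sit outside this hunk.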