From 0a33007adf7b5c506ed84e539589c99beb6a5a8a Mon Sep 17 00:00:00 2001
From: Glandos
Date: Sun, 25 Jul 2021 23:45:18 +0200
Subject: [PATCH] be sure that project_id was not modified by verify_token

---
 ihatemoney/web.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ihatemoney/web.py b/ihatemoney/web.py
index 47df3f49..5af15e08 100644
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@@ -206,10 +206,13 @@ def authenticate(project_id=None):
     # Try to get project_id from token first
     token = request.args.get("token")
     if token:
-        project_id = Project.verify_token(
+        verified_project_id = Project.verify_token(
             token, token_type="auth", project_id=project_id
         )
-        token_auth = True
+        if verified_project_id == project_id:
+            token_auth = True
+        else:
+            project_id = None
     else:
         token_auth = False
     if project_id is None:
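Review bot: In the new `else:` branch that sets `project_id = None`, `token_auth` is never assigned, so a request carrying a token that verifies to a different project leaves the name unbound and any later read of `token_auth` raises UnboundLocalError unless the `if project_id is None:` path returns first; add `token_auth = False` alongside `project_id = None`. The comparison `verified_project_id == project_id` is also satisfied when both sides are None — the route entered without a project_id and a token that fails verification — which sets `token_auth = True` although nothing was verified; `if verified_project_id is not None and verified_project_id == project_id:` closes that, assuming verify_token returns None on failure as the pre-patch assignment suggests. If verify_token is meant to supply the project id when the URL names none, the new check silently rejects that case too, since a non-None result never equals a None project_id; worth confirming against verify_token's contract. The rest of authenticate() continues outside the hunk.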