be sure that project_id was not modified by verify_token

2025-05-05 20:51:49 +02:00 · 2021-07-25 23:45:18 +02:00 · 2021-07-25 23:45:18 +02:00 · 0a33007adf
commit 0a33007adf
parent 0ff0b03945
1 changed files with 5 additions and 2 deletions
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@ -206,10 +206,13 @@ def authenticate(project_id=None):
    # Try to get project_id from token first
    token = request.args.get("token")
    if token:
-        project_id = Project.verify_token(
+        verified_project_id = Project.verify_token(
            token, token_type="auth", project_id=project_id
        )
+        if verified_project_id == project_id:
            token_auth = True
+        else:
+            project_id = None
    else:
        token_auth = False
    if project_id is None: