authorGravatar Inverle <inverle@proton.me> 2025-12-04 08:46:11 +0100
committerGravatar GitHub <noreply@github.com> 2025-12-04 08:46:11 +0100
commit60cf5ea297a17db861e73cd65d7b7862bd6bcc24 (patch)
treee1f9a123f79a3f5b449777ea2c17d98ca897adfb /lib/Minz/Request.php
parent1621f12a15855b3e1b98d58b6e8effe959926b46 (diff)
Improve anonymous authentication logic (#8165)
* Improve anonymous authentication logic * forgot to git add * Fix incorrect token check, because an empty parameter could just be passed if the token for the user wasn't set: `&token=`
Diffstat (limited to 'lib/Minz/Request.php')
-rw-r--r--lib/Minz/Request.php16
1 files changed, 16 insertions, 0 deletions
diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index 3355058f1..0e8dc28d0 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -560,6 +560,22 @@ class Minz_Request {
return 'POST' === ($_SERVER['REQUEST_METHOD'] ?? '');
}
+ public static function tokenIsOk(): bool {
+ $token_param = self::paramString('token');
+ if ($token_param == '') {
+ return false;
+ }
+ $username = self::paramString('user');
+ if ($username == '') {
+ return false;
+ }
+ $conf = FreshRSS_UserConfiguration::getForUser($username);
+ if ($conf === null || !hash_equals($conf->token, $token_param)) {
+ return false;
+ }
+ return true;
+ }
+
/**
* @return list<string>
*/
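Review bot: The two emptiness checks in the added tokenIsOk() (`$token_param == ''` and `$username == ''`) use loose comparison on request-supplied strings; since paramString() appears to return a string, `if ($token_param === '') {` and `if ($username === '') {` are the strict forms and avoid PHP's type-juggling rules. The final check also relies on `$conf->token` being a non-empty string: if a user's token can be unset, hash_equals() would receive null (a TypeError under strict_types) or compare against '', so a guard such as `if ($conf === null || !is_string($conf->token) || $conf->token === '' || !hash_equals($conf->token, $token_param)) {` makes the "token never configured" case fail closed explicitly rather than only through the earlier empty-parameter check. The username is forwarded straight from the request to FreshRSS_UserConfiguration::getForUser(); if that lookup derives a filesystem path from the name, it is worth confirming that the username format is validated before the call. A short docblock would help readers, e.g. `/** Returns true only when the request's user and token parameters match that user's stored token. */`.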