From 45efa94ba46ca70f20cb37fd8908be76bbb65dac Mon Sep 17 00:00:00 2001
From: Dessalines <dessalines@users.noreply.github.com>
Date: Tue, 1 Dec 2020 12:48:39 -0500
Subject: [PATCH] Making sure image uploads have jwt cookie. Fixes #1291
 (#1299)

---
 src/routes/images.rs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/routes/images.rs b/src/routes/images.rs
index deaf11eb..eb3a773f 100644
--- a/src/routes/images.rs
+++ b/src/routes/images.rs
@@ -1,6 +1,7 @@
 use actix::clock::Duration;
 use actix_web::{body::BodyStream, http::StatusCode, *};
 use awc::Client;
+use lemmy_api::claims::Claims;
 use lemmy_rate_limit::RateLimit;
 use lemmy_utils::settings::Settings;
 use serde::{Deserialize, Serialize};
@@ -46,7 +47,14 @@ async fn upload(
   body: web::Payload,
   client: web::Data<Client>,
 ) -> Result<HttpResponse, Error> {
-  // TODO: check auth and rate limit here
+  // TODO: check rate limit here
+  let jwt = req
+    .cookie("jwt")
+    .expect("No auth header for picture upload");
+
+  if Claims::decode(jwt.value()).is_err() {
+    return Ok(HttpResponse::Unauthorized().finish());
+  };
 
   let mut res = client
     .request_from(format!("{}/image", Settings::get().pictrs_url), req.head())
-- 
2.44.1