Restrict what tokens can be used for auth init flows (#6137)

apps/labrinth/src/routes/internal/flows.rs

@@ -1117,7 +1117,14 @@ pub async fn init(
     }
 
     let user_id = if let Some(token) = info.token {
-        let (_, user) = get_user_record_from_bearer_token(
+        // Linking a new auth provider changes how the account can be accessed,
+        // so only first-party session tokens may authorize this flow. OAuth and
+        // PAT tokens can be delegated or stored outside an interactive login.
+        if !token.starts_with("mra_") {
+            return Err(AuthenticationError::InvalidCredentials);
+        }
+
+        let (scopes, user) = get_user_record_from_bearer_token(
             &req,
             Some(&token),
             &**client,
@@ -1128,6 +1135,10 @@ pub async fn init(
         .await?
         .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
 
+        if !scopes.contains(Scopes::USER_AUTH_WRITE) {
+            return Err(AuthenticationError::InvalidCredentials);
+        }
+
         Some(user.id)
     } else {
         None