From f106dc580f418edf01e398aebf5297def072f8bb Mon Sep 17 00:00:00 2001
From: aecsocket
Date: Tue, 19 May 2026 16:45:58 +0100
Subject: [PATCH] Restrict what tokens can be used for auth init flows (#6137)
---
 apps/labrinth/src/routes/internal/flows.rs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/apps/labrinth/src/routes/internal/flows.rs b/apps/labrinth/src/routes/internal/flows.rs
index 49c81fdaa..c6b41ba62 100644
--- a/apps/labrinth/src/routes/internal/flows.rs
+++ b/apps/labrinth/src/routes/internal/flows.rs
@@ -1117,7 +1117,14 @@ pub async fn init(
 }
 
 let user_id = if let Some(token) = info.token {
- let (_, user) = get_user_record_from_bearer_token(
+ // Linking a new auth provider changes how the account can be accessed,
+ // so only first-party session tokens may authorize this flow. OAuth and
+ // PAT tokens can be delegated or stored outside an interactive login.
+ if !token.starts_with("mra_") {
+ return Err(AuthenticationError::InvalidCredentials);
+ }
+
+ let (scopes, user) = get_user_record_from_bearer_token(
 &req,
 Some(&token),
 &**client,
@@ -1128,6 +1135,10 @@ pub async fn init(
 .await?
 .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
 
+ if !scopes.contains(Scopes::USER_AUTH_WRITE) {
+ return Err(AuthenticationError::InvalidCredentials);
+ }
+
 Some(user.id)
 } else {
 None
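Review bot: The `token.starts_with("mra_")` gate in `init` hard-codes the session-token prefix as a bare literal, so the restriction only holds while this string stays in step with however `get_user_record_from_bearer_token` classifies tokens, which is not visible in the hunk. I would lift it into a named constant or a small helper shared with the token parser, e.g. `if !token.starts_with(SESSION_TOKEN_PREFIX) {` (placeholder name), so a prefix change cannot silently reopen this flow to PAT or OAuth tokens. The diffstat shows only flows.rs changed; a regression test asserting that a PAT and an OAuth token are both rejected here would pin the behaviour. `init` starts and ends outside the hunk.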
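Review bot: The added `scopes.contains(Scopes::USER_AUTH_WRITE)` check carries no comment, and after the prefix gate in the previous hunk it is not obvious when a session token would lack that scope. If it is meant as defence in depth, say so above the check: `// Defence in depth: the prefix check already excludes PAT and OAuth tokens, but still require USER_AUTH_WRITE in case session scopes are ever narrowed.` Returning `InvalidCredentials` for a scope failure keeps the response indistinguishable from a bad token, which looks deliberate; a server-side log line at this branch would still let operators see rejected provider-linking attempts. The enclosing `init` body continues outside the hunk.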