Check user_id as part of validating CSRF tokens

src/invidious.cr

@@ -1429,7 +1429,7 @@ post "/delete_account" do |env|
     token = env.params.body["token"]?
 
     begin
-      validate_response(challenge, token, "delete_account", HMAC_KEY)
+      validate_response(challenge, token, user.email, "delete_account", HMAC_KEY)
     rescue ex
       error_message = ex.message
       next templated "error"
@@ -1474,7 +1474,7 @@ post "/clear_watch_history" do |env|
     token = env.params.body["token"]?
 
     begin
-      validate_response(challenge, token, "clear_watch_history", HMAC_KEY)
+      validate_response(challenge, token, user.email, "clear_watch_history", HMAC_KEY)
     rescue ex
       error_message = ex.message
       next templated "error"

src/invidious/helpers/helpers.cr

@@ -403,7 +403,7 @@ def create_response(user_id, operation, key)
   return challenge, token
 end
 
-def validate_response(challenge, token, action, key)
+def validate_response(challenge, token, user_id, operation, key)
   if !challenge
     raise "Hidden field \"challenge\" is a required field"
   end
@@ -414,7 +414,7 @@ def validate_response(challenge, token, action, key)
 
   challenge = Base64.decode_string(challenge)
   if challenge.split("-").size == 4
-    expire, nonce, user_id, operation = challenge.split("-")
+    expire, nonce, challenge_user_id, challenge_operation = challenge.split("-")
 
     expire = expire.to_i?
     expire ||= 0
@@ -429,7 +429,11 @@ def validate_response(challenge, token, action, key)
     raise "Invalid token"
   end
 
-  if operation != action
+  if challenge_operation != operation
+    raise "Invalid token"
+  end
+
+  if challenge_user_id != user_id
     raise "Invalid token"
   end