From cd36c4996c282b030826d33c86408f593cda08f9 Mon Sep 17 00:00:00 2001
From: lekma <lekmalek@gmail.com>
Date: Wed, 30 Oct 2024 12:54:47 +0000
Subject: [PATCH] crystal is confusing

---
 src/invidious/routes/api/v1/authenticated.cr | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/invidious/routes/api/v1/authenticated.cr b/src/invidious/routes/api/v1/authenticated.cr
index a5d093176..2646cf83b 100644
--- a/src/invidious/routes/api/v1/authenticated.cr
+++ b/src/invidious/routes/api/v1/authenticated.cr
@@ -420,11 +420,16 @@ module Invidious::Routes::API::V1::Authenticated
       callback_url = URI.parse(callback_url)
     end
 
-    if sid = env.get?("sid").try &.as(String) && content_type != "application/json"
-      env.response.content_type = "text/html"
+    if content_type != "application/json"
+      if sid = env.get?("sid").try &.as(String)
+        env.response.content_type = "text/html"
 
-      csrf_token = generate_response(sid, {":authorize_token"}, HMAC_KEY, use_nonce: true)
-      return templated "user/authorize_token"
+        csrf_token = generate_response(sid, {":authorize_token"}, HMAC_KEY, use_nonce: true)
+        return templated "user/authorize_token"
+      else
+        # is it enough?
+        env.response.status_code = 403
+      end
     else
       env.response.content_type = "application/json"