commit df585c592c556cea2c56e95df30370773a115f12
from: Stefan Sperling <stsp@stsp.name>
date: Fri Aug 29 15:41:39 2025 UTC

verify the login token's hostname

commit - 3f214499bfd4dab44c4629a310e7e7b75adf5f82
commit + df585c592c556cea2c56e95df30370773a115f12
blob - 192de44710263eea0af8a2c0b6c53c9a5116d341
blob + 3c32e5f0726ecd2ae24607939e2d98ac6393ed9d
--- gotwebd/login.c
+++ gotwebd/login.c
@@ -249,6 +249,12 @@ do_login(struct request *c)
 	    auth_token_secret, sizeof(auth_token_secret));
 	if (token == NULL) {
 		log_warn("%s: auth_gen_token failed", __func__);
+		free(hostname);
+		return -1;
+	}
+
+	if (strcmp(hostname, c->server_name) != 0) {
+		log_warn("bad hostname in login token\n");
 		free(hostname);
 		return -1;
 	}