Prevent brute-force token overwriting

lnbits/extensions/twitchalerts/crud.py

@@ -141,15 +141,18 @@ async def authenticate_service(service_id, code, redirect_uri):
         response = (await client.post(url, data=data)).json()
     print(response)
     token = response['access_token']
-    await service_add_token(service_id, token)
+    success = await service_add_token(service_id, token)
-    return f"/twitchalerts/?usr={user}"
+    return f"/twitchalerts/?usr={user}", success
 
 
 async def service_add_token(service_id, token):
+    if (await get_service(service_id)).authenticated:
+        return False
     db.execute(
-        "UPDATE Services SET token = ? where id = ?",
+        "UPDATE Services SET authenticated = 1, token = ? where id = ?",
         (token, service_id,),
     )
+    return True
 
 
 async def delete_service(service_id: int) -> None:

lnbits/extensions/twitchalerts/views_api.py

@@ -77,8 +77,14 @@ async def api_authenticate_service(service_id):
         )
     redirect_uri = request.scheme + "://" + request.headers["Host"]
     redirect_uri += f"/twitchalerts/api/v1/authenticate/{service_id}"
-    url = await authenticate_service(service_id, code, redirect_uri)
+    url, success = await authenticate_service(service_id, code, redirect_uri)
-    return redirect(url)
+    if success:
+        return redirect(url)
+    else:
+        return (
+            jsonify({"message": "Service already authenticated!"}),
+            HTTPStatus.BAD_REQUEST
+        )
 
 
 @twitchalerts_ext.route("/api/v1/createdonation", methods=["POST"])