guard against using someone else's access token in UIAA

src/service/uiaa/mod.rs

@@ -4,7 +4,7 @@ use std::{
 };
 
 use conduwuit::{
-	Error, Result, err, error, implement, utils,
+	Err, Error, Result, err, error, implement, utils,
 	utils::{hash, string::EMPTY},
 };
 use database::{Deserialized, Json, Map};
@@ -150,12 +150,18 @@ pub async fn try_auth(
 				));
 			};
 
-			let user_id = UserId::parse_with_server_name(
+			let user_id_from_username = UserId::parse_with_server_name(
 				username.clone(),
 				self.services.globals.server_name(),
 			)
 			.map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "User ID is invalid."))?;
 
+			// Check if the access token being used matches the credentials used for UIAA
+			if user_id.localpart() != user_id_from_username.localpart() {
+				return Err!(Request(Forbidden("User ID and access token mismatch.")));
+			}
+			let user_id = user_id_from_username;
+
 			// Check if password is correct
 			if let Ok(hash) = self.services.users.password_hash(&user_id).await {
 				let hash_matches = hash::verify_password(password, &hash).is_ok();

tests/test_results/complement/test_results.jsonl

@@ -127,7 +127,7 @@
 {"Action":"fail","Test":"TestDeviceListsUpdateOverFederationOnRoomJoin"}
 {"Action":"fail","Test":"TestDeviceManagement"}
 {"Action":"fail","Test":"TestDeviceManagement/DELETE_/device/{deviceId}"}
-{"Action":"fail","Test":"TestDeviceManagement/DELETE_/device/{deviceId}_requires_UI_auth_user_to_match_device_owner"}
+{"Action":"pass","Test":"TestDeviceManagement/DELETE_/device/{deviceId}_requires_UI_auth_user_to_match_device_owner"}
 {"Action":"pass","Test":"TestDeviceManagement/GET_/device/{deviceId}"}
 {"Action":"pass","Test":"TestDeviceManagement/GET_/device/{deviceId}_gives_a_404_for_unknown_devices"}
 {"Action":"pass","Test":"TestDeviceManagement/GET_/devices"}