path: root/libweb
author: Xavier Del Campo Romero <xavi92@disroot.org> 2025-10-02 11:32:02 +0200
committer: Xavier Del Campo Romero <xavi92@disroot.org> 2025-10-02 11:32:02 +0200
commit: 4dcd4d47cc717b37844dbe7f01485f9a0662a964 (patch)
tree: 14d29627ce3a6ba70a67cd2b5dd2bebe9341e5aa /libweb
parent: eeca79b7678176a6f8915da29d35f685f365e6da (diff)
download: slcl-4dcd4d47cc717b37844dbe7f01485f9a0662a964.tar.gz
auth.c: Fix missing username check
So far, auth_login was looking for a key that matched the expected HMAC, among all registered users, and therefore without looking up the username from the cookie key. This allowed attackers to forge a cookie with a valid key but another username, and therefore see the contents from other users.
Diffstat (limited to 'libweb')
0 files changed, 0 insertions, 0 deletions
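The check the commit message describes, as an added example that is not slcl's code: the user table, token values and function names are hypothetical, and a fixed per-user token stands in for the HMAC-derived key. It places the lookup that accepts any registered user's key beside one that first resolves the username from the cookie.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: a hypothetical user table, not slcl's database. */
struct user { const char *name; const char *token; };
static const struct user users[] = {
    {"alice", "3f9a1c0de4b27788"},
    {"bob",   "a1b2c3d4e5f60718"},
};
static const size_t n_users = sizeof users / sizeof *users;

/* Compare every byte instead of returning at the first mismatch. */
static int token_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);

    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Behaviour described in the commit message: a token that matches any
   registered user is accepted; the cookie's username is never looked up. */
int login_any_token(const char *cookie_user, const char *cookie_token)
{
    (void)cookie_user;
    for (size_t i = 0; i < n_users; i++)
        if (token_equal(users[i].token, cookie_token))
            return 1;
    return 0;
}

/* Corrected check: resolve the username from the cookie first, then
   compare against that user's token only. */
int login_bound_token(const char *cookie_user, const char *cookie_token)
{
    for (size_t i = 0; i < n_users; i++)
        if (!strcmp(users[i].name, cookie_user))
            return token_equal(users[i].token, cookie_token);
    return 0; /* unknown username */
}

int main(void)
{
    /* bob's token presented under alice's name */
    printf("any: %d bound: %d\n", login_any_token("alice", users[1].token),
           login_bound_token("alice", users[1].token));
    return 0;
}
```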