diff --git a/crates/ezidam/src/routes/admin/settings.rs b/crates/ezidam/src/routes/admin/settings.rs
index 7321a75..abff756 100644
--- a/crates/ezidam/src/routes/admin/settings.rs
+++ b/crates/ezidam/src/routes/admin/settings.rs
@@ -1,9 +1,13 @@
 use crate::routes::prelude::*;
 use crate::tokens::{generate_jwt, generate_refresh_token};
+use crate::tokens::{
+    JWT_COOKIE_NAME, JWT_DURATION_MINUTES, REFRESH_TOKEN_COOKIE_NAME, REFRESH_TOKEN_DURATION_DAYS,
+};
 use apps::App;
 use refresh_tokens::RefreshToken;
 use rocket::fs::TempFile;
-use rocket::http::CookieJar;
+use rocket::http::{Cookie, CookieJar, SameSite};
+use rocket::time::Duration;
 use rocket::{get, post};
 use settings::Settings;
 use std::net::IpAddr;
@@ -120,15 +124,18 @@ pub async fn settings_security_form(
             RefreshToken::revoke_all(&mut transaction).await?;
 
             // Generate refresh token
-            generate_refresh_token(
-                &mut transaction,
-                ip_address,
-                user.id(),
-                app.id(),
-                cookie_jar,
-            )
-            .await
-            .map_err(Error::internal_server_error)?;
+            let refresh_token =
+                generate_refresh_token(&mut transaction, ip_address, user.id(), app.id())
+                    .await
+                    .map_err(Error::internal_server_error)?;
+
+            // Add refresh token as a cookie
+            let mut cookie = Cookie::new(REFRESH_TOKEN_COOKIE_NAME, refresh_token);
+            cookie.set_secure(true);
+            cookie.set_http_only(true);
+            cookie.set_same_site(SameSite::Strict);
+            cookie.set_max_age(Duration::days(REFRESH_TOKEN_DURATION_DAYS));
+            cookie_jar.add(cookie);
 
             // Get base url
             let settings = Settings::get(&mut transaction).await?;
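Review bot: The new refresh-token block in this hunk, the jwt block in the next settings.rs hunk, and both hunks in redirect.rs each hand-assemble the cookie and re-apply `set_secure`, `set_http_only`, `set_same_site(SameSite::Strict)` and the max age, so the attributes that keep the session cookie off plain HTTP and out of script reach now exist in four copies instead of one, and the `// TODO: refactor for "code" route` in redirect.rs suggests a fifth is coming. A call site that drops one of those lines ships a weaker cookie and nothing in the types will catch it. Keep the attributes next to the constants they belong to: add helpers in tokens.rs such as `pub fn refresh_token_cookie(value: String) -> Cookie<'static>` and `pub fn jwt_cookie(value: String) -> Cookie<'static>` that return a fully attributed cookie, and reduce the block here to `cookie_jar.add(refresh_token_cookie(refresh_token));`. settings_security_form begins and ends outside this hunk.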
@@ -138,16 +145,23 @@ pub async fn settings_security_form(
                 .ok_or_else(|| Error::bad_request("Server url is not set"))?;
 
             // Generate jwt
-            generate_jwt(
+            let jwt = generate_jwt(
                 &mut transaction,
                 &private_key,
                 &home_page,
                 &app.id().0,
                 &user,
-                cookie_jar,
             )
             .await
             .map_err(Error::internal_server_error)?;
+
+            // Add jwt as a cookie
+            let mut cookie = Cookie::new(JWT_COOKIE_NAME, jwt);
+            cookie.set_secure(true);
+            cookie.set_http_only(true);
+            cookie.set_same_site(SameSite::Strict);
+            cookie.set_max_age(Duration::minutes(JWT_DURATION_MINUTES));
+            cookie_jar.add(cookie);
         }
     }
     transaction.commit().await?;
diff --git a/crates/ezidam/src/routes/oauth/redirect.rs b/crates/ezidam/src/routes/oauth/redirect.rs
index 9d229c4..8432ed6 100644
--- a/crates/ezidam/src/routes/oauth/redirect.rs
+++ b/crates/ezidam/src/routes/oauth/redirect.rs
@@ -5,17 +5,15 @@ use authorization_codes::AuthorizationCode;
 use jwt::database::Key;
 use jwt::PrivateKey;
 use refresh_tokens::RefreshToken;
-use rocket::http::CookieJar;
-use rocket::{get, UriDisplayQuery};
+use rocket::get;
 use settings::Settings;
 use std::net::IpAddr;
 use users::User;
-
-#[derive(Debug, FromForm, UriDisplayQuery)]
-pub struct RedirectRequest<'r> {
-    pub code: &'r str,
-    pub state: &'r str,
-}
+use crate::tokens::{
+    JWT_COOKIE_NAME, JWT_DURATION_MINUTES, REFRESH_TOKEN_COOKIE_NAME, REFRESH_TOKEN_DURATION_DAYS,
+};
+use rocket::http::{Cookie, CookieJar, SameSite};
+use rocket::time::Duration;
 
 #[get("/oauth/redirect?")]
 pub async fn redirect_page(
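Review bot: The deletion of `RedirectRequest` and the `UriDisplayQuery` import in the redirect.rs import hunk is unrelated to moving cookie construction out of tokens.rs, and the `#[get("/oauth/redirect?...")]` attribute right below it still declares a query string (its binding is not legible in this rendering), so the query guard must now be defined somewhere else. Confirm that it is, or move the struct deletion into its own commit so the route change can be reviewed on its own terms. Separately, the new `use crate::tokens::{...}`, `rocket::http` and `rocket::time` lines are appended after `use users::User` inside the same import group; rustfmt will reorder them, so place them alongside the existing `crate::` and `rocket::` imports now rather than in a later formatting commit.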
@@ -79,15 +77,22 @@ pub async fn redirect_page(
         // TODO: refactor for "code" route
 
         // Generate refresh token
-        generate_refresh_token(
+        let refresh_token = generate_refresh_token(
             &mut transaction,
             ip_address,
             user.id(),
             app.id(),
-            cookie_jar,
         )
         .await
         .map_err(Error::internal_server_error)?;
+
+        // Add refresh token as a cookie
+        let mut cookie = Cookie::new(REFRESH_TOKEN_COOKIE_NAME, refresh_token);
+        cookie.set_secure(true);
+        cookie.set_http_only(true);
+        cookie.set_same_site(SameSite::Strict);
+        cookie.set_max_age(Duration::days(REFRESH_TOKEN_DURATION_DAYS));
+        cookie_jar.add(cookie);
 
         // Get latest key from database
         let key = Key::get_most_recent(&mut transaction)
@@ -105,16 +110,23 @@ pub async fn redirect_page(
             .await??;
 
         // Generate jwt
-        generate_jwt(
+        let jwt = generate_jwt(
             &mut transaction,
             &private_key,
             &home_page,
             &app.id().0,
             &user,
-            cookie_jar,
         )
         .await
         .map_err(Error::internal_server_error)?;
+
+        // Add jwt as a cookie
+        let mut cookie = Cookie::new(JWT_COOKIE_NAME, jwt);
+        cookie.set_secure(true);
+        cookie.set_http_only(true);
+        cookie.set_same_site(SameSite::Strict);
+        cookie.set_max_age(Duration::minutes(JWT_DURATION_MINUTES));
+        cookie_jar.add(cookie);
     }
 
     transaction.commit().await?;
diff --git a/crates/ezidam/src/tokens.rs b/crates/ezidam/src/tokens.rs
index e169163..1f368b1 100644
--- a/crates/ezidam/src/tokens.rs
+++ b/crates/ezidam/src/tokens.rs
@@ -2,8 +2,6 @@ use hash::SecretString;
 use id::{AppID, UserID};
 use jwt::{JwtClaims, PrivateKey};
 use refresh_tokens::RefreshToken;
-use rocket::http::{Cookie, CookieJar, SameSite};
-use rocket::time::Duration;
 use rocket::tokio::task;
 use rocket_db_pools::sqlx::SqliteExecutor;
 use std::net::IpAddr;
@@ -17,8 +15,7 @@ pub async fn generate_refresh_token(
     ip_address: IpAddr,
     user_id: &UserID,
     app_id: &AppID,
-    cookie_jar: &CookieJar<'_>,
-) -> Result<(), String> {
+) -> Result {
     // Generate refresh token
     let refresh_token = task::spawn_blocking(|| SecretString::new(64))
         .await
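Review bot: The signature change in the last hunk makes `generate_refresh_token` hand the raw token back to its caller instead of delivering it, but neither the signature nor a doc comment says that the caller has thereby become responsible for getting the value to the client with the right cookie attributes; `generate_jwt` in the following hunks has the same gap. Add above the function: `/// Creates and persists a refresh token for user_id/app_id and returns the raw token value. The caller must deliver it to the client itself; REFRESH_TOKEN_COOKIE_NAME and REFRESH_TOKEN_DURATION_DAYS give the cookie name and lifetime callers are expected to use.` and the equivalent sentence naming JWT_COOKIE_NAME and JWT_DURATION_MINUTES on `generate_jwt`. The type arguments of the new `Result` return type are not legible in this rendering, so they cannot be checked here; the body of `generate_refresh_token` continues past the hunk.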
@@ -36,18 +33,7 @@ pub async fn generate_refresh_token(
         .await
         .map_err(|e| e.to_string())?;
 
-    // Add refresh token as a cookie
-    let mut cookie = Cookie::new(
-        REFRESH_TOKEN_COOKIE_NAME,
-        refresh_token.as_ref().to_string(),
-    );
-    cookie.set_secure(true);
-    cookie.set_http_only(true);
-    cookie.set_same_site(SameSite::Strict);
-    cookie.set_max_age(Duration::days(REFRESH_TOKEN_DURATION_DAYS));
-    cookie_jar.add(cookie);
-
-    Ok(())
+    Ok(refresh_token.to_string())
 }
 
 pub const JWT_DURATION_MINUTES: i64 = 15;
@@ -59,8 +45,7 @@ pub async fn generate_jwt(
     issuer: &str,
     audience: &str,
     user: &User,
-    cookie_jar: &CookieJar<'_>,
-) -> Result<(), String> {
+) -> Result {
     // TODO: get user roles
     let roles = vec![];
 
@@ -69,13 +54,5 @@ pub async fn generate_jwt(
         .sign_serialize(private_key, JWT_DURATION_MINUTES)
         .map_err(|e| e.to_string())?;
 
-    // Add jwt as a cookie
-    let mut cookie = Cookie::new(JWT_COOKIE_NAME, jwt);
-    cookie.set_secure(true);
-    cookie.set_http_only(true);
-    cookie.set_same_site(SameSite::Strict);
-    cookie.set_max_age(Duration::minutes(JWT_DURATION_MINUTES));
-    cookie_jar.add(cookie);
-
-    Ok(())
+    Ok(jwt)
 }
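Review bot: `Ok(refresh_token.to_string())` replaces the old `refresh_token.as_ref().to_string()`, so the value now goes through the wrapper's `Display` impl instead of its `AsRef` view; secret-string wrappers commonly implement `Display` as a redaction, and if `hash::SecretString` does, every refresh cookie would carry the placeholder text rather than the token (the lines between the two tokens.rs hunks could also have rebound `refresh_token`, which is not visible here). Either keep `Ok(refresh_token.as_ref().to_string())`, or better return the wrapper itself, `-> Result<SecretString, String>` with `Ok(refresh_token)`, so the token stays inside its protective type until the call site builds the cookie with `refresh_token.as_ref().to_string()`. As written the raw secret also travels as a plain `String` through the async call chain and into a `let` at each call site, losing whatever redaction or zeroing the wrapper provides; confirm against the `hash` crate before merging.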