phil/ezidam
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tokens: return result as string, moved cookie handling outside

Browse source
This commit is contained in:
Philippe Loctaux 2023-04-03 17:56:57 +02:00
parent 088a1f0076
commit ba9ecb9f5c
3 changed files with 54 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

38
crates/ezidam/src/routes/admin/settings.rs
View file

@ -1,9 +1,13 @@
use crate::routes::prelude::*;
use crate::tokens::{generate_jwt, generate_refresh_token};
use crate::tokens::{
JWT_COOKIE_NAME, JWT_DURATION_MINUTES, REFRESH_TOKEN_COOKIE_NAME, REFRESH_TOKEN_DURATION_DAYS,
};
use apps::App;
use refresh_tokens::RefreshToken;
use rocket::fs::TempFile;
use rocket::http::CookieJar;
use rocket::http::{Cookie, CookieJar, SameSite};
use rocket::time::Duration;
use rocket::{get, post};
use settings::Settings;
use std::net::IpAddr;
@ -120,15 +124,18 @@ pub async fn settings_security_form(
RefreshToken::revoke_all(&mut transaction).await?;
// Generate refresh token
generate_refresh_token(
&mut transaction,
ip_address,
user.id(),
app.id(),
cookie_jar,
)
.await
.map_err(Error::internal_server_error)?;
let refresh_token =
generate_refresh_token(&mut transaction, ip_address, user.id(), app.id())
.await
.map_err(Error::internal_server_error)?;
// Add refresh token as a cookie
let mut cookie = Cookie::new(REFRESH_TOKEN_COOKIE_NAME, refresh_token);
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
cookie.set_max_age(Duration::days(REFRESH_TOKEN_DURATION_DAYS));
cookie_jar.add(cookie);
// Get base url
let settings = Settings::get(&mut transaction).await?;
@ -138,16 +145,23 @@ pub async fn settings_security_form(
.ok_or_else(|| Error::bad_request("Server url is not set"))?;
// Generate jwt
generate_jwt(
let jwt = generate_jwt(
&mut transaction,
&private_key,
&home_page,
&app.id().0,
&user,
cookie_jar,
)
.await
.map_err(Error::internal_server_error)?;
// Add jwt as a cookie
let mut cookie = Cookie::new(JWT_COOKIE_NAME, jwt);
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
cookie.set_max_age(Duration::minutes(JWT_DURATION_MINUTES));
cookie_jar.add(cookie);
}
}
transaction.commit().await?;

36
crates/ezidam/src/routes/oauth/redirect.rs
View file

@ -5,17 +5,15 @@ use authorization_codes::AuthorizationCode;
use jwt::database::Key;
use jwt::PrivateKey;
use refresh_tokens::RefreshToken;
use rocket::http::CookieJar;
use rocket::{get, UriDisplayQuery};
use rocket::get;
use settings::Settings;
use std::net::IpAddr;
use users::User;
#[derive(Debug, FromForm, UriDisplayQuery)]
pub struct RedirectRequest<'r> {
pub code: &'r str,
pub state: &'r str,
}
use crate::tokens::{
JWT_COOKIE_NAME, JWT_DURATION_MINUTES, REFRESH_TOKEN_COOKIE_NAME, REFRESH_TOKEN_DURATION_DAYS,
};
use rocket::http::{Cookie, CookieJar, SameSite};
use rocket::time::Duration;
#[get("/oauth/redirect?<redirect_request..>")]
pub async fn redirect_page(
@ -79,15 +77,22 @@ pub async fn redirect_page(
// TODO: refactor for "code" route
// Generate refresh token
generate_refresh_token(
let refresh_token = generate_refresh_token(
&mut transaction,
ip_address,
user.id(),
app.id(),
cookie_jar,
)
.await
.map_err(Error::internal_server_error)?;
// Add refresh token as a cookie
let mut cookie = Cookie::new(REFRESH_TOKEN_COOKIE_NAME, refresh_token);
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
cookie.set_max_age(Duration::days(REFRESH_TOKEN_DURATION_DAYS));
cookie_jar.add(cookie);
// Get latest key from database
let key = Key::get_most_recent(&mut transaction)
@ -105,16 +110,23 @@ pub async fn redirect_page(
.await??;
// Generate jwt
generate_jwt(
let jwt = generate_jwt(
&mut transaction,
&private_key,
&home_page,
&app.id().0,
&user,
cookie_jar,
)
.await
.map_err(Error::internal_server_error)?;
// Add jwt as a cookie
let mut cookie = Cookie::new(JWT_COOKIE_NAME, jwt);
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
cookie.set_max_age(Duration::minutes(JWT_DURATION_MINUTES));
cookie_jar.add(cookie);
}
transaction.commit().await?;

31
crates/ezidam/src/tokens.rs
View file

@ -2,8 +2,6 @@ use hash::SecretString;
use id::{AppID, UserID};
use jwt::{JwtClaims, PrivateKey};
use refresh_tokens::RefreshToken;
use rocket::http::{Cookie, CookieJar, SameSite};
use rocket::time::Duration;
use rocket::tokio::task;
use rocket_db_pools::sqlx::SqliteExecutor;
use std::net::IpAddr;
@ -17,8 +15,7 @@ pub async fn generate_refresh_token(
ip_address: IpAddr,
user_id: &UserID,
app_id: &AppID,
cookie_jar: &CookieJar<'_>,
) -> Result<(), String> {
) -> Result<String, String> {
// Generate refresh token
let refresh_token = task::spawn_blocking(|| SecretString::new(64))
.await
@ -36,18 +33,7 @@ pub async fn generate_refresh_token(
.await
.map_err(|e| e.to_string())?;
// Add refresh token as a cookie
let mut cookie = Cookie::new(
REFRESH_TOKEN_COOKIE_NAME,
refresh_token.as_ref().to_string(),
);
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
cookie.set_max_age(Duration::days(REFRESH_TOKEN_DURATION_DAYS));
cookie_jar.add(cookie);
Ok(())
Ok(refresh_token.to_string())
}
pub const JWT_DURATION_MINUTES: i64 = 15;
@ -59,8 +45,7 @@ pub async fn generate_jwt(
issuer: &str,
audience: &str,
user: &User,
cookie_jar: &CookieJar<'_>,
) -> Result<(), String> {
) -> Result<String, String> {
// TODO: get user roles
let roles = vec![];
@ -69,13 +54,5 @@ pub async fn generate_jwt(
.sign_serialize(private_key, JWT_DURATION_MINUTES)
.map_err(|e| e.to_string())?;
// Add jwt as a cookie
let mut cookie = Cookie::new(JWT_COOKIE_NAME, jwt);
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
cookie.set_max_age(Duration::minutes(JWT_DURATION_MINUTES));
cookie_jar.add(cookie);
Ok(())
Ok(jwt)
}