diff options
| author | Joris | 2023-08-12 20:05:09 +0200 |
|---|---|---|
| committer | Joris | 2023-08-12 20:05:09 +0200 |
| commit | 8c689db1c8fa06ddb9119e626e7b1149f3493905 (patch) | |
| tree | cb4029776162387a03a7a131ceee3628ed1ba4ef /src/controller | |
| parent | 459016e70dd4933a8082d27748097de81a3e53ff (diff) | |
Sign cookie with secret key
Diffstat (limited to 'src/controller')
| -rw-r--r-- | src/controller/error.rs | 6 | ||||
| -rw-r--r-- | src/controller/login.rs | 77 | ||||
| -rw-r--r-- | src/controller/payments.rs | 5 | ||||
| -rw-r--r-- | src/controller/utils.rs | 80 |
4 files changed, 80 insertions, 88 deletions
diff --git a/src/controller/error.rs b/src/controller/error.rs index 8dad16b..2a84255 100644 --- a/src/controller/error.rs +++ b/src/controller/error.rs @@ -6,13 +6,13 @@ use tera::{Context, Tera}; use crate::controller::utils; use crate::controller::wallet::Wallet; +// TODO error code pub fn error(wallet: &Wallet, title: &str, message: &str) -> Response<Body> { - utils::with_header( + utils::with_headers( Response::new( template(&wallet.assets, &wallet.templates, title, message).into(), ), - CACHE_CONTROL, - "no-cache", + vec![(CACHE_CONTROL, "no-cache")], ) } diff --git a/src/controller/login.rs b/src/controller/login.rs index 09a2786..9757c25 100644 --- a/src/controller/login.rs +++ b/src/controller/login.rs @@ -1,21 +1,24 @@ use bcrypt; +use hyper::header::SET_COOKIE; use hyper::{Body, Response}; use sqlx::sqlite::SqlitePool; use std::collections::HashMap; use tera::{Context, Tera}; use uuid::Uuid; +use crate::controller::utils::with_headers; use crate::controller::wallet::Wallet; use crate::controller::{error, utils}; use crate::db; use crate::model::config::Config; use crate::model::user::User; +use crate::utils::cookie; use crate::validation; pub async fn page( assets: &HashMap<String, String>, templates: &Tera, - error: Option<String>, + error: Option<&str>, ) -> Response<Body> { let connected_user: Option<User> = None; @@ -26,28 +29,23 @@ pub async fn page( utils::template(assets, templates, "login.html", context) } +// TODO rewrite pub async fn login( - config: Config, + config: &Config, assets: &HashMap<String, String>, templates: &Tera, form: HashMap<String, String>, pool: SqlitePool, ) -> Response<Body> { - let not_authorized = page( - assets, - templates, - Some("Vous n’êtes pas autorisé à vous connecter.".to_string()), - ) - .await; - let server_error = - page(assets, templates, Some("Erreur serveur.".to_string())).await; match validation::login::login(&form) { Some(login) => { match db::users::get_password_hash(&pool, login.email.clone()).await { Some(hash) => match bcrypt::verify(login.password, &hash) { Ok(true) => { + // TODO generate truly random instead of uuid let login_token = Uuid::new_v4(); + if db::users::set_login_token( &pool, login.email, @@ -55,31 +53,66 @@ pub async fn login( ) .await { - utils::with_login_cookie( - config, - login_token, - utils::redirect("/"), - ) + match cookie::login(config, login_token) { + Ok(str) => with_headers( + utils::redirect("/"), + vec![(SET_COOKIE, &str)], + ), + Err(msg) => { + server_error( + assets, + templates, + &format!( + "Error generating cookie: {msg}" + ), + ) + .await + } + } } else { - server_error + server_error(assets, templates, "Erreur server") + .await } } - Ok(false) => not_authorized, + Ok(false) => not_authorized(assets, templates).await, Err(err) => { error!("Error verifying bcrypt password: {:?}", err); - server_error + server_error(assets, templates, "Erreur serveur").await } }, - None => not_authorized, + None => not_authorized(assets, templates).await, } } - None => not_authorized, + None => not_authorized(assets, templates).await, } } -pub async fn logout(config: Config, wallet: &Wallet) -> Response<Body> { +async fn server_error( + assets: &HashMap<String, String>, + templates: &Tera, + msg: &str, +) -> Response<Body> { + page(assets, templates, Some(msg)).await +} + +async fn not_authorized( + assets: &HashMap<String, String>, + templates: &Tera, +) -> Response<Body> { + page( + assets, + templates, + Some("Vous n’êtes pas autorisé à vous connecter."), + ) + .await +} + +pub async fn logout(config: &Config, wallet: &Wallet) -> Response<Body> { if db::users::remove_login_token(&wallet.pool, wallet.user.id).await { - utils::with_logout_cookie(config, utils::redirect("/")) + with_headers( + utils::redirect("/"), + vec![(SET_COOKIE, &cookie::logout(config))], + ) } else { error::error(wallet, "Erreur serveur", "Erreur serveur") } diff --git a/src/controller/payments.rs b/src/controller/payments.rs index 42d3e3c..2663fa7 100644 --- a/src/controller/payments.rs +++ b/src/controller/payments.rs @@ -232,10 +232,9 @@ pub async fn search_category( ) -> Response<Body> { match db::payments::search_category(&wallet.pool, query.payment_name).await { - Some(category_id) => utils::with_header( + Some(category_id) => utils::with_headers( Response::new(format!("{}", category_id).into()), - CONTENT_TYPE, - "application/json", + vec![(CONTENT_TYPE, "application/json")], ), None => utils::not_found(), } diff --git a/src/controller/utils.rs b/src/controller/utils.rs index 26db765..fb1d9ad 100644 --- a/src/controller/utils.rs +++ b/src/controller/utils.rs @@ -1,23 +1,13 @@ use hyper::header::{ - HeaderName, HeaderValue, CACHE_CONTROL, CONTENT_TYPE, LOCATION, SET_COOKIE, + HeaderName, HeaderValue, CACHE_CONTROL, CONTENT_TYPE, LOCATION, }; use hyper::{Body, Response, StatusCode}; use std::collections::HashMap; use tera::{Context, Tera}; use tokio::fs::File; use tokio_util::codec::{BytesCodec, FramedRead}; -use uuid::Uuid; use crate::controller::error; -use crate::model::config::Config; - -pub fn with_header( - response: Response<Body>, - name: HeaderName, - value: &str, -) -> Response<Body> { - with_headers(response, vec![(name, value)]) -} pub fn with_headers( response: Response<Body>, @@ -31,40 +21,6 @@ pub fn with_headers( response } -pub fn with_login_cookie( - config: Config, - login_token: Uuid, - response: Response<Body>, -) -> Response<Body> { - let cookie = format!( - "TOKEN={}; SameSite=Strict; HttpOnly; Max-Age=86400{}", - login_token, - if config.secure_cookies { - "; Secure" - } else { - "" - } - ); - - with_header(response, SET_COOKIE, &cookie) -} - -pub fn with_logout_cookie( - config: Config, - response: Response<Body>, -) -> Response<Body> { - let cookie = format!( - "TOKEN=; SameSite=Strict; HttpOnly; Max-Age=0{}", - if config.secure_cookies { - "; Secure" - } else { - "" - } - ); - - with_header(response, SET_COOKIE, &cookie) -} - pub fn template( assets: &HashMap<String, String>, templates: &Tera, @@ -74,24 +30,28 @@ pub fn template( let mut context = context; context.insert("assets", assets); - let response = match templates.render(path, &context) { - Ok(template) => Response::new(template.into()), - Err(err) => Response::new( - error::template( - assets, - templates, - "Erreur serveur", - &format!( - "Erreur lors de la préparation de la page : {:?}", - err - ), - ) - .into(), + match templates.render(path, &context) { + Ok(template) => with_headers( + Response::new(template.into()), + vec![(CONTENT_TYPE, "text/html"), (CACHE_CONTROL, "no-cache")], ), - }; + Err(err) => server_error( + assets, + templates, + &format!("Erreur lors de la préparation de la page : {:?}", err), + ), + } +} +fn server_error( + assets: &HashMap<String, String>, + templates: &Tera, + msg: &str, +) -> Response<Body> { with_headers( - response, + Response::new( + error::template(assets, templates, "Erreur serveur", msg).into(), + ), vec![(CONTENT_TYPE, "text/html"), (CACHE_CONTROL, "no-cache")], ) } |