Preventing outsiders from refreshing someone else's token

! Unless their id/secret combo is robbed in which case they're screwed anyway /shrug
2020-12-28 22:16:55 -08:00 · 2020-12-28 22:16:55 -08:00 · 7263ae0980
commit 7263ae0980
parent 5366ba9690
2 changed files with 3 additions and 4 deletions
--- a/server-api/src/auth.rs
+++ b/server-api/src/auth.rs
@ -42,6 +42,7 @@ pub enum AuthReason {
    OpenAuth, // route does not require auth
    NoKey,    // key missing 
    BadKey,   // key is bad
+    LoginValid, // used only to access the login route which is also our refresh
    ServerIssue(String) // for well 500's
 }

@ -168,7 +169,7 @@ pub async fn wall_entry<'path, 'pool, 'params>(
            return match Member::get(pool, id).await {
                Response::Row(user) => {
                    if valid_secret(secret, &user.secret) && valid_perms(user, path){
-                        AuthReason::Good
+                        AuthReason::LoginValid
                    }
                    else {
                        AuthReason::BadKey
@ -194,7 +195,6 @@ pub async fn login_get_jwt(p: &Pool, response: &mut hyper::Response<hyper::Body>
    let id = params.get("id").unwrap().as_u64().unwrap(); // only route where we have the "id is there guarantee"
    let claim = Claim::new(id);
    let header = Header::new(Algorithm::HS512);
-    println!("{:?}-{:?}", header, claim);
    let encoded = encode(
        &header, 
        &claim, 
--- a/server-api/src/main.rs
+++ b/server-api/src/main.rs
@ -50,8 +50,6 @@ async fn route_dispatcher(pool: &Pool, resp: &mut Response<Body>, meth: &Method,
    const POST: &Method = &Method::POST;
    const DELETE: &Method = &Method::DELETE;
    match (meth, path) {
-        /* AUTHENTICATION */
-        (POST, routes::AUTH_LOGIN) => auth::login_get_jwt(pool, resp, params).await,
        /* INVITES */
        (GET, routes::INVITE_CREATE) => invites::create(pool, resp, params).await,
        (GET, routes::INVITE_JOIN) => invites::join(pool, resp, params).await,
@ -89,6 +87,7 @@ async fn main_responder(request: Request<Body>) -> Result<Response<Body>, hyper:
        let mysql_pool = Pool::new(&env::var("DATABASE_URL").unwrap());
        match auth::wall_entry(path, &mysql_pool, &params).await {
            OpenAuth | Good =>  route_dispatcher(&mysql_pool, &mut response, &method, path, params).await,
+            LoginValid => auth::login_get_jwt(&mysql_pool, &mut response, params).await,
            NoKey | BadKey =>   *response.status_mut() = StatusCode::UNAUTHORIZED,
            ServerIssue(msg) => {
                println!("\tAUTH : 500 [{}]", msg);