From 7263ae0980ff53a0ecc93dc6a4f1a8c54f8d5f97 Mon Sep 17 00:00:00 2001
From: shockrah <alejandros714@protonmail.com>
Date: Mon, 28 Dec 2020 22:16:55 -0800
Subject: [PATCH] Preventing outsiders from refreshing someone else's token !
 Unless their id/secret combo is robbed in which case they're screwed anyway
 /shrug

---
 server-api/src/auth.rs | 4 ++--
 server-api/src/main.rs | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/server-api/src/auth.rs b/server-api/src/auth.rs
index a1f68bd..747a0bd 100644
--- a/server-api/src/auth.rs
+++ b/server-api/src/auth.rs
@@ -42,6 +42,7 @@ pub enum AuthReason {
     OpenAuth, // route does not require auth
     NoKey,    // key missing 
     BadKey,   // key is bad
+    LoginValid, // used only to access the login route which is also our refresh
     ServerIssue(String) // for well 500's
 }
 
@@ -168,7 +169,7 @@ pub async fn wall_entry<'path, 'pool, 'params>(
             return match Member::get(pool, id).await {
                 Response::Row(user) => {
                     if valid_secret(secret, &user.secret) && valid_perms(user, path){
-                        AuthReason::Good
+                        AuthReason::LoginValid
                     }
                     else {
                         AuthReason::BadKey
@@ -194,7 +195,6 @@ pub async fn login_get_jwt(p: &Pool, response: &mut hyper::Response<hyper::Body>
     let id = params.get("id").unwrap().as_u64().unwrap(); // only route where we have the "id is there guarantee"
     let claim = Claim::new(id);
     let header = Header::new(Algorithm::HS512);
-    println!("{:?}-{:?}", header, claim);
     let encoded = encode(
         &header, 
         &claim, 
diff --git a/server-api/src/main.rs b/server-api/src/main.rs
index 2dc2081..41e65cf 100644
--- a/server-api/src/main.rs
+++ b/server-api/src/main.rs
@@ -50,8 +50,6 @@ async fn route_dispatcher(pool: &Pool, resp: &mut Response<Body>, meth: &Method,
     const POST: &Method = &Method::POST;
     const DELETE: &Method = &Method::DELETE;
     match (meth, path) {
-        /* AUTHENTICATION */
-        (POST, routes::AUTH_LOGIN) => auth::login_get_jwt(pool, resp, params).await,
         /* INVITES */
         (GET, routes::INVITE_CREATE) => invites::create(pool, resp, params).await,
         (GET, routes::INVITE_JOIN) => invites::join(pool, resp, params).await,
@@ -89,6 +87,7 @@ async fn main_responder(request: Request<Body>) -> Result<Response<Body>, hyper:
         let mysql_pool = Pool::new(&env::var("DATABASE_URL").unwrap());
         match auth::wall_entry(path, &mysql_pool, &params).await {
             OpenAuth | Good =>  route_dispatcher(&mysql_pool, &mut response, &method, path, params).await,
+            LoginValid => auth::login_get_jwt(&mysql_pool, &mut response, params).await,
             NoKey | BadKey =>   *response.status_mut() = StatusCode::UNAUTHORIZED,
             ServerIssue(msg) => {
                 println!("\tAUTH : 500 [{}]", msg);