Preventing outsiders from refreshing someone else's token

! Unless their id/secret combo is stolen, in which case they're screwed anyway /shrug
shockrah 2020-12-28 22:16:55 -08:00
parent 5366ba9690
commit 7263ae0980
2 changed files with 3 additions and 4 deletions


@ -42,6 +42,7 @@ pub enum AuthReason {
OpenAuth, // route does not require auth OpenAuth, // route does not require auth
NoKey, // key missing NoKey, // key missing
BadKey, // key is bad BadKey, // key is bad
LoginValid, // used only to access the login route which is also our refresh
ServerIssue(String) // for well 500's ServerIssue(String) // for well 500's
} }
@ -168,7 +169,7 @@ pub async fn wall_entry<'path, 'pool, 'params>(
return match Member::get(pool, id).await { return match Member::get(pool, id).await {
Response::Row(user) => { Response::Row(user) => {
if valid_secret(secret, &user.secret) && valid_perms(user, path){ if valid_secret(secret, &user.secret) && valid_perms(user, path){
AuthReason::Good AuthReason::LoginValid
} }
else { else {
AuthReason::BadKey AuthReason::BadKey
@ -194,7 +195,6 @@ pub async fn login_get_jwt(p: &Pool, response: &mut hyper::Response<hyper::Body>
let id = params.get("id").unwrap().as_u64().unwrap(); // only route where we have the "id is there guarantee" let id = params.get("id").unwrap().as_u64().unwrap(); // only route where we have the "id is there guarantee"
let claim = Claim::new(id); let claim = Claim::new(id);
let header = Header::new(Algorithm::HS512); let header = Header::new(Algorithm::HS512);
println!("{:?}-{:?}", header, claim);
let encoded = encode( let encoded = encode(
&header, &header,
&claim, &claim,
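Review bot: In the `wall_entry` hunk, any request that passes `valid_secret` and `valid_perms` now returns `AuthReason::LoginValid`, but nothing visible ties that branch to the login route, which is what the new comment on the enum variant promises. If the arm is reachable for other paths, an id/secret request to any route would be answered with a fresh JWT instead of the handler it asked for. `wall_entry` starts and ends outside the hunk, so the guard may already exist above. If it does not, gate the result on the path, e.g. `if path == routes::AUTH_LOGIN { AuthReason::LoginValid } else { AuthReason::Good }`, or at least state the precondition in a comment on that branch.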


@ -50,8 +50,6 @@ async fn route_dispatcher(pool: &Pool, resp: &mut Response<Body>, meth: &Method,
const POST: &Method = &Method::POST; const POST: &Method = &Method::POST;
const DELETE: &Method = &Method::DELETE; const DELETE: &Method = &Method::DELETE;
match (meth, path) { match (meth, path) {
/* AUTHENTICATION */
(POST, routes::AUTH_LOGIN) => auth::login_get_jwt(pool, resp, params).await,
/* INVITES */ /* INVITES */
(GET, routes::INVITE_CREATE) => invites::create(pool, resp, params).await, (GET, routes::INVITE_CREATE) => invites::create(pool, resp, params).await,
(GET, routes::INVITE_JOIN) => invites::join(pool, resp, params).await, (GET, routes::INVITE_JOIN) => invites::join(pool, resp, params).await,
@ -89,6 +87,7 @@ async fn main_responder(request: Request<Body>) -> Result<Response<Body>, hyper:
let mysql_pool = Pool::new(&env::var("DATABASE_URL").unwrap()); let mysql_pool = Pool::new(&env::var("DATABASE_URL").unwrap());
match auth::wall_entry(path, &mysql_pool, &params).await { match auth::wall_entry(path, &mysql_pool, &params).await {
OpenAuth | Good => route_dispatcher(&mysql_pool, &mut response, &method, path, params).await, OpenAuth | Good => route_dispatcher(&mysql_pool, &mut response, &method, path, params).await,
LoginValid => auth::login_get_jwt(&mysql_pool, &mut response, params).await,
NoKey | BadKey => *response.status_mut() = StatusCode::UNAUTHORIZED, NoKey | BadKey => *response.status_mut() = StatusCode::UNAUTHORIZED,
ServerIssue(msg) => { ServerIssue(msg) => {
println!("\tAUTH : 500 [{}]", msg); println!("\tAUTH : 500 [{}]", msg);
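Review bot: The new `LoginValid` arm in `main_responder` calls `auth::login_get_jwt` without checking `method`, whereas the arm removed from `route_dispatcher` matched only `(POST, routes::AUTH_LOGIN)`. A token can now be issued for any HTTP method that reaches this arm, and depending on how `params` is parsed (not visible here) that may let the id/secret pair travel in places that get logged or cached. The restriction can be kept with `LoginValid if method == Method::POST => auth::login_get_jwt(&mysql_pool, &mut response, params).await,` followed by `LoginValid => *response.status_mut() = StatusCode::METHOD_NOT_ALLOWED,`. `main_responder` continues outside the hunk.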