auth::create_new_session_key => impl not tested

auth::login now generates a 500 on db insertion failure auth::login returning single json value instead of full struct
2020-05-19 20:13:56 -07:00 · 2020-05-19 20:13:56 -07:00 · 895d7246f0
commit 895d7246f0
parent 87fc6700a4
2 changed files with 30 additions and 7 deletions
--- a/server/src/auth.rs
+++ b/server/src/auth.rs
@ -13,6 +13,8 @@ use rocket::response::{self, Responder, Response};
 use rocket::request::{Form, Request};
 use rocket_contrib::json::{Json, JsonValue};
 use diesel::{self, prelude::*};
+
+use chrono::{Duration, Utc};
 use std::{error, fmt};

 #[allow(dead_code)] // added because these fields are read through rocket, not directly; and rls keeps complainin
@ -117,9 +119,24 @@ fn blind_remove_session(conn: &MysqlConnection, sesh_secret: &str) {
        .execute(conn);
 }

-fn create_new_session_key() -> String {
-    let key_raw = utils::new_key();
-    utils::encode_param(&key_raw)
+fn create_new_session_key(conn: &MysqlConnection) -> Option<String> {
+    use crate::models::InsertableSession;
+
+    let new_session = InsertableSession {
+        secret: utils::new_key(),
+        expires: (Utc::now() + Duration::hours(1)).timestamp() as u64
+    };
+
+    // insert the new key into our db 
+    let db_result = diesel::insert_into(schema::sessions::table)
+        .values(&new_session)
+        .execute(conn);
+
+    // finally return the key assuming everything went well
+    match db_result {
+        Ok(_val) => Some(new_session.secret),
+        Err(_e) => None
+    }
 }

 #[post("/login", data = "<api_key>")]
@ -131,8 +148,14 @@ pub fn login(conn: DBConn, api_key: Form<AuthKey>) -> AuthResult<JsonValue, Auth

    if confirm_user_api_access(&conn.0, api_key.id, &api_key.secret) {
        blind_remove_session(&conn.0, &api_key.secret);
-        let key = create_new_session_key();
-        Ok(json!({"key": key}))
+        let key = create_new_session_key(&conn.0);
+        match key {
+            Some(data) => Ok(json!({"key": data})),
+            None => Err(AuthErr {
+                msg: "Could not create session",
+                status: 500
+            })
+        }
    }
    else {
        Err(AuthErr {
@ -178,6 +201,7 @@ mod auth_tests {
            Err(e) => panic!("`.env` could not be loaded: {:?}", e)
        }
    }
+
    #[test]
    fn feed_n_leave() {
        // Create an invite in our db manually
--- a/server/src/schema.rs
+++ b/server/src/schema.rs
@ -18,8 +18,7 @@ table! {
 }

 table! {
-    sessions (id) {
-        id -> Unsigned<Bigint>,
+    sessions (secret) {
        secret -> Varchar,
        expires -> Unsigned<Bigint>,
    }