From 895d7246f09e73426cdfcd3c3411100898c9d681 Mon Sep 17 00:00:00 2001 From: shockrah Date: Tue, 19 May 2020 20:13:56 -0700 Subject: [PATCH] auth::create_new_session_key => impl not tested auth::login now generates a 500 on db insertion failure auth::login returning single json value instead of full struct --- server/src/auth.rs | 34 +++++++++++++++++++++++++++++----- server/src/schema.rs | 3 +-- 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/server/src/auth.rs b/server/src/auth.rs index 899fe49..6742761 100644 --- a/server/src/auth.rs +++ b/server/src/auth.rs @@ -13,6 +13,8 @@ use rocket::response::{self, Responder, Response}; use rocket::request::{Form, Request}; use rocket_contrib::json::{Json, JsonValue}; use diesel::{self, prelude::*}; + +use chrono::{Duration, Utc}; use std::{error, fmt}; #[allow(dead_code)] // added because these fields are read through rocket, not directly; and rls keeps complainin @@ -117,9 +119,24 @@ fn blind_remove_session(conn: &MysqlConnection, sesh_secret: &str) { .execute(conn); } -fn create_new_session_key() -> String { - let key_raw = utils::new_key(); - utils::encode_param(&key_raw) +fn create_new_session_key(conn: &MysqlConnection) -> Option { + use crate::models::InsertableSession; + + let new_session = InsertableSession { + secret: utils::new_key(), + expires: (Utc::now() + Duration::hours(1)).timestamp() as u64 + }; + + // insert the new key into our db + let db_result = diesel::insert_into(schema::sessions::table) + .values(&new_session) + .execute(conn); + + // finally return the key assuming everything went well + match db_result { + Ok(_val) => Some(new_session.secret), + Err(_e) => None + } } #[post("/login", data = "")] @@ -131,8 +148,14 @@ pub fn login(conn: DBConn, api_key: Form) -> AuthResult Ok(json!({"key": data})), + None => Err(AuthErr { + msg: "Could not create session", + status: 500 + }) + } } else { Err(AuthErr { 
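Review bot: The `Err(_e) => None` arm in create_new_session_key discards the diesel error entirely, so a failed insert reaches the client only as the generic 500 "Could not create session" and leaves nothing for an operator to diagnose (the `None =>` arm added in the login hunk inherits the same gap). Keeping the client-facing message generic is the right call; the detail belongs in the server log instead, e.g. `Err(e) => { eprintln!("session insert failed: {}", e); None }`, or the function could return a `Result` and let login decide what to expose. The expiry line `(Utc::now() + Duration::hours(1)).timestamp() as u64` is a sign-changing cast; it cannot be negative here, but `u64::try_from(...)` with a short comment would make that assumption explicit. A doc comment would also help: `/// Generates a session secret, stores it with a one-hour expiry, and returns it; None if the insert failed.` Whether anything checks `expires` when a session is looked up is outside this hunk.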
@@ -178,6 +201,7 @@ mod auth_tests { Err(e) => panic!("`.env` could not be loaded: {:?}", e) } } + #[test] fn feed_n_leave() { // Create an invite in our db manually diff --git a/server/src/schema.rs b/server/src/schema.rs index 09e4ead..7fc4738 100644 --- a/server/src/schema.rs +++ b/server/src/schema.rs @@ -18,8 +18,7 @@ table! { } table! { - sessions (id) { - id -> Unsigned, + sessions (secret) { secret -> Varchar, expires -> Unsigned, }
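Review bot: Making `secret` the primary key of `sessions` means uniqueness and every lookup by secret now follow the column's MySQL collation, and under a case-insensitive default collation two secrets differing only in case compare equal, which shrinks the effective key space and lets a case variant of a token match on lookup; the collation is not visible in this patch, so it is worth confirming in the migration (`COLLATE utf8mb4_bin` or a `VARBINARY` column keeps comparisons exact). The diffstat lists no migration next to this hand edit of schema.rs, so if the file is regenerated with `diesel print-schema` the change is lost and the database keeps `id` as its key. A `utils::new_key()` collision now fails the insert and, via create_new_session_key, becomes a 500 on login instead of a duplicate row, which is the safer outcome but may deserve a single retry.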