From aa865e2ed464a1bf8cfecc68a1a3b45230892ba6 Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 18:11:12 +0200 Subject: [PATCH 1/8] feat: add utils.rs provides a function that extracts auth header from headers --- src/main.rs | 1 + src/utils.rs | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 src/utils.rs diff --git a/src/main.rs b/src/main.rs index 4c909b1..b3dfe86 100644 --- a/src/main.rs +++ b/src/main.rs @@ -8,6 +8,7 @@ mod config; use config::{Config, ConfigBuilder}; mod api; pub mod crypto; +pub mod utils; type Error = Box; diff --git a/src/utils.rs b/src/utils.rs new file mode 100644 index 0000000..3b02593 --- /dev/null +++ b/src/utils.rs @@ -0,0 +1,17 @@ +use actix_web::{HttpResponse, http::header::HeaderMap}; + +pub fn get_auth_header(headers: &HeaderMap) -> Result<&str, HttpResponse> { + let auth_token = headers.get(actix_web::http::header::CONTENT_TYPE); + + if let None = auth_token { + return Err(HttpResponse::Unauthorized().finish()); + } + + let auth = auth_token.unwrap().to_str(); + + if let Err(error) = auth { + return Err(HttpResponse::Unauthorized().json(format!(r#" {{ "error": "{}" }} "#, error))); + } + + Ok(auth.unwrap()) +} -- 2.47.2 From 6c706d973edb854f92bb8fcc984cd2be7c87a89c Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 19:05:31 +0200 Subject: [PATCH 2/8] style: use created_at instead of created --- src/api/v1/auth/login.rs | 4 ++-- src/api/v1/auth/register.rs | 4 ++-- src/main.rs | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/api/v1/auth/login.rs b/src/api/v1/auth/login.rs index 3be5474..1bd781f 100644 --- a/src/api/v1/auth/login.rs +++ b/src/api/v1/auth/login.rs @@ -160,7 +160,7 @@ async fn login( .as_secs() as i64; if let Err(error) = sqlx::query(&format!( - "INSERT INTO refresh_tokens (token, uuid, created, device_name) VALUES ($1, '{}', $2, $3 )", + "INSERT INTO refresh_tokens (token, uuid, created_at, device_name) VALUES ($1, '{}', $2, $3 )", uuid )) .bind(&refresh_token) @@ -174,7 +174,7 @@ async fn login( } if let Err(error) = sqlx::query(&format!( - "INSERT INTO access_tokens (token, refresh_token, uuid, created) VALUES ($1, $2, '{}', $3 )", + "INSERT INTO access_tokens (token, refresh_token, uuid, created_at) VALUES ($1, $2, '{}', $3 )", uuid )) .bind(&access_token) diff --git a/src/api/v1/auth/register.rs b/src/api/v1/auth/register.rs index 5abe127..3971585 100644 --- a/src/api/v1/auth/register.rs +++ b/src/api/v1/auth/register.rs @@ -139,7 +139,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result) -> Result Result<(), Error> { CREATE TABLE IF NOT EXISTS refresh_tokens ( token varchar(64) PRIMARY KEY UNIQUE NOT NULL, uuid uuid NOT NULL REFERENCES users(uuid), - created int8 NOT NULL, + created_at int8 NOT NULL, device_name varchar(16) NOT NULL ); CREATE TABLE IF NOT EXISTS access_tokens ( token varchar(32) PRIMARY KEY UNIQUE NOT NULL, - refresh_token varchar(64) UNIQUE NOT NULL REFERENCES refresh_tokens(token), + refresh_token varchar(64) UNIQUE NOT NULL REFERENCES refresh_tokens(token) ON UPDATE CASCADE ON DELETE CASCADE, uuid uuid NOT NULL REFERENCES users(uuid), - created int8 NOT NULL + created_at int8 NOT NULL ) "#, ) -- 2.47.2 From cbf0131d14d975e50011e6c8a94f8fe02cf128e3 Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 19:05:51 +0200 Subject: [PATCH 3/8] feat: switch to headers for auth --- src/api/v1/auth/mod.rs | 27 ++++++++++--------- src/api/v1/auth/refresh.rs | 54 +++++++++++--------------------------- src/api/v1/auth/revoke.rs | 51 +++++++++++++++-------------------- src/api/v1/users/me.rs | 37 ++++++++------------------ src/api/v1/users/mod.rs | 50 +++++++++++++++-------------------- src/api/v1/users/uuid.rs | 36 +++++++++---------------- 6 files changed, 96 insertions(+), 159 deletions(-) diff --git a/src/api/v1/auth/mod.rs b/src/api/v1/auth/mod.rs index ff74c6b..e9b29d1 100644 --- a/src/api/v1/auth/mod.rs +++ b/src/api/v1/auth/mod.rs @@ -34,33 +34,36 @@ pub fn web() -> Scope { } pub async fn check_access_token( - access_token: String, + access_token: &str, pool: &sqlx::Pool, ) -> Result { - let row = sqlx::query_as( - "SELECT CAST(uuid as VARCHAR), created FROM access_tokens WHERE token = $1", - ) - .bind(&access_token) - .fetch_one(pool) - .await; + let row = + sqlx::query_as("SELECT CAST(uuid as VARCHAR), created_at FROM access_tokens WHERE token = $1") + .bind(&access_token) + .fetch_one(pool) + .await; if let Err(error) = row { - if error.to_string() == "no rows returned by a query that expected to return at least one row" { - return Err(HttpResponse::Unauthorized().finish()) + if error.to_string() + == "no rows returned by a query that expected to return at least one row" + { + return Err(HttpResponse::Unauthorized().finish()); } error!("{}", error); - return Err(HttpResponse::InternalServerError().json(r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#)) + return Err(HttpResponse::InternalServerError().json( + r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#, + )); } - let (uuid, created): (String, i64) = row.unwrap(); + let (uuid, created_at): (String, i64) = row.unwrap(); let current_time = SystemTime::now() .duration_since(UNIX_EPOCH) .unwrap() .as_secs() as i64; - let lifetime = current_time - created; + let lifetime = current_time - created_at; if lifetime > 3600 { return Err(HttpResponse::Unauthorized().finish()); diff --git a/src/api/v1/auth/refresh.rs b/src/api/v1/auth/refresh.rs index 5ac2402..e17ecc7 100644 --- a/src/api/v1/auth/refresh.rs +++ b/src/api/v1/auth/refresh.rs @@ -1,7 +1,6 @@ -use actix_web::{Error, HttpResponse, error, post, web}; -use futures::StreamExt; +use actix_web::{post, web, Error, HttpRequest, HttpResponse}; use log::error; -use serde::{Deserialize, Serialize}; +use serde::Serialize; use std::time::{SystemTime, UNIX_EPOCH}; use crate::{ @@ -9,32 +8,21 @@ use crate::{ crypto::{generate_access_token, generate_refresh_token}, }; -#[derive(Deserialize)] -struct RefreshRequest { - refresh_token: String, -} - #[derive(Serialize)] struct Response { refresh_token: String, access_token: String, } -const MAX_SIZE: usize = 262_144; - #[post("/refresh")] -pub async fn res(mut payload: web::Payload, data: web::Data) -> Result { - let mut body = web::BytesMut::new(); - while let Some(chunk) = payload.next().await { - let chunk = chunk?; - // limit max size of in-memory payload - if (body.len() + chunk.len()) > MAX_SIZE { - return Err(error::ErrorBadRequest("overflow")); - } - body.extend_from_slice(&chunk); +pub async fn res(req: HttpRequest, data: web::Data) -> Result { + let refresh_token_cookie = req.cookie("refresh_token"); + + if let None = refresh_token_cookie { + return Ok(HttpResponse::Unauthorized().finish()) } - let refresh_request = serde_json::from_slice::(&body)?; + let mut refresh_token = String::from(refresh_token_cookie.unwrap().value()); let current_time = SystemTime::now() .duration_since(UNIX_EPOCH) @@ -42,26 +30,18 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result 2592000 { if let Err(error) = sqlx::query("DELETE FROM refresh_tokens WHERE token = $1") - .bind(&refresh_request.refresh_token) + .bind(&refresh_token) .execute(&data.pool) .await { @@ -76,8 +56,6 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result 1987200 { let new_refresh_token = generate_refresh_token(); @@ -88,7 +66,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result) -> Result) -> Result { +pub async fn res( + req: HttpRequest, + mut payload: web::Payload, + data: web::Data, +) -> Result { + let headers = req.headers(); + + let auth_header = get_auth_header(headers); + + if let Err(error) = auth_header { + return Ok(error); + } + let mut body = web::BytesMut::new(); while let Some(chunk) = payload.next().await { let chunk = chunk?; @@ -40,7 +51,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result(&body)?; - let authorized = check_access_token(revoke_request.access_token, &data.pool).await; + let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; if let Err(error) = authorized { return Ok(error); @@ -94,16 +105,9 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result = tokens_raw.unwrap(); - let mut access_tokens_delete = vec![]; let mut refresh_tokens_delete = vec![]; for token in tokens { - access_tokens_delete.push( - sqlx::query("DELETE FROM access_tokens WHERE refresh_token = $1") - .bind(token.clone()) - .execute(&data.pool), - ); - refresh_tokens_delete.push( sqlx::query("DELETE FROM refresh_tokens WHERE token = $1") .bind(token.clone()) @@ -111,29 +115,16 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result> = - results_access_tokens - .iter() - .filter(|r| r.is_err()) - .collect(); - let refresh_tokens_errors: Vec<&Result> = - results_refresh_tokens + let errors: Vec<&Result> = + results .iter() .filter(|r| r.is_err()) .collect(); - if !access_tokens_errors.is_empty() && !refresh_tokens_errors.is_empty() { - error!("{:?}", access_tokens_errors); - error!("{:?}", refresh_tokens_errors); - return Ok(HttpResponse::InternalServerError().finish()); - } else if !access_tokens_errors.is_empty() { - error!("{:?}", access_tokens_errors); - return Ok(HttpResponse::InternalServerError().finish()); - } else if !refresh_tokens_errors.is_empty() { - error!("{:?}", refresh_tokens_errors); + if !errors.is_empty() { + error!("{:?}", errors); return Ok(HttpResponse::InternalServerError().finish()); } diff --git a/src/api/v1/users/me.rs b/src/api/v1/users/me.rs index 18e6ba8..f641678 100644 --- a/src/api/v1/users/me.rs +++ b/src/api/v1/users/me.rs @@ -1,14 +1,8 @@ -use actix_web::{Error, HttpResponse, error, post, web}; -use futures::StreamExt; +use actix_web::{Error, HttpRequest, HttpResponse, get, web}; use log::error; -use serde::{Deserialize, Serialize}; +use serde::Serialize; -use crate::{Data, api::v1::auth::check_access_token}; - -#[derive(Deserialize)] -struct AuthenticationRequest { - access_token: String, -} +use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header}; #[derive(Serialize)] struct Response { @@ -17,26 +11,17 @@ struct Response { display_name: String, } -const MAX_SIZE: usize = 262_144; +#[get("/me")] +pub async fn res(req: HttpRequest, data: web::Data) -> Result { + let headers = req.headers(); -#[post("/me")] -pub async fn res( - mut payload: web::Payload, - data: web::Data, -) -> Result { - let mut body = web::BytesMut::new(); - while let Some(chunk) = payload.next().await { - let chunk = chunk?; - // limit max size of in-memory payload - if (body.len() + chunk.len()) > MAX_SIZE { - return Err(error::ErrorBadRequest("overflow")); - } - body.extend_from_slice(&chunk); + let auth_header = get_auth_header(headers); + + if let Err(error) = auth_header { + return Ok(error); } - let authentication_request = serde_json::from_slice::(&body)?; - - let authorized = check_access_token(authentication_request.access_token, &data.pool).await; + let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; if let Err(error) = authorized { return Ok(error); diff --git a/src/api/v1/users/mod.rs b/src/api/v1/users/mod.rs index 937d857..d7cb1c6 100644 --- a/src/api/v1/users/mod.rs +++ b/src/api/v1/users/mod.rs @@ -1,18 +1,16 @@ -use actix_web::{error, post, web, Error, HttpResponse, Scope}; -use futures::StreamExt; +use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header}; +use actix_web::{get, web, Error, HttpRequest, HttpResponse, Scope}; use log::error; use serde::{Deserialize, Serialize}; use sqlx::prelude::FromRow; -use crate::{Data, api::v1::auth::check_access_token}; mod me; mod uuid; #[derive(Deserialize)] -struct Request { - access_token: String, - start: i32, - amount: i32, +struct RequestQuery { + start: Option, + amount: Option, } #[derive(Serialize, FromRow)] @@ -23,8 +21,6 @@ struct Response { email: String, } -const MAX_SIZE: usize = 262_144; - pub fn web() -> Scope { web::scope("/users") .service(res) @@ -32,36 +28,33 @@ pub fn web() -> Scope { .service(uuid::res) } -#[post("")] +#[get("")] pub async fn res( - mut payload: web::Payload, + req: HttpRequest, + request_query: web::Query, data: web::Data, ) -> Result { - let mut body = web::BytesMut::new(); - while let Some(chunk) = payload.next().await { - let chunk = chunk?; - // limit max size of in-memory payload - if (body.len() + chunk.len()) > MAX_SIZE { - return Err(error::ErrorBadRequest("overflow")); - } - body.extend_from_slice(&chunk); + let headers = req.headers(); + + let auth_header = get_auth_header(headers); + + let start = request_query.start.unwrap_or(0); + + let amount = request_query.amount.unwrap_or(10); + + if amount > 100 { + return Ok(HttpResponse::BadRequest().finish()); } - let request = serde_json::from_slice::(&body)?; - - if request.amount > 100 { - return Ok(HttpResponse::BadRequest().finish()) - } - - let authorized = check_access_token(request.access_token, &data.pool).await; + let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; if let Err(error) = authorized { return Ok(error); } let row = sqlx::query_as("SELECT CAST(uuid AS VARCHAR), username, display_name, email FROM users ORDER BY username LIMIT $1 OFFSET $2") - .bind(request.amount) - .bind(request.start) + .bind(amount) + .bind(start) .fetch_all(&data.pool) .await; @@ -74,4 +67,3 @@ pub async fn res( Ok(HttpResponse::Ok().json(accounts)) } - diff --git a/src/api/v1/users/uuid.rs b/src/api/v1/users/uuid.rs index 41d87cc..f4c1f13 100644 --- a/src/api/v1/users/uuid.rs +++ b/src/api/v1/users/uuid.rs @@ -1,15 +1,9 @@ -use actix_web::{Error, HttpResponse, error, post, web}; -use futures::StreamExt; +use actix_web::{Error, HttpRequest, HttpResponse, get, web}; use log::error; -use serde::{Deserialize, Serialize}; +use serde::Serialize; use uuid::Uuid; -use crate::{Data, api::v1::auth::check_access_token}; - -#[derive(Deserialize)] -struct AuthenticationRequest { - access_token: String, -} +use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header}; #[derive(Serialize)] struct Response { @@ -18,29 +12,23 @@ struct Response { display_name: String, } -const MAX_SIZE: usize = 262_144; - -#[post("/{uuid}")] +#[get("/{uuid}")] pub async fn res( - mut payload: web::Payload, + req: HttpRequest, path: web::Path<(Uuid,)>, data: web::Data, ) -> Result { - let mut body = web::BytesMut::new(); - while let Some(chunk) = payload.next().await { - let chunk = chunk?; - // limit max size of in-memory payload - if (body.len() + chunk.len()) > MAX_SIZE { - return Err(error::ErrorBadRequest("overflow")); - } - body.extend_from_slice(&chunk); - } + let headers = req.headers(); let uuid = path.into_inner().0; - let authentication_request = serde_json::from_slice::(&body)?; + let auth_header = get_auth_header(headers); - let authorized = check_access_token(authentication_request.access_token, &data.pool).await; + if let Err(error) = auth_header { + return Ok(error); + } + + let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; if let Err(error) = authorized { return Ok(error); -- 2.47.2 From a3846a26200625058669afc69785726ad3e70a3b Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 20:30:28 +0200 Subject: [PATCH 4/8] fix: use correct header --- src/utils.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/utils.rs b/src/utils.rs index 3b02593..56b43fa 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -1,7 +1,7 @@ use actix_web::{HttpResponse, http::header::HeaderMap}; pub fn get_auth_header(headers: &HeaderMap) -> Result<&str, HttpResponse> { - let auth_token = headers.get(actix_web::http::header::CONTENT_TYPE); + let auth_token = headers.get(actix_web::http::header::AUTHORIZATION); if let None = auth_token { return Err(HttpResponse::Unauthorized().finish()); -- 2.47.2 From f12f81d584982144a94db396450e2cdbe938d8a5 Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 21:30:33 +0200 Subject: [PATCH 5/8] fix: extract auth value --- src/utils.rs | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/utils.rs b/src/utils.rs index 56b43fa..d80bed4 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -13,5 +13,11 @@ pub fn get_auth_header(headers: &HeaderMap) -> Result<&str, HttpResponse> { return Err(HttpResponse::Unauthorized().json(format!(r#" {{ "error": "{}" }} "#, error))); } - Ok(auth.unwrap()) + let auth_value = auth.unwrap().split_whitespace().nth(1); + + if let None = auth_value { + return Err(HttpResponse::BadRequest().finish()); + } + + Ok(auth_value.unwrap()) } -- 2.47.2 From ebb4286c088158ec4235c5e92dfeaef177131cdb Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 22:13:05 +0200 Subject: [PATCH 6/8] refactor: move api to /api serve api under /api --- src/api/mod.rs | 13 +++++++++++-- src/main.rs | 3 +-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/src/api/mod.rs b/src/api/mod.rs index 80dc442..b79c824 100644 --- a/src/api/mod.rs +++ b/src/api/mod.rs @@ -1,2 +1,11 @@ -pub mod v1; -pub mod versions; +use actix_web::Scope; +use actix_web::web; + +mod v1; +mod versions; + +pub fn web() -> Scope { + web::scope("/api") + .service(v1::web()) + .service(versions::res) +} diff --git a/src/main.rs b/src/main.rs index fbde53b..e967021 100644 --- a/src/main.rs +++ b/src/main.rs @@ -89,8 +89,7 @@ async fn main() -> Result<(), Error> { HttpServer::new(move || { App::new() .app_data(web::Data::new(data.clone())) - .service(api::versions::res) - .service(api::v1::web()) + .service(api::web()) }) .bind((web.url, web.port))? .run() -- 2.47.2 From 0f897dc0c6235d57776ee85aaeee028730273d22 Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 22:13:28 +0200 Subject: [PATCH 7/8] feat: return refresh_token in cookie --- src/api/v1/auth/login.rs | 19 ++++++------------- src/api/v1/auth/mod.rs | 6 ++++++ src/api/v1/auth/refresh.rs | 19 ++++++------------- src/api/v1/auth/register.rs | 9 +++------ src/utils.rs | 12 +++++++++++- 5 files changed, 32 insertions(+), 33 deletions(-) diff --git a/src/api/v1/auth/login.rs b/src/api/v1/auth/login.rs index 1bd781f..0ea3d83 100644 --- a/src/api/v1/auth/login.rs +++ b/src/api/v1/auth/login.rs @@ -1,17 +1,17 @@ use std::time::{SystemTime, UNIX_EPOCH}; -use actix_web::{Error, HttpResponse, error, post, web}; +use actix_web::{error, post, web, Error, HttpResponse}; use argon2::{PasswordHash, PasswordVerifier}; use futures::StreamExt; use log::error; -use serde::{Deserialize, Serialize}; +use serde::Deserialize; use crate::{ - Data, - api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX}, - crypto::{generate_access_token, generate_refresh_token}, + api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX}, crypto::{generate_access_token, generate_refresh_token}, utils::refresh_token_cookie, Data }; +use super::Response; + #[derive(Deserialize)] struct LoginInformation { username: String, @@ -19,12 +19,6 @@ struct LoginInformation { device_name: String, } -#[derive(Serialize)] -pub struct Response { - pub access_token: String, - pub refresh_token: String, -} - const MAX_SIZE: usize = 262_144; #[post("/login")] @@ -187,8 +181,7 @@ async fn login( return HttpResponse::InternalServerError().finish() } - HttpResponse::Ok().json(Response { + HttpResponse::Ok().cookie(refresh_token_cookie(refresh_token)).json(Response { access_token, - refresh_token, }) } diff --git a/src/api/v1/auth/mod.rs b/src/api/v1/auth/mod.rs index e9b29d1..bfd32af 100644 --- a/src/api/v1/auth/mod.rs +++ b/src/api/v1/auth/mod.rs @@ -7,6 +7,7 @@ use std::{ use actix_web::{HttpResponse, Scope, web}; use log::error; use regex::Regex; +use serde::Serialize; use sqlx::Postgres; use uuid::Uuid; @@ -15,6 +16,11 @@ mod refresh; mod register; mod revoke; +#[derive(Serialize)] +struct Response { + access_token: String, +} + static EMAIL_REGEX: LazyLock = LazyLock::new(|| { Regex::new(r"[-A-Za-z0-9!#$%&'*+/=?^_`{|}~]+(?:\.[-A-Za-z0-9!#$%&'*+/=?^_`{|}~]+)*@(?:[A-Za-z0-9](?:[-A-Za-z0-9]*[A-Za-z0-9])?\.)+[A-Za-z0-9](?:[-A-Za-z0-9]*[A-Za-z0-9])?").unwrap() }); diff --git a/src/api/v1/auth/refresh.rs b/src/api/v1/auth/refresh.rs index e17ecc7..7e331a2 100644 --- a/src/api/v1/auth/refresh.rs +++ b/src/api/v1/auth/refresh.rs @@ -1,28 +1,22 @@ use actix_web::{post, web, Error, HttpRequest, HttpResponse}; use log::error; -use serde::Serialize; use std::time::{SystemTime, UNIX_EPOCH}; use crate::{ - Data, - crypto::{generate_access_token, generate_refresh_token}, + crypto::{generate_access_token, generate_refresh_token}, utils::refresh_token_cookie, Data }; -#[derive(Serialize)] -struct Response { - refresh_token: String, - access_token: String, -} +use super::Response; #[post("/refresh")] pub async fn res(req: HttpRequest, data: web::Data) -> Result { - let refresh_token_cookie = req.cookie("refresh_token"); + let recv_refresh_token_cookie = req.cookie("refresh_token"); - if let None = refresh_token_cookie { + if let None = recv_refresh_token_cookie { return Ok(HttpResponse::Unauthorized().finish()) } - let mut refresh_token = String::from(refresh_token_cookie.unwrap().value()); + let mut refresh_token = String::from(recv_refresh_token_cookie.unwrap().value()); let current_time = SystemTime::now() .duration_since(UNIX_EPOCH) @@ -101,8 +95,7 @@ pub async fn res(req: HttpRequest, data: web::Data) -> Result) -> Result { diff --git a/src/utils.rs b/src/utils.rs index d80bed4..b432d19 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -1,4 +1,4 @@ -use actix_web::{HttpResponse, http::header::HeaderMap}; +use actix_web::{cookie::{time::Duration, Cookie, SameSite}, http::header::HeaderMap, HttpResponse}; pub fn get_auth_header(headers: &HeaderMap) -> Result<&str, HttpResponse> { let auth_token = headers.get(actix_web::http::header::AUTHORIZATION); @@ -21,3 +21,13 @@ pub fn get_auth_header(headers: &HeaderMap) -> Result<&str, HttpResponse> { Ok(auth_value.unwrap()) } + +pub fn refresh_token_cookie(refresh_token: String) -> Cookie<'static> { + Cookie::build("refresh_token", refresh_token) + .http_only(true) + .secure(true) + .same_site(SameSite::None) + .path("/api") + .max_age(Duration::days(30)) + .finish() +} -- 2.47.2 From c61f96ffe7b516643e8e31bc5c39bd71021a698d Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 23:02:17 +0200 Subject: [PATCH 8/8] feat: expire refresh_token immediately on unauthorized response --- src/api/v1/auth/refresh.rs | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/api/v1/auth/refresh.rs b/src/api/v1/auth/refresh.rs index 7e331a2..8c3e7d0 100644 --- a/src/api/v1/auth/refresh.rs +++ b/src/api/v1/auth/refresh.rs @@ -42,7 +42,11 @@ pub async fn res(req: HttpRequest, data: web::Data) -> Result) -> Result