From 21d79d292b6cf324e242c16fb5b5de778cd1a916 Mon Sep 17 00:00:00 2001 From: Alex Kotov Date: Sat, 17 Oct 2020 02:33:24 +0500 Subject: [PATCH] Move CSRF protection to separate crate --- Cargo.lock | 12 +- Cargo.toml | 3 +- contrib/rocket_csrf/.gitignore | 1 + contrib/rocket_csrf/Cargo.lock | 791 --------------------------------- contrib/rocket_csrf/src/lib.rs | 89 +++- src/csrf.rs | 86 ---- src/main.rs | 1 - src/routes/home.rs | 3 +- src/routes/sessions.rs | 15 +- src/routes/users.rs | 9 +- src/web.rs | 3 +- 11 files changed, 109 insertions(+), 904 deletions(-) delete mode 100644 contrib/rocket_csrf/Cargo.lock delete mode 100644 src/csrf.rs diff --git a/Cargo.lock b/Cargo.lock index 6454c29..0636fa4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -305,15 +305,14 @@ checksum = "e88a8acf291dafb59c2d96e8f59828f3838bb1a70398823ade51a84de6a6deed" name = "fedihub-registry" version = "0.0.0" dependencies = [ - "base64 0.13.0", "bcrypt", "diesel", "dotenv", "r2d2", - "rand", "regex", "rocket", "rocket_contrib", + "rocket_csrf", "serde", "serde_derive", "serde_json", @@ -1089,6 +1088,15 @@ dependencies = [ "yansi", ] +[[package]] +name = "rocket_csrf" +version = "0.0.0" +dependencies = [ + "base64 0.13.0", + "rand", + "rocket", +] + [[package]] name = "rocket_http" version = "0.4.5" diff --git a/Cargo.toml b/Cargo.toml index 2831453..5e73a6c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -13,12 +13,11 @@ categories = [] publish = true [dependencies] -base64 = "0.13.0" bcrypt = "0.8.2" dotenv = "0.15.0" r2d2 = "0.8.9" -rand = "0.7.3" regex = "1.4.1" +rocket_csrf = { path = "contrib/rocket_csrf" } serde = "1.0" serde_derive = "1.0" serde_json = "1.0" diff --git a/contrib/rocket_csrf/.gitignore b/contrib/rocket_csrf/.gitignore index b83d222..042776a 100644 --- a/contrib/rocket_csrf/.gitignore +++ b/contrib/rocket_csrf/.gitignore @@ -1 +1,2 @@ +/Cargo.lock /target/ 
diff --git a/contrib/rocket_csrf/Cargo.lock b/contrib/rocket_csrf/Cargo.lock deleted file mode 100644 index de3243b..0000000 --- a/contrib/rocket_csrf/Cargo.lock +++ /dev/null 
@@ -1,791 +0,0 @@ -# This file is automatically @generated by Cargo. -# It is not intended for manual editing. -[[package]] -name = "aead" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4cf01b9b56e767bb57b94ebf91a58b338002963785cdd7013e21c0d4679471e4" -dependencies = [ - "generic-array", -] - -[[package]] -name = "aes" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54eb1d8fe354e5fc611daf4f2ea97dd45a765f4f1e4512306ec183ae2e8f20c9" -dependencies = [ - "aes-soft", - "aesni", - "block-cipher-trait", -] - -[[package]] -name = "aes-gcm" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "834a6bda386024dbb7c8fc51322856c10ffe69559f972261c868485f5759c638" -dependencies = [ - "aead", - "aes", - "block-cipher-trait", - "ghash", - "subtle 2.3.0", - "zeroize", -] - -[[package]] -name = "aes-soft" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cfd7e7ae3f9a1fb5c03b389fc6bb9a51400d0c13053f0dca698c832bfd893a0d" -dependencies = [ - "block-cipher-trait", - "byteorder", - "opaque-debug", -] - -[[package]] -name = "aesni" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f70a6b5f971e473091ab7cfb5ffac6cde81666c4556751d8d5620ead8abf100" -dependencies = [ - "block-cipher-trait", - "opaque-debug", -] - -[[package]] -name = "atty" -version = "0.2.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8" -dependencies = [ - "hermit-abi", - "libc", - "winapi", -] - -[[package]] -name = "autocfg" -version = "1.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" - -[[package]] -name = "base64" -version = "0.9.3" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "489d6c0ed21b11d038c31b6ceccca973e65d73ba3bd8ecb9a2babf5546164643" -dependencies = [ - "byteorder", - "safemem", -] - -[[package]] -name = "base64" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3441f0f7b02788e948e47f457ca01f1d7e6d92c693bc132c22b087d3141c03ff" - -[[package]] -name = "base64" -version = "0.13.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd" - -[[package]] -name = "bitflags" -version = "1.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693" - -[[package]] -name = "block-buffer" -version = "0.7.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0940dc441f31689269e10ac70eb1002a3a1d3ad1390e030043662eb7fe4688b" -dependencies = [ - "block-padding", - "byte-tools", - "byteorder", - "generic-array", -] - -[[package]] -name = "block-cipher-trait" -version = "0.6.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c924d49bd09e7c06003acda26cd9742e796e34282ec6c1189404dee0c1f4774" -dependencies = [ - "generic-array", -] - -[[package]] -name = "block-padding" -version = "0.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fa79dedbb091f449f1f39e53edf88d5dbe95f895dae6135a8d7b881fb5af73f5" -dependencies = [ - "byte-tools", -] - -[[package]] -name = "byte-tools" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3b5ca7a04898ad4bcd41c90c5285445ff5b791899bb1b0abdd2a2aa791211d7" - -[[package]] -name = "byteorder" -version = "1.3.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "08c48aae112d48ed9f069b33538ea9e3e90aa263cfa3d1c24309612b1f7472de" - -[[package]] -name = "cfg-if" -version = 
"0.1.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822" - -[[package]] -name = "cookie" -version = "0.11.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5795cda0897252e34380a27baf884c53aa7ad9990329cdad96d4c5d027015d44" -dependencies = [ - "aes-gcm", - "base64 0.12.3", - "hkdf", - "hmac", - "percent-encoding 2.1.0", - "rand", - "sha2", - "time", -] - -[[package]] -name = "crypto-mac" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4434400df11d95d556bac068ddfedd482915eb18fe8bea89bc80b6e4b1c179e5" -dependencies = [ - "generic-array", - "subtle 1.0.0", -] - -[[package]] -name = "devise" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "74e04ba2d03c5fa0d954c061fc8c9c288badadffc272ebb87679a89846de3ed3" -dependencies = [ - "devise_codegen", - "devise_core", -] - -[[package]] -name = "devise_codegen" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "066ceb7928ca93a9bedc6d0e612a8a0424048b0ab1f75971b203d01420c055d7" -dependencies = [ - "devise_core", - "quote", -] - -[[package]] -name = "devise_core" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf41c59b22b5e3ec0ea55c7847e5f358d340f3a8d6d53a5cf4f1564967f96487" -dependencies = [ - "bitflags", - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "digest" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f3d0c8c8752312f9713efd397ff63acb9f85585afbf179282e720e7704954dd5" -dependencies = [ - "generic-array", -] - -[[package]] -name = "fake-simd" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e88a8acf291dafb59c2d96e8f59828f3838bb1a70398823ade51a84de6a6deed" - -[[package]] -name = "generic-array" 
-version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c68f0274ae0e023facc3c97b2e00f076be70e254bc851d972503b328db79b2ec" -dependencies = [ - "typenum", -] - -[[package]] -name = "getrandom" -version = "0.1.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc587bc0ec293155d5bfa6b9891ec18a1e330c234f896ea47fbada4cadbe47e6" -dependencies = [ - "cfg-if", - "libc", - "wasi 0.9.0+wasi-snapshot-preview1", -] - -[[package]] -name = "ghash" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f0930ed19a7184089ea46d2fedead2f6dc2b674c5db4276b7da336c7cd83252" -dependencies = [ - "polyval", -] - -[[package]] -name = "glob" -version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" - -[[package]] -name = "hashbrown" -version = "0.9.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7afe4a420e3fe79967a00898cc1f4db7c8a49a9333a29f8a4bd76a253d5cd04" - -[[package]] -name = "hermit-abi" -version = "0.1.17" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5aca5565f760fb5b220e499d72710ed156fdb74e631659e99377d9ebfbd13ae8" -dependencies = [ - "libc", -] - -[[package]] -name = "hkdf" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fa08a006102488bd9cd5b8013aabe84955cf5ae22e304c2caf655b633aefae3" -dependencies = [ - "digest", - "hmac", -] - -[[package]] -name = "hmac" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5dcb5e64cda4c23119ab41ba960d1e170a774c8e4b9d9e6a9bc18aabf5e59695" -dependencies = [ - "crypto-mac", - "digest", -] - -[[package]] -name = "httparse" -version = "1.3.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"cd179ae861f0c2e53da70d892f5f3029f9594be0c41dc5269cd371691b1dc2f9" - -[[package]] -name = "hyper" -version = "0.10.16" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a0652d9a2609a968c14be1a9ea00bf4b1d64e2e1f53a1b51b6fff3a6e829273" -dependencies = [ - "base64 0.9.3", - "httparse", - "language-tags", - "log 0.3.9", - "mime", - "num_cpus", - "time", - "traitobject", - "typeable", - "unicase", - "url", -] - -[[package]] -name = "idna" -version = "0.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38f09e0f0b1fb55fdee1f17470ad800da77af5186a1a76c026b679358b7e844e" -dependencies = [ - "matches", - "unicode-bidi", - "unicode-normalization", -] - -[[package]] -name = "indexmap" -version = "1.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55e2e4c765aa53a0424761bf9f41aa7a6ac1efa87238f59560640e27fca028f2" -dependencies = [ - "autocfg", - "hashbrown", -] - -[[package]] -name = "language-tags" -version = "0.2.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a91d884b6667cd606bb5a69aa0c99ba811a115fc68915e7056ec08a46e93199a" - -[[package]] -name = "libc" -version = "0.2.79" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2448f6066e80e3bfc792e9c98bf705b4b0fc6e8ef5b43e5889aff0eaa9c58743" - -[[package]] -name = "log" -version = "0.3.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e19e8d5c34a3e0e2223db8e060f9e8264aeeb5c5fc64a4ee9965c062211c024b" -dependencies = [ - "log 0.4.11", -] - -[[package]] -name = "log" -version = "0.4.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4fabed175da42fed1fa0746b0ea71f412aa9d35e76e95e59b192c64b9dc2bf8b" -dependencies = [ - "cfg-if", -] - -[[package]] -name = "matches" -version = "0.1.8" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"7ffc5c5338469d4d3ea17d269fa8ea3512ad247247c30bd2df69e68309ed0a08" - -[[package]] -name = "memchr" -version = "2.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3728d817d99e5ac407411fa471ff9800a778d88a24685968b36824eaf4bee400" - -[[package]] -name = "mime" -version = "0.2.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba626b8a6de5da682e1caa06bdb42a335aee5a84db8e5046a3e8ab17ba0a3ae0" -dependencies = [ - "log 0.3.9", -] - -[[package]] -name = "num_cpus" -version = "1.13.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05499f3756671c15885fee9034446956fff3f243d6077b91e5767df161f766b3" -dependencies = [ - "hermit-abi", - "libc", -] - -[[package]] -name = "opaque-debug" -version = "0.2.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c" - -[[package]] -name = "pear" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5320f212db967792b67cfe12bd469d08afd6318a249bd917d5c19bc92200ab8a" -dependencies = [ - "pear_codegen", -] - -[[package]] -name = "pear_codegen" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfc1c836fdc3d1ef87c348b237b5b5c4dff922156fb2d968f57734f9669768ca" -dependencies = [ - "proc-macro2", - "quote", - "syn", - "version_check 0.9.2", - "yansi", -] - -[[package]] -name = "percent-encoding" -version = "1.0.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "31010dd2e1ac33d5b46a5b413495239882813e0369f8ed8a5e266f173602f831" - -[[package]] -name = "percent-encoding" -version = "2.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e" - -[[package]] -name = "polyval" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" 
-checksum = "7ec3341498978de3bfd12d1b22f1af1de22818f5473a11e8a6ef997989e3a212" -dependencies = [ - "cfg-if", - "universal-hash", -] - -[[package]] -name = "ppv-lite86" -version = "0.2.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c36fa947111f5c62a733b652544dd0016a43ce89619538a8ef92724a6f501a20" - -[[package]] -name = "proc-macro2" -version = "0.4.30" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759" -dependencies = [ - "unicode-xid", -] - -[[package]] -name = "quote" -version = "0.6.13" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1" -dependencies = [ - "proc-macro2", -] - -[[package]] -name = "rand" -version = "0.7.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03" -dependencies = [ - "getrandom", - "libc", - "rand_chacha", - "rand_core", - "rand_hc", -] - -[[package]] -name = "rand_chacha" -version = "0.2.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402" -dependencies = [ - "ppv-lite86", - "rand_core", -] - -[[package]] -name = "rand_core" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19" -dependencies = [ - "getrandom", -] - -[[package]] -name = "rand_hc" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c" -dependencies = [ - "rand_core", -] - -[[package]] -name = "rocket" -version = "0.4.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"6130967b369cfb8411b0b73e96fcba1229c32a9cc6f295d144f879bfced13c6e" -dependencies = [ - "atty", - "base64 0.12.3", - "log 0.4.11", - "memchr", - "num_cpus", - "pear", - "rocket_codegen", - "rocket_http", - "state", - "time", - "toml", - "version_check 0.9.2", - "yansi", -] - -[[package]] -name = "rocket_codegen" -version = "0.4.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb852e6da168fb948a8f2b798ba2e2f0e4fc860eae0efa9cf2bf0f5466bb0425" -dependencies = [ - "devise", - "glob", - "indexmap", - "quote", - "rocket_http", - "version_check 0.9.2", - "yansi", -] - -[[package]] -name = "rocket_csrf" -version = "0.0.0" -dependencies = [ - "base64 0.13.0", - "rand", - "rocket", -] - -[[package]] -name = "rocket_http" -version = "0.4.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1aff5a5480175f2f553a876b251e9350c74196128806d176da3a51c82aab5428" -dependencies = [ - "cookie", - "hyper", - "indexmap", - "pear", - "percent-encoding 1.0.1", - "smallvec", - "state", - "time", - "unicode-xid", -] - -[[package]] -name = "safemem" -version = "0.3.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef703b7cb59335eae2eb93ceb664c0eb7ea6bf567079d843e09420219668e072" - -[[package]] -name = "serde" -version = "1.0.117" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b88fa983de7720629c9387e9f517353ed404164b1e482c970a90c1a4aaf7dc1a" - -[[package]] -name = "sha2" -version = "0.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a256f46ea78a0c0d9ff00077504903ac881a1dafdc20da66545699e7776b3e69" -dependencies = [ - "block-buffer", - "digest", - "fake-simd", - "opaque-debug", -] - -[[package]] -name = "smallvec" -version = "1.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbee7696b84bbf3d89a1c2eccff0850e3047ed46bfcd2e92c29a2d074d57e252" - -[[package]] -name = "state" -version = "0.4.1" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "7345c971d1ef21ffdbd103a75990a15eb03604fc8b8852ca8cb418ee1a099028" - -[[package]] -name = "subtle" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2d67a5a62ba6e01cb2192ff309324cb4875d0c451d55fe2319433abe7a05a8ee" - -[[package]] -name = "subtle" -version = "2.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "343f3f510c2915908f155e94f17220b19ccfacf2a64a2a5d8004f2c3e311e7fd" - -[[package]] -name = "syn" -version = "0.15.44" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9ca4b3b69a77cbe1ffc9e198781b7acb0c7365a883670e8f1c1bc66fba79a5c5" -dependencies = [ - "proc-macro2", - "quote", - "unicode-xid", -] - -[[package]] -name = "time" -version = "0.1.44" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255" -dependencies = [ - "libc", - "wasi 0.10.0+wasi-snapshot-preview1", - "winapi", -] - -[[package]] -name = "tinyvec" -version = "0.3.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "238ce071d267c5710f9d31451efec16c5ee22de34df17cc05e56cbc92e967117" - -[[package]] -name = "toml" -version = "0.4.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "758664fc71a3a69038656bee8b6be6477d2a6c315a6b81f7081f591bffa4111f" -dependencies = [ - "serde", -] - -[[package]] -name = "traitobject" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "efd1f82c56340fdf16f2a953d7bda4f8fdffba13d93b00844c25572110b26079" - -[[package]] -name = "typeable" -version = "0.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1410f6f91f21d1612654e7cc69193b0334f909dcf2c790c4826254fbb86f8887" - -[[package]] -name = "typenum" -version = "1.12.0" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "373c8a200f9e67a0c95e62a4f52fbf80c23b4381c05a17845531982fa99e6b33" - -[[package]] -name = "unicase" -version = "1.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f4765f83163b74f957c797ad9253caf97f103fb064d3999aea9568d09fc8a33" -dependencies = [ - "version_check 0.1.5", -] - -[[package]] -name = "unicode-bidi" -version = "0.3.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49f2bd0c6468a8230e1db229cff8029217cf623c767ea5d60bfbd42729ea54d5" -dependencies = [ - "matches", -] - -[[package]] -name = "unicode-normalization" -version = "0.1.13" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6fb19cf769fa8c6a80a162df694621ebeb4dafb606470b2b2fce0be40a98a977" -dependencies = [ - "tinyvec", -] - -[[package]] -name = "unicode-xid" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc" - -[[package]] -name = "universal-hash" -version = "0.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df0c900f2f9b4116803415878ff48b63da9edb268668e08cf9292d7503114a01" -dependencies = [ - "generic-array", - "subtle 2.3.0", -] - -[[package]] -name = "url" -version = "1.7.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dd4e7c0d531266369519a4aa4f399d748bd37043b00bde1e4ff1f60a120b355a" -dependencies = [ - "idna", - "matches", - "percent-encoding 1.0.1", -] - -[[package]] -name = "version_check" -version = "0.1.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "914b1a6776c4c929a602fafd8bc742e06365d4bcbe48c30f9cca5824f70dc9dd" - -[[package]] -name = "version_check" -version = "0.9.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5a972e5669d67ba988ce3dc826706fb0a8b01471c088cb0b6110b805cc36aed" - 
-[[package]] -name = "wasi" -version = "0.9.0+wasi-snapshot-preview1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519" - -[[package]] -name = "wasi" -version = "0.10.0+wasi-snapshot-preview1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f" - -[[package]] -name = "winapi" -version = "0.3.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" -dependencies = [ - "winapi-i686-pc-windows-gnu", - "winapi-x86_64-pc-windows-gnu", -] - -[[package]] -name = "winapi-i686-pc-windows-gnu" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" - -[[package]] -name = "winapi-x86_64-pc-windows-gnu" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" - -[[package]] -name = "yansi" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fc79f4a1e39857fc00c3f662cbf2651c771f00e9c15fe2abc341806bd46bd71" - -[[package]] -name = "zeroize" -version = "1.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05f33972566adbd2d3588b0491eb94b98b43695c4ef897903470ede4f3f5a28a" diff --git a/contrib/rocket_csrf/src/lib.rs b/contrib/rocket_csrf/src/lib.rs index 31e1bb2..0df9f95 100644 --- a/contrib/rocket_csrf/src/lib.rs +++ b/contrib/rocket_csrf/src/lib.rs 
@@ -1,7 +1,86 @@
-#[cfg(test)]
-mod tests {
- #[test]
- fn it_works() {
- assert_eq!(2 + 2, 4);
+use rand::RngCore;
+use rocket::{Data, Request};
+use rocket::fairing::{Fairing as RocketFairing, Info, Kind};
+use rocket::http::{Cookie, Status};
+use rocket::request::{FromRequest, Outcome};
+
+const COOKIE_NAME: &str = "csrf_token";
+const _PARAM_NAME: &str = "authenticity_token";
+const _HEADER_NAME: &str = "X-CSRF-Token";
+const _PARAM_META_NAME: &str = "csrf-param";
+const _TOKEN_META_NAME: &str = "csrf-token";
+const RAW_TOKEN_LENGTH: usize = 32;
+
+pub struct Fairing;
+
+pub struct Guard(pub String);
+
+pub struct VerificationFailure;
+
+impl Fairing {
+ pub fn new() -> Self {
+ Self {}
+ }
+}
+
+impl Guard {
+ pub fn verify(&self, form_authenticity_token: &String)
+ -> Result<(), VerificationFailure>
+ {
+ if self.0 == *form_authenticity_token {
+ Ok(())
+ }
+ else {
+ Err(VerificationFailure {})
+ }
+ }
+}
+
+impl RocketFairing for Fairing {
+ fn info(&self) -> Info {
+ Info {
+ name: "CSRF (Cross-Site Request Forgery) protection",
+ kind: Kind::Request,
+ }
+ }
+
+ fn on_request(&self, request: &mut Request, _: &Data) {
+ if let Some(_) = request.valid_csrf_token_from_session() { return }
+
+ let mut raw = [0u8; RAW_TOKEN_LENGTH];
+ rand::thread_rng().fill_bytes(&mut raw);
+
+ let encoded = base64::encode(raw);
+
+ request.cookies().add_private(Cookie::new(COOKIE_NAME, encoded));
+ }
+}
+
+impl<'a, 'r> FromRequest<'a, 'r> for Guard {
+ type Error = ();
+
+ fn from_request(request: &'a Request<'r>) -> Outcome {
+ match request.valid_csrf_token_from_session() {
+ None => Outcome::Failure((Status::Forbidden, ())),
+ Some(token) => Outcome::Success(Self(base64::encode(token))),
+ }
+ }
+}
+
+trait RequestCsrf {
+ fn valid_csrf_token_from_session(&self) -> Option> {
+ self.csrf_token_from_session()
+ .and_then(|raw|
+ if raw.len() >= RAW_TOKEN_LENGTH { Some(raw) } else { None }
+ )
+ }
+
+ fn csrf_token_from_session(&self) -> Option>;
+}
+
+impl RequestCsrf for Request<'_> {
+ fn csrf_token_from_session(&self) -> Option> {
+ self.cookies().get_private(COOKIE_NAME)
+ .and_then(|cookie| base64::decode(cookie.value()).ok())
 }
}
diff --git a/src/csrf.rs b/src/csrf.rs
deleted file mode 100644
index 0df9f95..0000000
--- a/src/csrf.rs
+++ /dev/null
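Review bot: `Guard::verify` in this hunk compares the session token with the submitted token via `==`, which returns on the first differing byte; for a secret checked against request-supplied input the usual practice is a constant-time comparison, e.g. `subtle::ConstantTimeEq` (present transitively in the removed lockfile, but it would need to become a direct dependency) with `if bool::from(self.0.as_bytes().ct_eq(form_authenticity_token.as_bytes())) {`. While there, `form_authenticity_token: &String` should be `&str`, which every caller currently passing `&String` still satisfies. The `Guard` request guard succeeds for any request that carries a valid cookie and never inspects the submitted token, so protection depends on each state-changing route calling `verify`; that contract deserves a doc comment on `Guard`, e.g. `/// Carries the session CSRF token; routes must still call `verify` with the token submitted in the form.` The crate's only test (`it_works`) is removed with nothing replacing it, leaving `verify` and the length check in `valid_csrf_token_from_session` without coverage.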
@@ -1,86 +0,0 @@ -use rand::RngCore; -use rocket::{Data, Request}; -use rocket::fairing::{Fairing as RocketFairing, Info, Kind}; -use rocket::http::{Cookie, Status}; -use rocket::request::{FromRequest, Outcome}; - -const COOKIE_NAME: &str = "csrf_token"; -const _PARAM_NAME: &str = "authenticity_token"; -const _HEADER_NAME: &str = "X-CSRF-Token"; -const _PARAM_META_NAME: &str = "csrf-param"; -const _TOKEN_META_NAME: &str = "csrf-token"; -const RAW_TOKEN_LENGTH: usize = 32; - -pub struct Fairing; - -pub struct Guard(pub String); - -pub struct VerificationFailure; - -impl Fairing { - pub fn new() -> Self { - Self {} - } -} - -impl Guard { - pub fn verify(&self, form_authenticity_token: &String) - -> Result<(), VerificationFailure> - { - if self.0 == *form_authenticity_token { - Ok(()) - } - else { - Err(VerificationFailure {}) - } - } -} - -impl RocketFairing for Fairing { - fn info(&self) -> Info { - Info { - name: "CSRF (Cross-Site Request Forgery) protection", - kind: Kind::Request, - } - } - - fn on_request(&self, request: &mut Request, _: &Data) { - if let Some(_) = request.valid_csrf_token_from_session() { return } - - let mut raw = [0u8; RAW_TOKEN_LENGTH]; - rand::thread_rng().fill_bytes(&mut raw); - - let encoded = base64::encode(raw); - - request.cookies().add_private(Cookie::new(COOKIE_NAME, encoded)); - } -} - -impl<'a, 'r> FromRequest<'a, 'r> for Guard { - type Error = (); - - fn from_request(request: &'a Request<'r>) -> Outcome { - match request.valid_csrf_token_from_session() { - None => Outcome::Failure((Status::Forbidden, ())), - Some(token) => Outcome::Success(Self(base64::encode(token))), - } - } -} - -trait RequestCsrf { - fn valid_csrf_token_from_session(&self) -> Option> { - self.csrf_token_from_session() - .and_then(|raw| - if raw.len() >= RAW_TOKEN_LENGTH { Some(raw) } else { None } - ) - } - - fn csrf_token_from_session(&self) -> Option>; -} - -impl RequestCsrf for Request<'_> { - fn csrf_token_from_session(&self) -> Option> { - 
self.cookies().get_private(COOKIE_NAME) - .and_then(|cookie| base64::decode(cookie.value()).ok()) - } -} diff --git a/src/main.rs b/src/main.rs index 709ae9e..d60d091 100644 --- a/src/main.rs +++ b/src/main.rs @@ -2,7 +2,6 @@ #[cfg(test)] mod tests; -mod csrf; mod config; mod web; mod database; diff --git a/src/routes/home.rs b/src/routes/home.rs index b934432..25ca608 100644 --- a/src/routes/home.rs +++ b/src/routes/home.rs @@ -1,4 +1,3 @@ -use crate::csrf; use crate::database; use crate::states; use crate::models; @@ -7,7 +6,7 @@ use rocket_contrib::templates::Template; #[get("/")] pub fn index( - csrf: csrf::Guard, + csrf: rocket_csrf::Guard, db_conn: database::DbConn, current_user: states::MaybeCurrentUser, ) -> Result { diff --git a/src/routes/sessions.rs b/src/routes/sessions.rs index 0fc874d..19b322a 100644 --- a/src/routes/sessions.rs +++ b/src/routes/sessions.rs @@ -1,4 +1,3 @@ -use crate::csrf; use crate::database; use crate::states; use crate::models; @@ -11,7 +10,7 @@ use rocket_contrib::templates::Template; #[get("/sign_in")] pub fn new( - csrf: csrf::Guard, + csrf: rocket_csrf::Guard, current_user: states::MaybeCurrentUser, ) -> Result { if let Some(_) = current_user.0 { @@ -26,7 +25,7 @@ pub fn new( #[post("/sign_in", data = "
")] pub fn create( - csrf: csrf::Guard, + csrf: rocket_csrf::Guard, db_conn: database::DbConn, current_user: states::MaybeCurrentUser, form: Form, @@ -58,7 +57,7 @@ pub fn create( #[delete("/sign_out", data = "")] pub fn delete( - csrf: csrf::Guard, + csrf: rocket_csrf::Guard, current_user: states::MaybeCurrentUser, form: Form, mut cookies: Cookies, @@ -108,14 +107,14 @@ impl From for UserSignInResponse { } } -impl From for UserSignInResponse { - fn from(_: csrf::VerificationFailure) -> UserSignInResponse { +impl From for UserSignInResponse { + fn from(_: rocket_csrf::VerificationFailure) -> UserSignInResponse { Self::InvalidAuthenticityToken(()) } } -impl From for UserSignOutResponse { - fn from(_: csrf::VerificationFailure) -> UserSignOutResponse { +impl From for UserSignOutResponse { + fn from(_: rocket_csrf::VerificationFailure) -> UserSignOutResponse { Self::InvalidAuthenticityToken(()) } } diff --git a/src/routes/users.rs b/src/routes/users.rs index f68bcdf..8bb0137 100644 --- a/src/routes/users.rs +++ b/src/routes/users.rs @@ -1,4 +1,3 @@ -use crate::csrf; use crate::database; use crate::states; use crate::models; @@ -11,7 +10,7 @@ use rocket_contrib::templates::Template; #[get("/sign_up")] pub fn new( - csrf: csrf::Guard, + csrf: rocket_csrf::Guard, current_user: states::MaybeCurrentUser, ) -> Result { if let Some(_) = current_user.0 { @@ -26,7 +25,7 @@ pub fn new( #[post("/sign_up", data = "")] pub fn create( - csrf: csrf::Guard, + csrf: rocket_csrf::Guard, db_conn: database::DbConn, current_user: states::MaybeCurrentUser, form: Form, @@ -102,8 +101,8 @@ impl From for UserSignUpResponse { } } -impl From for UserSignUpResponse { - fn from(_: csrf::VerificationFailure) -> Self { +impl From for UserSignUpResponse { + fn from(_: rocket_csrf::VerificationFailure) -> Self { Self::InvalidAuthenticityToken(()) } } diff --git a/src/web.rs b/src/web.rs index 3423850..fd8693b 100644 --- a/src/web.rs +++ b/src/web.rs 
@@ -1,4 +1,3 @@ -use crate::csrf; use crate::config; use crate::database; use crate::routes; @@ -13,7 +12,7 @@ pub fn rocket(config: &config::Config) -> Result { let result = rocket::custom(rocket_config) .manage(database::create_db_pool(config)) - .attach(csrf::Fairing::new()) + .attach(rocket_csrf::Fairing::new()) .attach(Template::fairing()) .mount("/", routes::routes()) .mount("/", StaticFiles::new(public_path, ServeOptions::None));