Verify CSRF token

src/csrf.rs

@@ -15,12 +15,27 @@ pub struct Fairing;
 
 pub struct Guard(pub String);
 
+pub struct VerificationFailure;
+
 impl Fairing {
     pub fn new() -> Self {
         Self {}
     }
 }
 
+impl Guard {
+    pub fn verify(&self, form_authenticity_token: &String)
+        -> Result<(), VerificationFailure>
+    {
+        if self.0 == *form_authenticity_token {
+            Ok(())
+        }
+        else {
+            Err(VerificationFailure {})
+        }
+    }
+}
+
 impl RocketFairing for Fairing {
     fn info(&self) -> Info {
         Info {

src/routes/sessions.rs

@@ -32,6 +32,8 @@ pub fn create(
     form: Form<forms::UserSignIn>,
     mut cookies: Cookies,
 ) -> Result<Redirect, UserSignInResponse> {
+    csrf.verify(&form.authenticity_token)?;
+
     if let Some(_) = current_user.0 {
         return Err(UserSignInResponse::AlreadySignedIn(
             Redirect::to(uri!(super::home::index))
@@ -54,15 +56,19 @@ pub fn create(
     Ok(Redirect::to(uri!(super::home::index)))
 }
 
-#[delete("/sign_out", data = "<_form>")]
+#[delete("/sign_out", data = "<form>")]
 pub fn delete(
-    _csrf: csrf::Guard,
+    csrf: csrf::Guard,
     current_user: states::MaybeCurrentUser,
-    _form: Form<forms::UserSignOut>,
+    form: Form<forms::UserSignOut>,
     mut cookies: Cookies,
-) -> Result<Redirect, Redirect> {
+) -> Result<Redirect, UserSignOutResponse> {
+    csrf.verify(&form.authenticity_token)?;
+
     if let None = current_user.0 {
-        return Err(Redirect::to(uri!(super::home::index)));
+        return Err(UserSignOutResponse::NoUserSignedIn(
+            Redirect::to(uri!(super::home::index))
+        ));
     }
 
     cookies.remove_private(Cookie::named("user_id"));
@@ -74,12 +80,22 @@ pub fn delete(
 #[response(content_type = "text/html")]
 pub enum UserSignInResponse {
     AlreadySignedIn(Redirect),
+    #[response(status = 403)]
+    InvalidAuthenticityToken(()),
     #[response(status = 422)]
     InvalidCredentials(Template),
     #[response(status = 500)]
     UnknownError(()),
 }
 
+#[derive(Debug, rocket::response::Responder)]
+#[response(context_type = "text/html")]
+pub enum UserSignOutResponse {
+    NoUserSignedIn(Redirect),
+    #[response(status = 403)]
+    InvalidAuthenticityToken(()),
+}
+
 #[derive(Serialize)]
 struct BasicTemplateContext {
     csrf_token: String,
@@ -91,3 +107,15 @@ impl From<diesel::result::Error> for UserSignInResponse {
         Self::UnknownError(())
     }
 }
+
+impl From<csrf::VerificationFailure> for UserSignInResponse {
+    fn from(_: csrf::VerificationFailure) -> UserSignInResponse {
+        Self::InvalidAuthenticityToken(())
+    }
+}
+
+impl From<csrf::VerificationFailure> for UserSignOutResponse {
+    fn from(_: csrf::VerificationFailure) -> UserSignOutResponse {
+        Self::InvalidAuthenticityToken(())
+    }
+}

src/routes/users.rs

@@ -32,6 +32,8 @@ pub fn create(
     form: Form<forms::UserSignUp>,
     mut cookies: Cookies,
 ) -> Result<Redirect, UserSignUpResponse> {
+    csrf.verify(&form.authenticity_token)?;
+
     if let Some(_) = current_user.0 {
         return Err(UserSignUpResponse::AlreadySignedIn(
             Redirect::to(uri!(super::home::index))
@@ -51,6 +53,8 @@ pub fn create(
 #[response(content_type = "text/html")]
 pub enum UserSignUpResponse {
     AlreadySignedIn(Redirect),
+    #[response(status = 403)]
+    InvalidAuthenticityToken(()),
     #[response(status = 422)]
     InvalidForm(Template),
     #[response(status = 500)]
@@ -97,3 +101,9 @@ impl From<diesel::result::Error> for UserSignUpResponse {
         Self::UnknownError(())
     }
 }
+
+impl From<csrf::VerificationFailure> for UserSignUpResponse {
+    fn from(_: csrf::VerificationFailure) -> Self {
+        Self::InvalidAuthenticityToken(())
+    }
+}