2021-01-27 23:00:56 +00:00
|
|
|
use bcrypt::{hash, verify, DEFAULT_COST};
|
2021-01-27 22:00:40 +00:00
|
|
|
use rand::{distributions::Standard, Rng};
|
|
|
|
use rocket::{
|
|
|
|
fairing::{Fairing as RocketFairing, Info, Kind},
|
|
|
|
http::{Cookie, Status},
|
|
|
|
request::{FromRequest, Outcome},
|
|
|
|
Data, Request, Rocket, State,
|
|
|
|
};
|
|
|
|
use std::borrow::Cow;
|
|
|
|
use time::Duration;
|
2020-10-16 21:41:07 +00:00
|
|
|
|
|
|
|
const _PARAM_NAME: &str = "authenticity_token";
|
|
|
|
const _HEADER_NAME: &str = "X-CSRF-Token";
|
|
|
|
const _PARAM_META_NAME: &str = "csrf-param";
|
|
|
|
const _TOKEN_META_NAME: &str = "csrf-token";
|
|
|
|
|
2021-01-27 22:00:40 +00:00
|
|
|
#[derive(Debug, Clone)]
|
|
|
|
pub struct CsrfConfig {
|
|
|
|
/// CSRF Cookie lifespan
|
|
|
|
lifespan: Duration,
|
|
|
|
/// CSRF cookie name
|
|
|
|
cookie_name: Cow<'static, str>,
|
|
|
|
/// CSRF Token character length
|
|
|
|
cookie_len: usize,
|
|
|
|
}
|
|
|
|
|
2021-03-06 02:17:23 +00:00
|
|
|
pub struct Fairing {
|
|
|
|
config: CsrfConfig,
|
|
|
|
}
|
|
|
|
|
|
|
|
pub struct CsrfToken(String);
|
|
|
|
|
|
|
|
pub struct VerificationFailure;
|
|
|
|
|
2021-01-27 22:00:40 +00:00
|
|
|
impl Default for CsrfConfig {
|
|
|
|
fn default() -> Self {
|
|
|
|
Self {
|
|
|
|
/// Set to 6hour for default in Database Session stores.
|
2021-01-27 23:00:56 +00:00
|
|
|
lifespan: Duration::days(1),
|
2021-01-27 22:00:40 +00:00
|
|
|
cookie_name: "csrf_token".into(),
|
|
|
|
cookie_len: 32,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-16 21:41:07 +00:00
|
|
|
impl Fairing {
|
|
|
|
pub fn new() -> Self {
|
2021-03-06 02:16:21 +00:00
|
|
|
Self { config: Default::default() }
|
2020-10-16 21:41:07 +00:00
|
|
|
}
|
2021-01-27 22:10:47 +00:00
|
|
|
|
|
|
|
/// Set CSRF lifetime (expiration time) for cookie.
|
|
|
|
///
|
|
|
|
/// Call on the fairing before passing it to `rocket.attach()`
|
|
|
|
pub fn with_lifetime(mut self, time: Duration) -> Self {
|
|
|
|
self.config.lifespan = time;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Set CSRF Cookie Name.
|
|
|
|
///
|
|
|
|
/// Call on the fairing before passing it to `rocket.attach()`
|
|
|
|
pub fn with_cookie_name(mut self, name: impl Into<Cow<'static, str>>) -> Self {
|
|
|
|
self.config.cookie_name = name.into();
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Set CSRF Cookie length, keep this above or equal to 16 in size.
|
|
|
|
///
|
|
|
|
/// Call on the fairing before passing it to `rocket.attach()`
|
|
|
|
pub fn with_cookie_len(mut self, length: usize) -> Self {
|
|
|
|
let length = std::cmp::max(length, 16);
|
|
|
|
self.config.cookie_len = length;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Set CSRF Config from CsrfConfig
|
|
|
|
///
|
|
|
|
/// Call on the fairing before passing it to `rocket.attach()`
|
|
|
|
pub fn with_config(mut self, config: CsrfConfig) -> Self {
|
|
|
|
self.config = config;
|
|
|
|
self
|
|
|
|
}
|
2020-10-16 21:41:07 +00:00
|
|
|
}
|
|
|
|
|
2020-10-16 23:56:13 +00:00
|
|
|
impl CsrfToken {
|
2021-01-27 22:00:40 +00:00
|
|
|
pub fn authenticity_token(&self) -> String {
|
|
|
|
hash(&self.0, DEFAULT_COST).unwrap()
|
2020-10-18 07:29:55 +00:00
|
|
|
}
|
|
|
|
|
2021-01-27 22:00:40 +00:00
|
|
|
pub fn verify(&self, form_authenticity_token: &String) -> Result<(), VerificationFailure> {
|
|
|
|
if verify(&self.0, form_authenticity_token).unwrap_or(false) {
|
2020-10-16 21:41:07 +00:00
|
|
|
Ok(())
|
2021-01-27 22:00:40 +00:00
|
|
|
} else {
|
2020-10-16 21:41:07 +00:00
|
|
|
Err(VerificationFailure {})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
impl RocketFairing for Fairing {
|
|
|
|
fn info(&self) -> Info {
|
|
|
|
Info {
|
2020-10-18 07:38:48 +00:00
|
|
|
name: "CSRF",
|
2021-01-27 22:00:40 +00:00
|
|
|
kind: Kind::Attach | Kind::Request,
|
2020-10-16 21:41:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-27 22:00:40 +00:00
|
|
|
fn on_attach(&self, rocket: Rocket) -> std::result::Result<Rocket, Rocket> {
|
|
|
|
Ok(rocket.manage(self.config.clone()))
|
|
|
|
}
|
2020-10-16 21:41:07 +00:00
|
|
|
|
2021-01-27 22:00:40 +00:00
|
|
|
fn on_request(&self, request: &mut Request, _: &Data) {
|
|
|
|
let config = request.guard::<State<CsrfConfig>>().unwrap();
|
|
|
|
if let Some(_) = request.valid_csrf_token_from_session(&config) {
|
|
|
|
return;
|
|
|
|
}
|
2020-10-16 21:41:07 +00:00
|
|
|
|
2021-01-27 23:00:56 +00:00
|
|
|
let values: Vec<u8> = rand::thread_rng()
|
|
|
|
.sample_iter(Standard)
|
|
|
|
.take(config.cookie_len)
|
|
|
|
.collect();
|
2021-01-27 22:00:40 +00:00
|
|
|
let encoded = base64::encode(&values[..]);
|
2020-10-16 21:41:07 +00:00
|
|
|
|
2021-01-27 23:00:56 +00:00
|
|
|
//This changed in the latest Rocket so it will be nicer when it is switched.
|
|
|
|
let mut now = time::now_utc();
|
|
|
|
now = now + config.lifespan;
|
|
|
|
|
|
|
|
request.cookies().add_private(
|
|
|
|
Cookie::build(config.cookie_name.clone(), encoded)
|
|
|
|
.expires(now)
|
|
|
|
.finish(),
|
|
|
|
);
|
|
|
|
}
|
2020-10-16 21:41:07 +00:00
|
|
|
}
|
|
|
|
|
2020-10-16 23:56:13 +00:00
|
|
|
impl<'a, 'r> FromRequest<'a, 'r> for CsrfToken {
|
2020-10-16 21:41:07 +00:00
|
|
|
type Error = ();
|
|
|
|
|
|
|
|
fn from_request(request: &'a Request<'r>) -> Outcome<Self, Self::Error> {
|
2021-01-27 22:00:40 +00:00
|
|
|
let config = request.guard::<State<CsrfConfig>>().unwrap();
|
|
|
|
match request.valid_csrf_token_from_session(&config) {
|
2020-10-16 21:41:07 +00:00
|
|
|
None => Outcome::Failure((Status::Forbidden, ())),
|
|
|
|
Some(token) => Outcome::Success(Self(base64::encode(token))),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
trait RequestCsrf {
|
2021-01-27 22:00:40 +00:00
|
|
|
fn valid_csrf_token_from_session(&self, config: &CsrfConfig) -> Option<Vec<u8>> {
|
|
|
|
self.csrf_token_from_session(config).and_then(|raw| {
|
|
|
|
if raw.len() >= config.cookie_len {
|
|
|
|
Some(raw)
|
|
|
|
} else {
|
|
|
|
None
|
|
|
|
}
|
|
|
|
})
|
2020-10-16 21:41:07 +00:00
|
|
|
}
|
|
|
|
|
2021-01-27 22:00:40 +00:00
|
|
|
fn csrf_token_from_session(&self, config: &CsrfConfig) -> Option<Vec<u8>>;
|
2020-10-16 21:41:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
impl RequestCsrf for Request<'_> {
|
2021-01-27 22:00:40 +00:00
|
|
|
fn csrf_token_from_session(&self, config: &CsrfConfig) -> Option<Vec<u8>> {
|
|
|
|
self.cookies()
|
|
|
|
.get_private(&config.cookie_name)
|
2020-10-16 21:41:07 +00:00
|
|
|
.and_then(|cookie| base64::decode(cookie.value()).ok())
|
|
|
|
}
|
|
|
|
}
|