matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2026-01-03 17:02:28 +03:00
Code Activity

Handle cookies better by setting the right flags & expiration

Browse Source
This commit is contained in:
Quentin Gliech
2023-08-24 17:38:33 +02:00
parent 2405a3c061
commit a39f71c181
31 changed files with 242 additions and 167 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
crates/handlers/src/app_state.rs
View File

@@ -20,7 +20,7 @@ use axum::{
response::IntoResponse,
};
use hyper::StatusCode;
use mas_axum_utils::http_client_factory::HttpClientFactory;
use mas_axum_utils::{cookies::CookieManager, http_client_factory::HttpClientFactory};
use mas_keystore::{Encrypter, Keystore};
use mas_policy::PolicyFactory;
use mas_router::UrlBuilder;
@@ -42,6 +42,7 @@ pub struct AppState {
pub pool: PgPool,
pub templates: Templates,
pub key_store: Keystore,
pub cookie_manager: CookieManager,
pub encrypter: Encrypter,
pub url_builder: UrlBuilder,
pub homeserver: MatrixHomeserver,
@@ -161,6 +162,12 @@ impl FromRef<AppState> for PasswordManager {
}
}
impl FromRef<AppState> for CookieManager {
fn from_ref(input: &AppState) -> Self {
input.cookie_manager.clone()
}
}
#[async_trait]
impl FromRequestParts<AppState> for BoxClock {
type Rejection = Infallible;

7
crates/handlers/src/compat/login_sso_complete.rs
View File

@@ -20,14 +20,13 @@ use axum::{
extract::{Form, Path, Query, State},
response::{Html, IntoResponse, Redirect, Response},
};
use axum_extra::extract::PrivateCookieJar;
use chrono::Duration;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_data_model::Device;
use mas_keystore::Encrypter;
use mas_router::{CompatLoginSsoAction, PostAuthAction, Route};
use mas_storage::{
compat::{CompatSessionRepository, CompatSsoLoginRepository},
@@ -63,7 +62,7 @@ pub async fn get(
clock: BoxClock,
mut repo: BoxRepository,
State(templates): State<Templates>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(id): Path<Ulid>,
Query(params): Query<Params>,
) -> Result<Response, FancyError> {
@@ -129,7 +128,7 @@ pub async fn post(
clock: BoxClock,
mut repo: BoxRepository,
State(templates): State<Templates>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(id): Path<Ulid>,
Query(params): Query<Params>,
Form(form): Form<ProtectedForm<()>>,

8
crates/handlers/src/graphql/mod.rs
View File

@@ -25,13 +25,11 @@ use axum::{
response::{Html, IntoResponse, Response},
Json, TypedHeader,
};
use axum_extra::extract::PrivateCookieJar;
use futures_util::TryStreamExt;
use headers::{authorization::Bearer, Authorization, ContentType, HeaderValue};
use hyper::header::CACHE_CONTROL;
use mas_axum_utils::{FancyError, SessionInfo, SessionInfoExt};
use mas_axum_utils::{cookies::CookieJar, FancyError, SessionInfo, SessionInfoExt};
use mas_graphql::{Requester, Schema};
use mas_keystore::Encrypter;
use mas_matrix::HomeserverConnection;
use mas_storage::{
BoxClock, BoxRepository, BoxRng, Clock, Repository, RepositoryError, SystemClock,
@@ -228,7 +226,7 @@ pub async fn post(
State(schema): State<Schema>,
clock: BoxClock,
repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
content_type: Option<TypedHeader<ContentType>>,
authorization: Option<TypedHeader<Authorization<Bearer>>>,
body: BodyStream,
@@ -268,7 +266,7 @@ pub async fn get(
State(schema): State<Schema>,
clock: BoxClock,
repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
authorization: Option<TypedHeader<Authorization<Bearer>>>,
RawQuery(query): RawQuery,
) -> Result<impl IntoResponse, FancyError> {

6
crates/handlers/src/lib.rs
View File

@@ -47,7 +47,7 @@ use hyper::{
},
StatusCode, Version,
};
use mas_axum_utils::FancyError;
use mas_axum_utils::{cookies::CookieJar, FancyError};
use mas_http::CorsLayerExt;
use mas_keystore::{Encrypter, Keystore};
use mas_policy::PolicyFactory;
@@ -87,7 +87,7 @@ macro_rules! impl_from_error_for_route {
};
}
pub use mas_axum_utils::http_client_factory::HttpClientFactory;
pub use mas_axum_utils::{cookies::CookieManager, http_client_factory::HttpClientFactory};
pub use self::{app_state::AppState, compat::MatrixHomeserver, graphql::schema as graphql_schema};
@@ -110,6 +110,7 @@ where
BoxRepository: FromRequestParts<S>,
BoxClock: FromRequestParts<S>,
Encrypter: FromRef<S>,
CookieJar: FromRequestParts<S>,
{
let mut router = Router::new().route(
"/graphql",
@@ -267,6 +268,7 @@ where
UrlBuilder: FromRef<S>,
Arc<PolicyFactory>: FromRef<S>,
BoxRepository: FromRequestParts<S>,
CookieJar: FromRequestParts<S>,
Encrypter: FromRef<S>,
Templates: FromRef<S>,
Keystore: FromRef<S>,

7
crates/handlers/src/oauth2/authorization/complete.rs
View File

@@ -18,11 +18,10 @@ use axum::{
extract::{Path, State},
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use mas_axum_utils::{csrf::CsrfExt, SessionInfoExt};
use mas_axum_utils::{cookies::CookieJar, csrf::CsrfExt, SessionInfoExt};
use mas_data_model::{AuthorizationGrant, BrowserSession, Client, Device};
use mas_keystore::{Encrypter, Keystore};
use mas_keystore::Keystore;
use mas_policy::{EvaluationResult, PolicyFactory};
use mas_router::{PostAuthAction, Route, UrlBuilder};
use mas_storage::{
@@ -96,7 +95,7 @@ pub(crate) async fn get(
State(url_builder): State<UrlBuilder>,
State(key_store): State<Keystore>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(grant_id): Path<Ulid>,
) -> Result<Response, RouteError> {
let (session_info, cookie_jar) = cookie_jar.session_info();

7
crates/handlers/src/oauth2/authorization/mod.rs
View File

@@ -18,11 +18,10 @@ use axum::{
extract::{Form, State},
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use mas_axum_utils::{csrf::CsrfExt, SessionInfoExt};
use mas_axum_utils::{cookies::CookieJar, csrf::CsrfExt, SessionInfoExt};
use mas_data_model::{AuthorizationCode, Pkce};
use mas_keystore::{Encrypter, Keystore};
use mas_keystore::Keystore;
use mas_policy::PolicyFactory;
use mas_router::{PostAuthAction, Route, UrlBuilder};
use mas_storage::{
@@ -146,7 +145,7 @@ pub(crate) async fn get(
State(key_store): State<Keystore>,
State(url_builder): State<UrlBuilder>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Form(params): Form<Params>,
) -> Result<Response, RouteError> {
// First, figure out what client it is

7
crates/handlers/src/oauth2/consent.rs
View File

@@ -18,14 +18,13 @@ use axum::{
extract::{Form, Path, State},
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, ProtectedForm},
SessionInfoExt,
};
use mas_data_model::{AuthorizationGrantStage, Device};
use mas_keystore::Encrypter;
use mas_policy::PolicyFactory;
use mas_router::{PostAuthAction, Route};
use mas_storage::{
@@ -84,7 +83,7 @@ pub(crate) async fn get(
State(policy_factory): State<Arc<PolicyFactory>>,
State(templates): State<Templates>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(grant_id): Path<Ulid>,
) -> Result<Response, RouteError> {
let (session_info, cookie_jar) = cookie_jar.session_info();
@@ -149,7 +148,7 @@ pub(crate) async fn post(
clock: BoxClock,
State(policy_factory): State<Arc<PolicyFactory>>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(grant_id): Path<Ulid>,
Form(form): Form<ProtectedForm<()>>,
) -> Result<Response, RouteError> {

12
crates/handlers/src/test_utils.rs
View File

@@ -24,7 +24,7 @@ use axum::{
};
use headers::{Authorization, ContentType, HeaderMapExt, HeaderName};
use hyper::{header::CONTENT_TYPE, Request, Response, StatusCode};
use mas_axum_utils::http_client_factory::HttpClientFactory;
use mas_axum_utils::{cookies::CookieManager, http_client_factory::HttpClientFactory};
use mas_keystore::{Encrypter, JsonWebKey, JsonWebKeySet, Keystore, PrivateKey};
use mas_matrix::{HomeserverConnection, MockHomeserverConnection};
use mas_policy::PolicyFactory;
@@ -59,6 +59,7 @@ pub(crate) struct TestState {
pub pool: PgPool,
pub templates: Templates,
pub key_store: Keystore,
pub cookie_manager: CookieManager,
pub encrypter: Encrypter,
pub url_builder: UrlBuilder,
pub homeserver: MatrixHomeserver,
@@ -95,6 +96,8 @@ impl TestState {
let key_store = Keystore::new(jwks);
let encrypter = Encrypter::new(&[0x42; 32]);
let cookie_manager =
CookieManager::derive_from("https://example.com".parse()?, &[0x42; 32]);
let password_manager = PasswordManager::new([(1, Hasher::argon2id(None))])?;
@@ -135,6 +138,7 @@ impl TestState {
pool,
templates,
key_store,
cookie_manager,
encrypter,
url_builder,
homeserver,
@@ -317,6 +321,12 @@ impl FromRef<TestState> for PasswordManager {
}
}
impl FromRef<TestState> for CookieManager {
fn from_ref(input: &TestState) -> Self {
input.cookie_manager.clone()
}
}
#[async_trait]
impl FromRequestParts<TestState> for BoxClock {
type Rejection = Infallible;

6
crates/handlers/src/upstream_oauth2/authorize.rs
View File

@@ -16,10 +16,8 @@ use axum::{
extract::{Path, Query, State},
response::{IntoResponse, Redirect},
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use mas_axum_utils::http_client_factory::HttpClientFactory;
use mas_keystore::Encrypter;
use mas_axum_utils::{cookies::CookieJar, http_client_factory::HttpClientFactory};
use mas_oidc_client::requests::authorization_code::AuthorizationRequestData;
use mas_router::UrlBuilder;
use mas_storage::{
@@ -68,7 +66,7 @@ pub(crate) async fn get(
State(http_client_factory): State<HttpClientFactory>,
mut repo: BoxRepository,
State(url_builder): State<UrlBuilder>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(provider_id): Path<Ulid>,
Query(query): Query<OptionalPostAuthAction>,
) -> Result<impl IntoResponse, RouteError> {

5
crates/handlers/src/upstream_oauth2/callback.rs
View File

@@ -16,9 +16,8 @@ use axum::{
extract::{Path, Query, State},
response::IntoResponse,
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use mas_axum_utils::http_client_factory::HttpClientFactory;
use mas_axum_utils::{cookies::CookieJar, http_client_factory::HttpClientFactory};
use mas_jose::claims::ClaimError;
use mas_keystore::{Encrypter, Keystore};
use mas_oidc_client::requests::{
@@ -133,7 +132,7 @@ pub(crate) async fn get(
State(url_builder): State<UrlBuilder>,
State(encrypter): State<Encrypter>,
State(keystore): State<Keystore>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(provider_id): Path<Ulid>,
Query(params): Query<QueryParams>,
) -> Result<impl IntoResponse, RouteError> {

34
crates/handlers/src/upstream_oauth2/cookie.rs
View File

@@ -14,14 +14,12 @@
// TODO: move that to a standalone cookie manager
use axum_extra::extract::{cookie::Cookie, PrivateCookieJar};
use chrono::{DateTime, Duration, NaiveDateTime, Utc};
use mas_axum_utils::CookieExt;
use mas_axum_utils::cookies::CookieJar;
use mas_router::PostAuthAction;
use mas_storage::Clock;
use serde::{Deserialize, Serialize};
use thiserror::Error;
use time::OffsetDateTime;
use ulid::Ulid;
/// Name of the cookie
@@ -62,30 +60,24 @@ pub struct UpstreamSessionNotFound;
impl UpstreamSessions {
/// Load the upstreams sessions cookie
pub fn load<K>(cookie_jar: &PrivateCookieJar<K>) -> Self {
cookie_jar
.get(COOKIE_NAME)
.and_then(|c| c.decode().ok())
.unwrap_or_default()
pub fn load(cookie_jar: &CookieJar) -> Self {
match cookie_jar.load(COOKIE_NAME) {
Ok(Some(sessions)) => sessions,
Ok(None) => Self::default(),
Err(e) => {
tracing::warn!("Invalid upstream sessions cookie: {}", e);
Self::default()
}
}
}
/// Save the upstreams sessions to the cookie jar
pub fn save<K, C>(self, cookie_jar: PrivateCookieJar<K>, clock: &C) -> PrivateCookieJar<K>
pub fn save<C>(self, cookie_jar: CookieJar, clock: &C) -> CookieJar
where
C: Clock,
{
let now = clock.now();
let this = self.expire(now);
let mut cookie = Cookie::named(COOKIE_NAME).encode(&this);
cookie.set_path("/");
cookie.set_http_only(true);
let expiration = now + Duration::seconds(SESSION_MAX_TIME_SECS);
let expiration = OffsetDateTime::from_unix_timestamp(expiration.timestamp())
.expect("invalid unix timestamp");
cookie.set_expires(expiration);
cookie_jar.add(cookie)
let this = self.expire(clock.now());
cookie_jar.save(COOKIE_NAME, &this, false)
}
fn expire(mut self, now: DateTime<Utc>) -> Self {

7
crates/handlers/src/upstream_oauth2/link.rs
View File

@@ -17,15 +17,14 @@ use axum::{
response::{Html, IntoResponse},
Form,
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, ProtectedForm},
SessionInfoExt,
};
use mas_data_model::{UpstreamOAuthProviderImportPreference, User};
use mas_jose::jwt::Jwt;
use mas_keystore::Encrypter;
use mas_storage::{
job::{JobRepositoryExt, ProvisionUserJob},
upstream_oauth2::{UpstreamOAuthLinkRepository, UpstreamOAuthSessionRepository},
@@ -170,7 +169,7 @@ pub(crate) async fn get(
clock: BoxClock,
mut repo: BoxRepository,
State(templates): State<Templates>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(link_id): Path<Ulid>,
) -> Result<impl IntoResponse, RouteError> {
let sessions_cookie = UpstreamSessionsCookie::load(&cookie_jar);
@@ -350,7 +349,7 @@ pub(crate) async fn post(
mut rng: BoxRng,
clock: BoxClock,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Path(link_id): Path<Ulid>,
Form(form): Form<ProtectedForm<FormData>>,
) -> Result<impl IntoResponse, RouteError> {

7
crates/handlers/src/views/account/emails/add.rs
View File

@@ -16,12 +16,11 @@ use axum::{
extract::{Form, Query, State},
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_keystore::Encrypter;
use mas_router::Route;
use mas_storage::{
job::{JobRepositoryExt, VerifyEmailJob},
@@ -44,7 +43,7 @@ pub(crate) async fn get(
clock: BoxClock,
State(templates): State<Templates>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<Response, FancyError> {
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(&clock, &mut rng);
let (session_info, cookie_jar) = cookie_jar.session_info();
@@ -70,7 +69,7 @@ pub(crate) async fn post(
mut rng: BoxRng,
clock: BoxClock,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Query(query): Query<OptionalPostAuthAction>,
Form(form): Form<ProtectedForm<EmailForm>>,
) -> Result<Response, FancyError> {

7
crates/handlers/src/views/account/emails/verify.rs
View File

@@ -17,12 +17,11 @@ use axum::{
extract::{Form, Path, Query, State},
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_keystore::Encrypter;
use mas_router::Route;
use mas_storage::{
job::{JobRepositoryExt, ProvisionUserJob},
@@ -53,7 +52,7 @@ pub(crate) async fn get(
mut repo: BoxRepository,
Query(query): Query<OptionalPostAuthAction>,
Path(id): Path<Ulid>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<Response, FancyError> {
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(&clock, &mut rng);
let (session_info, cookie_jar) = cookie_jar.session_info();
@@ -96,7 +95,7 @@ pub(crate) async fn get(
pub(crate) async fn post(
clock: BoxClock,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Query(query): Query<OptionalPostAuthAction>,
Path(id): Path<Ulid>,
Form(form): Form<ProtectedForm<CodeForm>>,

9
crates/handlers/src/views/account/password.rs
View File

@@ -18,13 +18,12 @@ use axum::{
http::StatusCode,
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_data_model::BrowserSession;
use mas_keystore::Encrypter;
use mas_router::Route;
use mas_storage::{
user::{BrowserSessionRepository, UserPasswordRepository},
@@ -51,7 +50,7 @@ pub(crate) async fn get(
State(templates): State<Templates>,
State(password_manager): State<PasswordManager>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<Response, FancyError> {
// If the password manager is disabled, we can go back to the account page.
if !password_manager.is_enabled() {
@@ -75,7 +74,7 @@ async fn render(
clock: &impl Clock,
templates: Templates,
session: BrowserSession,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<Response, FancyError> {
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock, rng);
@@ -95,7 +94,7 @@ pub(crate) async fn post(
State(password_manager): State<PasswordManager>,
State(templates): State<Templates>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Form(form): Form<ProtectedForm<ChangeForm>>,
) -> Result<Response, FancyError> {
if !password_manager.is_enabled() {

6
crates/handlers/src/views/app.rs
View File

@@ -16,9 +16,7 @@ use axum::{
extract::State,
response::{Html, IntoResponse},
};
use axum_extra::extract::PrivateCookieJar;
use mas_axum_utils::{FancyError, SessionInfoExt};
use mas_keystore::Encrypter;
use mas_axum_utils::{cookies::CookieJar, FancyError, SessionInfoExt};
use mas_router::{PostAuthAction, Route};
use mas_storage::BoxRepository;
use mas_templates::{AppContext, Templates};
@@ -27,7 +25,7 @@ use mas_templates::{AppContext, Templates};
pub async fn get(
State(templates): State<Templates>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<impl IntoResponse, FancyError> {
let (session_info, cookie_jar) = cookie_jar.session_info();
let session = session_info.load_session(&mut repo).await?;

6
crates/handlers/src/views/index.rs
View File

@@ -16,9 +16,7 @@ use axum::{
extract::State,
response::{Html, IntoResponse},
};
use axum_extra::extract::PrivateCookieJar;
use mas_axum_utils::{csrf::CsrfExt, FancyError, SessionInfoExt};
use mas_keystore::Encrypter;
use mas_axum_utils::{cookies::CookieJar, csrf::CsrfExt, FancyError, SessionInfoExt};
use mas_router::UrlBuilder;
use mas_storage::{BoxClock, BoxRepository, BoxRng};
use mas_templates::{IndexContext, TemplateContext, Templates};
@@ -30,7 +28,7 @@ pub async fn get(
State(templates): State<Templates>,
State(url_builder): State<UrlBuilder>,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<impl IntoResponse, FancyError> {
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(&clock, &mut rng);
let (session_info, cookie_jar) = cookie_jar.session_info();

7
crates/handlers/src/views/login.rs
View File

@@ -16,14 +16,13 @@ use axum::{
extract::{Form, Query, State},
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, CsrfToken, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_data_model::BrowserSession;
use mas_keystore::Encrypter;
use mas_router::{Route, UpstreamOAuth2Authorize};
use mas_storage::{
upstream_oauth2::UpstreamOAuthProviderRepository,
@@ -58,7 +57,7 @@ pub(crate) async fn get(
State(templates): State<Templates>,
mut repo: BoxRepository,
Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<Response, FancyError> {
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(&clock, &mut rng);
let (session_info, cookie_jar) = cookie_jar.session_info();
@@ -109,7 +108,7 @@ pub(crate) async fn post(
State(templates): State<Templates>,
mut repo: BoxRepository,
Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Form(form): Form<ProtectedForm<LoginForm>>,
) -> Result<Response, FancyError> {
if !password_manager.is_enabled() {

5
crates/handlers/src/views/logout.rs
View File

@@ -13,12 +13,11 @@
// limitations under the License.
use axum::{extract::Form, response::IntoResponse};
use axum_extra::extract::PrivateCookieJar;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_keystore::Encrypter;
use mas_router::{PostAuthAction, Route};
use mas_storage::{user::BrowserSessionRepository, BoxClock, BoxRepository};
@@ -26,7 +25,7 @@ use mas_storage::{user::BrowserSessionRepository, BoxClock, BoxRepository};
pub(crate) async fn post(
clock: BoxClock,
mut repo: BoxRepository,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Form(form): Form<ProtectedForm<Option<PostAuthAction>>>,
) -> Result<impl IntoResponse, FancyError> {
let form = cookie_jar.verify_form(&clock, form)?;

7
crates/handlers/src/views/reauth.rs
View File

@@ -17,13 +17,12 @@ use axum::{
extract::{Form, Query, State},
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_keystore::Encrypter;
use mas_router::Route;
use mas_storage::{
user::{BrowserSessionRepository, UserPasswordRepository},
@@ -49,7 +48,7 @@ pub(crate) async fn get(
State(templates): State<Templates>,
mut repo: BoxRepository,
Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<Response, FancyError> {
if !password_manager.is_enabled() {
// XXX: do something better here
@@ -89,7 +88,7 @@ pub(crate) async fn post(
State(password_manager): State<PasswordManager>,
mut repo: BoxRepository,
Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Form(form): Form<ProtectedForm<ReauthForm>>,
) -> Result<Response, FancyError> {
if !password_manager.is_enabled() {

7
crates/handlers/src/views/register.rs
View File

@@ -18,14 +18,13 @@ use axum::{
extract::{Form, Query, State},
response::{Html, IntoResponse, Response},
};
use axum_extra::extract::PrivateCookieJar;
use hyper::StatusCode;
use lettre::Address;
use mas_axum_utils::{
cookies::CookieJar,
csrf::{CsrfExt, CsrfToken, ProtectedForm},
FancyError, SessionInfoExt,
};
use mas_keystore::Encrypter;
use mas_policy::PolicyFactory;
use mas_router::Route;
use mas_storage::{
@@ -63,7 +62,7 @@ pub(crate) async fn get(
State(password_manager): State<PasswordManager>,
mut repo: BoxRepository,
Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
) -> Result<Response, FancyError> {
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(&clock, &mut rng);
let (session_info, cookie_jar) = cookie_jar.session_info();
@@ -104,7 +103,7 @@ pub(crate) async fn post(
State(templates): State<Templates>,
mut repo: BoxRepository,
Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>,
cookie_jar: CookieJar,
Form(form): Form<ProtectedForm<RegisterForm>>,
) -> Result<Response, FancyError> {
if !password_manager.is_enabled() {