Update cookie management a bit

Update to latest rocket_csrf
Make the user_id cookie SameSite=Lax (see https://github.com/Plume-org/Plume/issues/233#issuecomment-422660275)
This commit is contained in:
Trinity Pointard 2018-09-30 11:56:12 +02:00
parent 1e3f40833d
commit fceb9ab0cd
4 changed files with 9 additions and 7 deletions

Cargo.lock generated

@ -1485,7 +1485,7 @@ dependencies = [
"rocket 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)", "rocket 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)",
"rocket_codegen 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)", "rocket_codegen 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)",
"rocket_contrib 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)", "rocket_contrib 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)",
"rocket_csrf 0.1.0 (git+https://github.com/fdb-hiroshima/rocket_csrf?rev=5d23ba4c6c2ee4c41040d428d24344db3d29997f)", "rocket_csrf 0.1.0 (git+https://github.com/fdb-hiroshima/rocket_csrf?rev=b326a9893a1849c9abdb39cab9fd7c4a52eb9674)",
"rocket_i18n 0.1.1 (git+https://github.com/BaptisteGelez/rocket_i18n?rev=75a3bfd7b847324c078a355a7f101f8241a9f59b)", "rocket_i18n 0.1.1 (git+https://github.com/BaptisteGelez/rocket_i18n?rev=75a3bfd7b847324c078a355a7f101f8241a9f59b)",
"rpassword 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)", "rpassword 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
"serde 1.0.77 (registry+https://github.com/rust-lang/crates.io-index)", "serde 1.0.77 (registry+https://github.com/rust-lang/crates.io-index)",
@ -1861,7 +1861,7 @@ dependencies = [
[[package]] [[package]]
name = "rocket_csrf" name = "rocket_csrf"
version = "0.1.0" version = "0.1.0"
source = "git+https://github.com/fdb-hiroshima/rocket_csrf?rev=5d23ba4c6c2ee4c41040d428d24344db3d29997f#5d23ba4c6c2ee4c41040d428d24344db3d29997f" source = "git+https://github.com/fdb-hiroshima/rocket_csrf?rev=b326a9893a1849c9abdb39cab9fd7c4a52eb9674#b326a9893a1849c9abdb39cab9fd7c4a52eb9674"
dependencies = [ dependencies = [
"csrf 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)", "csrf 0.3.0 (registry+https://github.com/rust-lang/crates.io-index)",
"data-encoding 2.1.1 (registry+https://github.com/rust-lang/crates.io-index)", "data-encoding 2.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
@ -2963,7 +2963,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
"checksum rocket_codegen 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)" = "<none>" "checksum rocket_codegen 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)" = "<none>"
"checksum rocket_codegen_next 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)" = "<none>" "checksum rocket_codegen_next 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)" = "<none>"
"checksum rocket_contrib 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)" = "<none>" "checksum rocket_contrib 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)" = "<none>"
"checksum rocket_csrf 0.1.0 (git+https://github.com/fdb-hiroshima/rocket_csrf?rev=5d23ba4c6c2ee4c41040d428d24344db3d29997f)" = "<none>" "checksum rocket_csrf 0.1.0 (git+https://github.com/fdb-hiroshima/rocket_csrf?rev=b326a9893a1849c9abdb39cab9fd7c4a52eb9674)" = "<none>"
"checksum rocket_http 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)" = "<none>" "checksum rocket_http 0.4.0-dev (git+https://github.com/SergioBenitez/Rocket?rev=55459db7732b9a240826a5c120c650f87e3372ce)" = "<none>"
"checksum rocket_i18n 0.1.1 (git+https://github.com/BaptisteGelez/rocket_i18n?rev=75a3bfd7b847324c078a355a7f101f8241a9f59b)" = "<none>" "checksum rocket_i18n 0.1.1 (git+https://github.com/BaptisteGelez/rocket_i18n?rev=75a3bfd7b847324c078a355a7f101f8241a9f59b)" = "<none>"
"checksum rpassword 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d127299b02abda51634f14025aec43ae87a7aa7a95202b6a868ec852607d1451" "checksum rpassword 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)" = "d127299b02abda51634f14025aec43ae87a7aa7a95202b6a868ec852607d1451"


@ -56,7 +56,7 @@ rev = "55459db7732b9a240826a5c120c650f87e3372ce"
[dependencies.rocket_csrf] [dependencies.rocket_csrf]
git = "https://github.com/fdb-hiroshima/rocket_csrf" git = "https://github.com/fdb-hiroshima/rocket_csrf"
rev = "5d23ba4c6c2ee4c41040d428d24344db3d29997f" rev = "b326a9893a1849c9abdb39cab9fd7c4a52eb9674"
[dependencies.rocket_i18n] [dependencies.rocket_i18n]
git = "https://github.com/BaptisteGelez/rocket_i18n" git = "https://github.com/BaptisteGelez/rocket_i18n"


@ -165,7 +165,7 @@ fn main() {
.add_exceptions(vec![ .add_exceptions(vec![
("/inbox".to_owned(), "/inbox".to_owned(), rocket::http::Method::Post), ("/inbox".to_owned(), "/inbox".to_owned(), rocket::http::Method::Post),
("/@/<name>/inbox".to_owned(), "/@/<name>/inbox".to_owned(), rocket::http::Method::Post), ("/@/<name>/inbox".to_owned(), "/@/<name>/inbox".to_owned(), rocket::http::Method::Post),
("/~/<blog>/<slug>".to_owned(), "/~/<blog>/<slug>".to_owned(), rocket::http::Method::Post), ("/login".to_owned(), "/login".to_owned(), rocket::http::Method::Post),
]) ])
.finalize().unwrap()) .finalize().unwrap())
.launch(); .launch();
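Review bot: The new fourth entry of the `add_exceptions` list lets POST `/login` bypass the CSRF fairing, and nothing in the hunk records why; an unauthenticated endpoint that establishes a session is exactly where a cross-site form submission can log a visitor into an account they did not choose (login CSRF), and the SameSite=Lax session cookie this commit introduces elsewhere does not by itself prevent that. If the reason is that the login form cannot yet carry a token, say so next to the entry, e.g. `// POST /login is CSRF-exempt: <reason — TODO confirm>; revisit once the login form can carry a token`, and if rocket_csrf can issue a token to an unauthenticated visitor, a token on the login form is the safer option. Dropping the `/~/<blog>/<slug>` POST exception restores the check on that route, which the commit message does not mention. `main` starts before this hunk.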


@ -1,5 +1,5 @@
use rocket::{ use rocket::{
http::{Cookie, Cookies, uri::Uri}, http::{Cookie, Cookies, SameSite, uri::Uri},
response::Redirect, response::Redirect,
request::{LenientForm,FlashMessage} request::{LenientForm,FlashMessage}
}; };
@ -72,7 +72,9 @@ fn create(conn: DbConn, data: LenientForm<LoginForm>, flash: Option<FlashMessage
} }
if errors.is_empty() { if errors.is_empty() {
cookies.add_private(Cookie::new(AUTH_COOKIE, user.unwrap().id.to_string())); cookies.add_private(Cookie::build(AUTH_COOKIE, user.unwrap().id.to_string())
.same_site(SameSite::Lax)
.finish());
let destination = flash let destination = flash
.and_then(|f| if f.name() == "callback" { .and_then(|f| if f.name() == "callback" {