make session key unguessable

Cargo.lock

@@ -466,6 +466,12 @@ dependencies = [
  "syn 1.0.109",
 ]
 
+[[package]]
+name = "lazy_static"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+
 [[package]]
 name = "libc"
 version = "0.2.153"
@@ -674,6 +680,8 @@ dependencies = [
  "askama_axum",
  "axum",
  "justerror",
+ "lazy_static",
+ "rand",
  "serde",
  "thiserror",
  "time",

Cargo.toml

@@ -8,6 +8,8 @@ askama = { version = "0.12", default-features = false, features = ["with-axum",
 askama_axum = { version = "0.4.0", default-features = false }
 axum = { version = "0.7", default-features = false, features = ["tokio", "http1", "form"] }
 justerror = { version = "1" }
+lazy_static = "1.4.0"
+rand = { version = "0.8.5", default-features = false, features = ["getrandom"] }
 serde = { version = "1", default-features = false, features = ["derive"] }
 thiserror = { version = "1" }
 time = { version = "0.3.34", default-features = false }

src/handlers.rs

@@ -5,19 +5,22 @@ use axum::{
     http::StatusCode,
     response::{IntoResponse, Redirect, Response},
 };
+use rand::random;
 use serde::Deserialize;
 use tower_sessions::Session;
 use unicode_segmentation::UnicodeSegmentation;
 
 use crate::{templates::*, User};
 
-const SIGNUP_KEY: &str = "meow";
-
 const PASSWORD_LEN: RangeInclusive<usize> = 4..=100;
 const USERNAME_LEN: RangeInclusive<usize> = 1..=50;
 const DISPLAYNAME_LEN: RangeInclusive<usize> = 0..=100;
 const EMAIL_LEN: RangeInclusive<usize> = 4..=50;
 
+lazy_static! {
+    static ref SIGNUP_KEY: String = format!("meow-{}", random::<u128>());
+}
+
 #[Error(desc = "Could not create user.")]
 #[non_exhaustive]
 pub struct CreateUserError(#[from] CreateUserErrorKind);
@@ -66,7 +69,7 @@ pub async fn post_signup(
     Form(form): Form<SignupForm>,
 ) -> Result<impl IntoResponse, CreateUserError> {
     let user = validate_signup(&form).await?;
-    session.insert(SIGNUP_KEY, user).await.unwrap();
+    session.insert(&SIGNUP_KEY, user).await.unwrap();
 
     Ok(Redirect::to(
         "https://buy.stripe.com/test_eVa6rrb7ygjNbwk000",
@@ -89,7 +92,7 @@ pub async fn post_edit_signup(
 
 /// Called from Stripe with the receipt of payment.
 pub async fn payment_success(session: Session, receipt: Option<Path<String>>) -> impl IntoResponse {
-    let user: User = session.get(SIGNUP_KEY).await.unwrap().unwrap_or_default();
+    let user: User = session.get(&SIGNUP_KEY).await.unwrap().unwrap_or_default();
     if user == User::default() {
         return SignupErrorPage("who you?".to_string()).into_response();
     }

src/main.rs

@@ -7,6 +7,9 @@ use tower_sessions::{Expiry, MemoryStore, SessionManagerLayer};
 #[macro_use]
 extern crate justerror;
 
+#[macro_use]
+extern crate lazy_static;
+
 mod handlers;
 use handlers::{get_signup, payment_success, post_signup};