make session key unguessable

This commit is contained in:
Joe Ardent 2024-02-26 17:07:40 -08:00
parent d985211b66
commit 5e8d2d398f
4 changed files with 20 additions and 4 deletions

8
Cargo.lock generated
View file

@ -466,6 +466,12 @@ dependencies = [
"syn 1.0.109", "syn 1.0.109",
] ]
[[package]]
name = "lazy_static"
version = "1.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
[[package]] [[package]]
name = "libc" name = "libc"
version = "0.2.153" version = "0.2.153"
@ -674,6 +680,8 @@ dependencies = [
"askama_axum", "askama_axum",
"axum", "axum",
"justerror", "justerror",
"lazy_static",
"rand",
"serde", "serde",
"thiserror", "thiserror",
"time", "time",

View file

@ -8,6 +8,8 @@ askama = { version = "0.12", default-features = false, features = ["with-axum",
askama_axum = { version = "0.4.0", default-features = false } askama_axum = { version = "0.4.0", default-features = false }
axum = { version = "0.7", default-features = false, features = ["tokio", "http1", "form"] } axum = { version = "0.7", default-features = false, features = ["tokio", "http1", "form"] }
justerror = { version = "1" } justerror = { version = "1" }
lazy_static = "1.4.0"
rand = { version = "0.8.5", default-features = false, features = ["getrandom"] }
serde = { version = "1", default-features = false, features = ["derive"] } serde = { version = "1", default-features = false, features = ["derive"] }
thiserror = { version = "1" } thiserror = { version = "1" }
time = { version = "0.3.34", default-features = false } time = { version = "0.3.34", default-features = false }

View file

@ -5,19 +5,22 @@ use axum::{
http::StatusCode, http::StatusCode,
response::{IntoResponse, Redirect, Response}, response::{IntoResponse, Redirect, Response},
}; };
use rand::random;
use serde::Deserialize; use serde::Deserialize;
use tower_sessions::Session; use tower_sessions::Session;
use unicode_segmentation::UnicodeSegmentation; use unicode_segmentation::UnicodeSegmentation;
use crate::{templates::*, User}; use crate::{templates::*, User};
const SIGNUP_KEY: &str = "meow";
const PASSWORD_LEN: RangeInclusive<usize> = 4..=100; const PASSWORD_LEN: RangeInclusive<usize> = 4..=100;
const USERNAME_LEN: RangeInclusive<usize> = 1..=50; const USERNAME_LEN: RangeInclusive<usize> = 1..=50;
const DISPLAYNAME_LEN: RangeInclusive<usize> = 0..=100; const DISPLAYNAME_LEN: RangeInclusive<usize> = 0..=100;
const EMAIL_LEN: RangeInclusive<usize> = 4..=50; const EMAIL_LEN: RangeInclusive<usize> = 4..=50;
lazy_static! {
static ref SIGNUP_KEY: String = format!("meow-{}", random::<u128>());
}
#[Error(desc = "Could not create user.")] #[Error(desc = "Could not create user.")]
#[non_exhaustive] #[non_exhaustive]
pub struct CreateUserError(#[from] CreateUserErrorKind); pub struct CreateUserError(#[from] CreateUserErrorKind);
@ -66,7 +69,7 @@ pub async fn post_signup(
Form(form): Form<SignupForm>, Form(form): Form<SignupForm>,
) -> Result<impl IntoResponse, CreateUserError> { ) -> Result<impl IntoResponse, CreateUserError> {
let user = validate_signup(&form).await?; let user = validate_signup(&form).await?;
session.insert(SIGNUP_KEY, user).await.unwrap(); session.insert(&SIGNUP_KEY, user).await.unwrap();
Ok(Redirect::to( Ok(Redirect::to(
"https://buy.stripe.com/test_eVa6rrb7ygjNbwk000", "https://buy.stripe.com/test_eVa6rrb7ygjNbwk000",
@ -89,7 +92,7 @@ pub async fn post_edit_signup(
/// Called from Stripe with the receipt of payment. /// Called from Stripe with the receipt of payment.
pub async fn payment_success(session: Session, receipt: Option<Path<String>>) -> impl IntoResponse { pub async fn payment_success(session: Session, receipt: Option<Path<String>>) -> impl IntoResponse {
let user: User = session.get(SIGNUP_KEY).await.unwrap().unwrap_or_default(); let user: User = session.get(&SIGNUP_KEY).await.unwrap().unwrap_or_default();
if user == User::default() { if user == User::default() {
return SignupErrorPage("who you?".to_string()).into_response(); return SignupErrorPage("who you?".to_string()).into_response();
} }

View file

@ -7,6 +7,9 @@ use tower_sessions::{Expiry, MemoryStore, SessionManagerLayer};
#[macro_use] #[macro_use]
extern crate justerror; extern crate justerror;
#[macro_use]
extern crate lazy_static;
mod handlers; mod handlers;
use handlers::{get_signup, payment_success, post_signup}; use handlers::{get_signup, payment_success, post_signup};