From 519e800b33b29ba435815b2c6d2c37b87275f863 Mon Sep 17 00:00:00 2001
From: SleeplessOne1917
Date: Fri, 22 Sep 2023 21:26:27 -0400
Subject: [PATCH] feat: Replace ad hoc auth header with internet standard bearer token auth header

---
 Cargo.lock | 17 +++++++++++++++++
 Cargo.toml | 2 ++
 crates/api_crud/Cargo.toml | 1 +
 crates/utils/translations | 2 +-
 src/session_middleware.rs | 18 ++++++------------
 5 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 6426d317d..a8f97c146 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -314,6 +314,21 @@ dependencies = [
 "syn 1.0.103",
 ]
 
+[[package]]
+name = "actix-web-httpauth"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d613edf08a42ccc6864c941d30fe14e1b676a77d16f1dbadc1174d065a0a775"
+dependencies = [
+ "actix-utils",
+ "actix-web",
+ "base64 0.21.2",
+ "futures-core",
+ "futures-util",
+ "log",
+ "pin-project-lite",
+]
+
 [[package]]
 name = "actix-web-prom"
 version = "0.6.0"
@@ -2672,6 +2687,7 @@ version = "0.18.1"
 dependencies = [
 "activitypub_federation",
 "actix-web",
+ "actix-web-httpauth",
 "async-trait",
 "bcrypt",
 "chrono",
@@ -2867,6 +2883,7 @@ dependencies = [
 "activitypub_federation",
 "actix-cors",
 "actix-web",
+ "actix-web-httpauth",
 "actix-web-prom",
 "chrono",
 "clap",
diff --git a/Cargo.toml b/Cargo.toml
index 723d7aabf..704044788 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -83,6 +83,7 @@ actix-web = { version = "4.3.1", default-features = false, features = [
 "compress-gzip",
 "compress-zstd",
 ] }
+actix-web-httpauth = "0.8.1"
 tracing = "0.1.37"
 tracing-actix-web = { version = "0.7.5", default-features = false }
 tracing-error = "0.2.0"
@@ -169,3 +170,4 @@ actix-web-prom = { version = "0.6.0", optional = true }
 serial_test = { workspace = true }
 clap = { version = "4.3.19", features = ["derive"] }
 lemmy_federate = { version = "0.18.1", path = "crates/federate" }
+actix-web-httpauth = { workspace = true }
diff --git a/crates/api_crud/Cargo.toml b/crates/api_crud/Cargo.toml
index 06e29044b..f39c76ca5 100644
--- a/crates/api_crud/Cargo.toml
+++ b/crates/api_crud/Cargo.toml
@@ -18,6 +18,7 @@ activitypub_federation = { workspace = true }
 bcrypt = { workspace = true }
 serde = { workspace = true }
 actix-web = { workspace = true }
+actix-web-httpauth = { workspace = true }
 tracing = { workspace = true }
 url = { workspace = true }
 async-trait = { workspace = true }
diff --git a/crates/utils/translations b/crates/utils/translations
index 1c42c5794..a0f95fc29 160000
--- a/crates/utils/translations
+++ b/crates/utils/translations
@@ -1 +1 @@
-Subproject commit 1c42c579460871de7b4ea18e58dc25543b80d289
+Subproject commit a0f95fc29b7501156b6d8bbb504b1e787b5769e7
diff --git a/src/session_middleware.rs b/src/session_middleware.rs
index c48f6f1c7..e17f597e6 100644
--- a/src/session_middleware.rs
+++ b/src/session_middleware.rs
@@ -2,17 +2,15 @@ use actix_web::{
 body::MessageBody,
 cookie::SameSite,
 dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
- http::header::CACHE_CONTROL,
- Error,
- HttpMessage,
+ http::header::{Header, CACHE_CONTROL},
+ Error, HttpMessage,
 };
+use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
 use chrono::{DateTime, Utc};
 use core::future::Ready;
 use futures_util::future::LocalBoxFuture;
 use lemmy_api_common::{
- context::LemmyContext,
- lemmy_db_views::structs::LocalUserView,
- utils::check_user_valid,
+ context::LemmyContext, lemmy_db_views::structs::LocalUserView, utils::check_user_valid,
 };
 use lemmy_db_schema::newtypes::LocalUserId;
 use lemmy_utils::{
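Review bot: The actix-web-httpauth dependency is added to crates/api_crud/Cargo.toml, but the diffstat in the patch header lists no source file under crates/api_crud, so nothing in this patch uses the crate there; unless code outside the patch already references it, the entry is a dead dependency. Every extra crate pulled into a workspace member widens the supply-chain surface that has to be audited and the build graph, so I would drop the line `actix-web-httpauth = { workspace = true }` from this manifest and keep only the root Cargo.toml entry, where src/session_middleware.rs is the one visible consumer. If a follow-up in api_crud is expected to use it, a one-line comment above the entry saying so would make the intent clear to the next reader.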
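Review bot: The new side of the session_middleware.rs import hunk rewrites lines this change does not otherwise touch — `Error,` and `HttpMessage,` are joined onto one line, and the three `lemmy_api_common` items are collapsed onto a single line — which looks like the patch was formatted with different rustfmt settings than the surrounding file, whose removed lines consistently use one item per line. That noise hides the two intentional edits in the hunk, importing the `Header` trait and adding `use actix_web_httpauth::headers::authorization::{Authorization, Bearer};`, and it will churn back the next time someone runs the project's formatter. I would keep the original one-item-per-line layout, i.e. `http::header::{Header, CACHE_CONTROL},` followed by `Error,` and `HttpMessage,` on their own lines and the same for the `lemmy_api_common` items, and re-run cargo fmt with the repository's rustfmt configuration, if it has one, before merging.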
@@ -76,13 +74,9 @@ where
 let context = self.context.clone();
 Box::pin(async move {
- // Try reading jwt from auth header
- let auth_header = req
- .headers()
- .get(AUTH_COOKIE_NAME)
- .and_then(|h| h.to_str().ok());
+ let auth_header = Authorization::::parse(&req).ok();
 let jwt = if let Some(a) = auth_header {
- Some(a.to_string())
+ Some(a.as_ref().token().to_string())
 }
 // If that fails, try auth cookie. Dont use the `jwt` cookie from lemmy-ui because
 // its not http-only.