From 40b3e685b00f9a9f25908a85f79960913e668622 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Fri, 31 Jan 2020 21:43:39 -0500
Subject: Wipe password from user struct before returning
---
 src/db.rs | 35 ++++++++++++++++++++---------------
 src/main.rs | 5 ++++-
 src/models.rs | 24 ++++++++----------------
 src/schema.rs | 5 +----
 src/server.rs | 22 ++++++++++------------
 5 files changed, 43 insertions(+), 48 deletions(-)
diff --git a/src/db.rs b/src/db.rs
index 3f94ff2..077c165 100644
--- a/src/db.rs
+++ b/src/db.rs
@@ -1,8 +1,9 @@
 use crate::error::Error;
 use crate::models;
-use diesel::dsl::select;
-use diesel::dsl::exists;
+use bcrypt;
 use diesel::connection::Connection;
+use diesel::dsl::exists;
+use diesel::dsl::select;
 use diesel::pg::PgConnection;
 use diesel::ExpressionMethods;
 use diesel::QueryDsl;
@@ -25,7 +26,8 @@ pub fn create_config(conn: &PgConnection, config: &models::Config) -> Result<(),
 pub fn get_config(conn: &PgConnection) -> Result {
 use crate::schema::config;
- config::table.get_result::(conn)
+ config::table
+ .get_result::(conn)
 .map_err(From::from)
 }
@@ -34,7 +36,10 @@ pub fn adduser(conn: &PgConnection, username: &str, password: &str) -> Result<()
 let hashed = bcrypt::hash(password, COST)?;
 let rows = diesel::insert_into(users::table)
- .values(models::User::new(username, &hashed))
+ .values(models::NewUser {
+ username,
+ password: &hashed,
+ })
 .execute(conn)?;
 if rows != 1 {
 Err(Error::AlreadyExists)?;
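Review bot: The added `use bcrypt;` in the first src/db.rs hunk looks redundant: `adduser` already called `bcrypt::hash` through the crate path before this commit, and the file's `crate::` paths suggest the 2018 edition, where a single-component import like this has no effect (clippy reports it as `single_component_path_imports`). In the same hunk `diesel::dsl::exists` and `diesel::dsl::select` are kept and re-sorted, but their only visible user, `user_exists`, is deleted later in this commit, so they are probably unused now. Drop all three lines unless code outside the visible hunks still needs them.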
@@ -45,28 +50,28 @@ pub fn adduser(conn: &PgConnection, username: &str, password: &str) -> Result<()
 pub fn authenticate(
 conn: &PgConnection,
 username: &str,
- password: &str,
+ typed_password: &str,
 ) -> Result {
 use crate::schema::users;
- let user: models::User = users::table
+ let mut user = users::table
 .filter(users::username.eq(username))
- .get_result(conn)?;
+ .get_result::(conn)?;
- if user.verify(password)? {
+ if bcrypt::verify(typed_password, &user.password)? {
+ user.password = "".to_string();
 Ok(user)
 } else {
 Err(Error::NotFound)
 }
 }
-pub fn user_exists(
- conn: &PgConnection,
- username: &str) -> Result {
+pub fn get_user(conn: &PgConnection, username: &str) -> Result {
 use crate::schema::users;
- let result = select(exists(users::table.filter(users::username.eq(username))))
- .get_result(conn)
- .map_err(|err| err)?;
- Ok(result)
+ let mut user = users::table
+ .filter(users::username.eq(username))
+ .get_result::(conn)?;
+ user.password = "".to_string();
+ Ok(user)
 }
diff --git a/src/main.rs b/src/main.rs
index 70cd9d6..6026f12 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -67,7 +67,10 @@ fn main() {
 if let Some(matches) = matches.subcommand_matches("init") {
 let config = pjournal::models::Config {
 strava_client_id: matches.value_of("strava_client_id").unwrap().to_string(),
- strava_client_secret: matches.value_of("strava_client_secret").unwrap().to_string(),
+ strava_client_secret: matches
+ .value_of("strava_client_secret")
+ .unwrap()
+ .to_string(),
 rocket_secret_key: matches.value_of("rocket_secret_key").unwrap().to_string(),
 singleton: true,
 };
diff --git a/src/models.rs b/src/models.rs
index 10f7d68..3b35693 100644
--- a/src/models.rs
+++ b/src/models.rs
@@ -1,7 +1,6 @@
 use crate::error::Error;
 use crate::schema::config;
 use crate::schema::users;
-use bcrypt;
 #[derive(Insertable, Queryable)]
 #[table_name = "config"]
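Review bot: In src/db.rs, `authenticate` and `get_user` each clear the hash by hand with `user.password = "".to_string();`, so the guarantee in the commit title depends on every future query function repeating that line, while the second src/models.rs hunk makes `password` a `pub` field on the struct handed to callers. Assigning a new `String` also only drops the old buffer without overwriting it, so the bcrypt hash bytes are not actually wiped from memory. A sturdier shape keeps the hash out of the returned type altogether: load it into a row struct private to db.rs and return a `User` with no `password` field, as sketched below. The sketch assumes `models::User` is reduced to `username` and that `get_user` then selects only that column. If the field stays, a doc comment on it such as `/// bcrypt hash; cleared by db.rs before a User leaves that module` would at least record the invariant.

```rust
// Private to db.rs: the only type that ever holds the bcrypt hash.
#[derive(Queryable)]
struct UserRow {
    username: String,
    password: String,
}

// … unchanged: signature of authenticate …
    use crate::schema::users;

    let row = users::table
        .filter(users::username.eq(username))
        .get_result::<UserRow>(conn)?;

    if bcrypt::verify(typed_password, &row.password)? {
        // models::User would no longer carry a password field.
        Ok(models::User { username: row.username })
    } else {
        Err(Error::NotFound)
    }
}
```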
@@ -12,22 +11,15 @@ pub struct Config {
 pub singleton: bool,
 }
-#[derive(Insertable, Queryable)]
+#[derive(Insertable)]
 #[table_name = "users"]
-pub struct User {
- pub username: String,
- password: String,
+pub struct NewUser<'a> {
+ pub username: &'a str,
+ pub password: &'a str,
 }
-impl User {
- pub fn new(username: &str, password: &str) -> User {
- User {
- username: username.to_string(),
- password: password.to_string(),
- }
- }
-
- pub fn verify(&self, password: &str) -> Result {
- bcrypt::verify(password, &self.password).map_err(|e| From::from(e))
- }
+#[derive(Queryable)]
+pub struct User {
+ pub username: String,
+ pub password: String,
 }
diff --git a/src/schema.rs b/src/schema.rs
index 809706c..055d6d0 100644
--- a/src/schema.rs
+++ b/src/schema.rs
@@ -14,7 +14,4 @@ table! {
 }
 }
-allow_tables_to_appear_in_same_query!(
- config,
- users,
-);
+allow_tables_to_appear_in_same_query!(config, users,);
diff --git a/src/server.rs b/src/server.rs
index 40e6b87..275ffed 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -1,8 +1,8 @@
-use rocket::http::Cookies;
-use rocket::http::Cookie;
 use rocket::config::Config;
 use rocket::config::Environment;
 use rocket::config::Value;
+use rocket::http::Cookie;
+use rocket::http::Cookies;
 use rocket::http::Status;
 use rocket::request;
 use rocket::request::Form;
@@ -33,21 +33,19 @@ pub struct LoggedInUser {
 impl<'a, 'r> FromRequest<'a, 'r> for LoggedInUser {
 type Error = Error;
- fn from_request(request: &'a Request<'r>)
- -> request::Outcome {
- let conn = request.guard::()
+ fn from_request(request: &'a Request<'r>) -> request::Outcome {
+ let conn = request
+ .guard::()
 .map_failure(|(s, ())| (s, Error::InternalError))?;
 let user = (|| {
- let username = request.cookies()
+ let username = request
+ .cookies()
 .get_private("user")
 .map(|cookie| cookie.value().to_string())
 .ok_or(Error::NotFound)?;
- if db::user_exists(&conn, &username)? {
- Ok(LoggedInUser{username: username})
- } else {
- Err(Error::NotFound)
- }
+ db::get_user(&conn, &username)?;
+ Ok(LoggedInUser { username: username })
 })();
 use request::Outcome;
@@ -92,7 +90,7 @@ fn login_submit(conn: Db, data: Form, mut cookies: Cookies) -> Result
 Ok(_user) => {
 cookies.add_private(Cookie::new("user", data.username.clone()));
 Ok(Redirect::to(uri!(index).to_string()))
- },
+ }
 Err(Error::NotFound) => Ok(Redirect::to(uri!(login: failed = true).to_string())),
 Err(e) => Err(e),
 }
-- cgit v1.2.3
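Review bot: In `from_request`, `db::get_user(&conn, &username)?;` now loads the whole `users` row, bcrypt hash included, on every request that carries the `user` cookie, and then discards the result. The removed `user_exists` answered the same question with `select(exists(...))` and never brought the hash into the process, so this guard now works against the purpose stated in the commit title. Either keep an existence-only query for the guard or have the lookup fetch just the username column, e.g. `users::table.select(users::username).filter(users::username.eq(username)).get_result::<String>(conn)?`. The body of `from_request` continues past the end of this hunk.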