Validate the session token with file uploads

File uploads now check the session token before continuing.

Resolves: https://www.pivotaltracker.com/story/show/186174680
This commit is contained in:
Savanni D'Gerinel 2023-10-03 17:30:43 -04:00
parent 17ad927187
commit 48f8c4aaf5
2 changed files with 38 additions and 33 deletions

View File

@ -97,14 +97,15 @@ pub async fn handle_auth(
}
}
pub async fn handle_upload(
_app: App,
_token: SessionToken,
) -> Result<http::Response<String>, Error> {
println!("handle_upload");
Response::builder()
.status(StatusCode::NOT_IMPLEMENTED)
.body("".to_owned())
pub async fn handle_upload(app: App, token: SessionToken) -> Result<http::Response<String>, Error> {
match app.validate_session(token).await {
Ok(Some(_)) => Response::builder()
.status(StatusCode::NOT_IMPLEMENTED)
.body("".to_owned()),
_ => Response::builder()
.status(StatusCode::UNAUTHORIZED)
.body("".to_owned()),
}
}
fn serve_file<F>(

View File

@ -159,26 +159,25 @@ fn with_app(app: App) -> impl Filter<Extract = (App,), Error = Infallible> + Clo
warp::any().map(move || app.clone())
}
fn parse_cookies(cookie_str: &str) -> Result<HashMap<String, String>, cookie::ParseError> {
Cookie::split_parse(cookie_str)
.map(|c| c.map(|c| (c.name().to_owned(), c.value().to_owned())))
.collect::<Result<HashMap<String, String>, cookie::ParseError>>()
}
fn get_session_token(cookies: HashMap<String, String>) -> Option<SessionToken> {
cookies
.get("session")
.cloned()
.and_then(|session| Some(SessionToken::from(session)))
}
fn maybe_with_session() -> impl Filter<Extract = (Option<SessionToken>,), Error = Rejection> + Copy
{
warp::any()
.and(warp::header::optional::<String>("cookie"))
.map(|cookies| match cookies {
Some(cookies) => {
let c = Cookie::split_parse(cookies)
.collect::<Result<Vec<Cookie>, cookie::ParseError>>();
match c {
Ok(cookies) => {
for c in cookies {
if c.name() == "session" {
return Some(SessionToken::from(c.value()));
}
}
None
}
Err(_) => None,
}
}
.map(|cookie_str: Option<String>| match cookie_str {
Some(cookie_str) => parse_cookies(&cookie_str).ok().and_then(get_session_token),
None => None,
})
}
@ -186,7 +185,12 @@ fn maybe_with_session() -> impl Filter<Extract = (Option<SessionToken>,), Error
fn with_session() -> impl Filter<Extract = (SessionToken,), Error = Rejection> + Copy {
warp::any()
.and(warp::header::<String>("cookie"))
.map(|token: String| SessionToken::from(token))
.and_then(|cookie_str: String| async move {
match parse_cookies(&cookie_str).ok().and_then(get_session_token) {
Some(session_token) => Ok(session_token),
None => Err(warp::reject()),
}
})
}
#[tokio::main]
@ -220,7 +224,7 @@ pub async fn main() {
.and(warp::filters::body::form())
.then(handle_auth);
let upload_handler = warp::path!("upload")
let upload_via_form = warp::path!("upload")
.and(warp::post())
.and(with_app(app.clone()))
.and(with_session())
@ -239,13 +243,13 @@ pub async fn main() {
.then(move |id, old_etags, app: App| file(app, id, old_etags));
let server = warp::serve(
root.or(auth).with(log), /*
root.or(auth)
.or(thumbnail)
.or(file)
.or(upload_handler)
.with(log),
*/
root.or(auth).or(upload_via_form).with(log), /*
root.or(auth)
.or(thumbnail)
.or(file)
.or(upload_handler)
.with(log),
*/
);
server