Validate the session token with file uploads
File uploads now check the session token before continuing. Resolves: https://www.pivotaltracker.com/story/show/186174680
This commit is contained in:
parent
17ad927187
commit
48f8c4aaf5
|
@ -97,14 +97,15 @@ pub async fn handle_auth(
|
|||
}
|
||||
}
|
||||
|
||||
pub async fn handle_upload(
|
||||
_app: App,
|
||||
_token: SessionToken,
|
||||
) -> Result<http::Response<String>, Error> {
|
||||
println!("handle_upload");
|
||||
Response::builder()
|
||||
.status(StatusCode::NOT_IMPLEMENTED)
|
||||
.body("".to_owned())
|
||||
pub async fn handle_upload(app: App, token: SessionToken) -> Result<http::Response<String>, Error> {
|
||||
match app.validate_session(token).await {
|
||||
Ok(Some(_)) => Response::builder()
|
||||
.status(StatusCode::NOT_IMPLEMENTED)
|
||||
.body("".to_owned()),
|
||||
_ => Response::builder()
|
||||
.status(StatusCode::UNAUTHORIZED)
|
||||
.body("".to_owned()),
|
||||
}
|
||||
}
|
||||
|
||||
fn serve_file<F>(
|
||||
|
|
|
@ -159,26 +159,25 @@ fn with_app(app: App) -> impl Filter<Extract = (App,), Error = Infallible> + Clo
|
|||
warp::any().map(move || app.clone())
|
||||
}
|
||||
|
||||
fn parse_cookies(cookie_str: &str) -> Result<HashMap<String, String>, cookie::ParseError> {
|
||||
Cookie::split_parse(cookie_str)
|
||||
.map(|c| c.map(|c| (c.name().to_owned(), c.value().to_owned())))
|
||||
.collect::<Result<HashMap<String, String>, cookie::ParseError>>()
|
||||
}
|
||||
|
||||
fn get_session_token(cookies: HashMap<String, String>) -> Option<SessionToken> {
|
||||
cookies
|
||||
.get("session")
|
||||
.cloned()
|
||||
.and_then(|session| Some(SessionToken::from(session)))
|
||||
}
|
||||
|
||||
fn maybe_with_session() -> impl Filter<Extract = (Option<SessionToken>,), Error = Rejection> + Copy
|
||||
{
|
||||
warp::any()
|
||||
.and(warp::header::optional::<String>("cookie"))
|
||||
.map(|cookies| match cookies {
|
||||
Some(cookies) => {
|
||||
let c = Cookie::split_parse(cookies)
|
||||
.collect::<Result<Vec<Cookie>, cookie::ParseError>>();
|
||||
match c {
|
||||
Ok(cookies) => {
|
||||
for c in cookies {
|
||||
if c.name() == "session" {
|
||||
return Some(SessionToken::from(c.value()));
|
||||
}
|
||||
}
|
||||
None
|
||||
}
|
||||
Err(_) => None,
|
||||
}
|
||||
}
|
||||
.map(|cookie_str: Option<String>| match cookie_str {
|
||||
Some(cookie_str) => parse_cookies(&cookie_str).ok().and_then(get_session_token),
|
||||
None => None,
|
||||
})
|
||||
}
|
||||
|
@ -186,7 +185,12 @@ fn maybe_with_session() -> impl Filter<Extract = (Option<SessionToken>,), Error
|
|||
fn with_session() -> impl Filter<Extract = (SessionToken,), Error = Rejection> + Copy {
|
||||
warp::any()
|
||||
.and(warp::header::<String>("cookie"))
|
||||
.map(|token: String| SessionToken::from(token))
|
||||
.and_then(|cookie_str: String| async move {
|
||||
match parse_cookies(&cookie_str).ok().and_then(get_session_token) {
|
||||
Some(session_token) => Ok(session_token),
|
||||
None => Err(warp::reject()),
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
#[tokio::main]
|
||||
|
@ -220,7 +224,7 @@ pub async fn main() {
|
|||
.and(warp::filters::body::form())
|
||||
.then(handle_auth);
|
||||
|
||||
let upload_handler = warp::path!("upload")
|
||||
let upload_via_form = warp::path!("upload")
|
||||
.and(warp::post())
|
||||
.and(with_app(app.clone()))
|
||||
.and(with_session())
|
||||
|
@ -239,13 +243,13 @@ pub async fn main() {
|
|||
.then(move |id, old_etags, app: App| file(app, id, old_etags));
|
||||
|
||||
let server = warp::serve(
|
||||
root.or(auth).with(log), /*
|
||||
root.or(auth)
|
||||
.or(thumbnail)
|
||||
.or(file)
|
||||
.or(upload_handler)
|
||||
.with(log),
|
||||
*/
|
||||
root.or(auth).or(upload_via_form).with(log), /*
|
||||
root.or(auth)
|
||||
.or(thumbnail)
|
||||
.or(file)
|
||||
.or(upload_handler)
|
||||
.with(log),
|
||||
*/
|
||||
);
|
||||
|
||||
server
|
||||
|
|
Loading…
Reference in New Issue