From f2bbb4e720e5b6f50524d8ddc0a6bd215486c579 Mon Sep 17 00:00:00 2001 From: Savanni D'Gerinel Date: Tue, 3 Oct 2023 17:30:43 -0400 Subject: [PATCH] Validate the session token with file uploads File uploads now check the session token before continuing. Resolves: https://www.pivotaltracker.com/story/show/186174680 --- file-service/src/handlers.rs | 17 ++++++------ file-service/src/main.rs | 54 +++++++++++++++++++----------------- 2 files changed, 38 insertions(+), 33 deletions(-) diff --git a/file-service/src/handlers.rs b/file-service/src/handlers.rs index 6f3fdc7..b9004ee 100644 --- a/file-service/src/handlers.rs +++ b/file-service/src/handlers.rs @@ -97,14 +97,15 @@ pub async fn handle_auth( } } -pub async fn handle_upload( - _app: App, - _token: SessionToken, -) -> Result, Error> { - println!("handle_upload"); - Response::builder() - .status(StatusCode::NOT_IMPLEMENTED) - .body("".to_owned()) +pub async fn handle_upload(app: App, token: SessionToken) -> Result, Error> { + match app.validate_session(token).await { + Ok(Some(_)) => Response::builder() + .status(StatusCode::NOT_IMPLEMENTED) + .body("".to_owned()), + _ => Response::builder() + .status(StatusCode::UNAUTHORIZED) + .body("".to_owned()), + } } fn serve_file( diff --git a/file-service/src/main.rs b/file-service/src/main.rs index 6918cbc..7cc8711 100644 --- a/file-service/src/main.rs +++ b/file-service/src/main.rs @@ -159,26 +159,25 @@ fn with_app(app: App) -> impl Filter + Clo warp::any().map(move || app.clone()) } +fn parse_cookies(cookie_str: &str) -> Result, cookie::ParseError> { + Cookie::split_parse(cookie_str) + .map(|c| c.map(|c| (c.name().to_owned(), c.value().to_owned()))) + .collect::, cookie::ParseError>>() +} + +fn get_session_token(cookies: HashMap) -> Option { + cookies + .get("session") + .cloned() + .and_then(|session| Some(SessionToken::from(session))) +} + fn maybe_with_session() -> impl Filter,), Error = Rejection> + Copy { warp::any() .and(warp::header::optional::("cookie")) - .map(|cookies| match cookies { - Some(cookies) => { - let c = Cookie::split_parse(cookies) - .collect::, cookie::ParseError>>(); - match c { - Ok(cookies) => { - for c in cookies { - if c.name() == "session" { - return Some(SessionToken::from(c.value())); - } - } - None - } - Err(_) => None, - } - } + .map(|cookie_str: Option| match cookie_str { + Some(cookie_str) => parse_cookies(&cookie_str).ok().and_then(get_session_token), None => None, }) } @@ -186,7 +185,12 @@ fn maybe_with_session() -> impl Filter,), Error fn with_session() -> impl Filter + Copy { warp::any() .and(warp::header::("cookie")) - .map(|token: String| SessionToken::from(token)) + .and_then(|cookie_str: String| async move { + match parse_cookies(&cookie_str).ok().and_then(get_session_token) { + Some(session_token) => Ok(session_token), + None => Err(warp::reject()), + } + }) } #[tokio::main] @@ -220,7 +224,7 @@ pub async fn main() { .and(warp::filters::body::form()) .then(handle_auth); - let upload_handler = warp::path!("upload") + let upload_via_form = warp::path!("upload") .and(warp::post()) .and(with_app(app.clone())) .and(with_session()) @@ -239,13 +243,13 @@ pub async fn main() { .then(move |id, old_etags, app: App| file(app, id, old_etags)); let server = warp::serve( - root.or(auth).with(log), /* - root.or(auth) - .or(thumbnail) - .or(file) - .or(upload_handler) - .with(log), - */ + root.or(auth).or(upload_via_form).with(log), /* + root.or(auth) + .or(thumbnail) + .or(file) + .or(upload_handler) + .with(log), + */ ); server