fix: sessions and enhance security for prod builds
Some checks failed
ci/woodpecker/pr/cargo_check Pipeline was successful
ci/woodpecker/pr/cargo_clippy Pipeline was successful
ci/woodpecker/pr/cargo_test Pipeline was successful
ci/woodpecker/pr/check_fmt Pipeline failed

Mika 2025-04-09 11:52:23 +02:00
parent fe87593b9b
commit e80e4c50bf
3 changed files with 39 additions and 8 deletions


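--- /dev/null
+++ b/[path-not-on-page: bruno request file]
@@ -0,0 +1,11 @@
+meta {
+name: Logout User
+type: http
+seq: 5
+}
+post {
+url: {{api_base}}/auth/logout
+body: none
+auth: inherit
+}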


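--- a/[path-not-on-page: login controller module]
+++ b/[path-not-on-page: login controller module]
@@ -1,12 +1,12 @@
 use actix_session::Session;
 use actix_web::{
-post,
+HttpRequest, HttpResponse, Responder, post,
 web::{self, ServiceConfig},
-HttpResponse, Responder,
 };
+use log::debug;
 use serde::Deserialize;
-use crate::{error::ApiError, Database};
+use crate::{Database, error::ApiError};
 #[derive(Deserialize)]
 struct LoginRequest {
@@ -15,7 +15,7 @@ struct LoginRequest {
 }
 pub fn setup(cfg: &mut ServiceConfig) {
-cfg.service(login);
+cfg.service(login).service(logout);
 }
 #[post("/login")]
@@ -34,3 +34,12 @@ async fn login(
 Ok(HttpResponse::Ok())
 }
+#[post("/logout")]
+async fn logout(session: Session, request: HttpRequest) -> Result<impl Responder, ApiError> {
+debug!("request cookies: {:?}", request.cookies());
+debug!("Session entries: {:?}", session.entries());
+session.purge();
+debug!("Session entries after purge: {:?}", session.entries());
+Ok(HttpResponse::Ok().body("Logged out successfully"))
+}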
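Review bot: The three `debug!` calls in `logout` write the raw request cookies and the full session contents to the log, so the session cookie (a bearer credential) and whatever the session stores land in log files and aggregators whenever the debug level is on. Log non-sensitive metadata instead, e.g. replace the two lines before `session.purge()` with `debug!("purging session with {} entries", session.entries().len());` and drop the post-purge dump, which only restates what `purge()` does. Once the cookie log is gone the `request: HttpRequest` parameter (and the `HttpRequest` import added in the first hunk) is unused and can be removed. The rest of this file, including `login`, is outside the hunk.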


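--- a/[path-not-on-page: file with async fn main]
+++ b/[path-not-on-page: file with async fn main]
@@ -1,5 +1,7 @@
 use actix_files::NamedFile;
+use actix_session::Session;
 use actix_session::{SessionMiddleware, storage::RedisSessionStore};
+use actix_web::cookie::SameSite;
 use actix_web::{App, HttpResponse, HttpServer, cookie::Key, middleware::Logger, web};
 use log::debug;
@@ -40,14 +42,23 @@ async fn main() -> std::io::Result<()> {
 debug!("Secret Key {:?}", secret_key.master());
 HttpServer::new(move || {
+let session_middleware = SessionMiddleware::builder(redis_conn.clone(), secret_key.clone());
+let session_middleware = if cfg!(debug_assertions) {
+session_middleware.cookie_secure(false)
+} else {
+session_middleware
+.cookie_same_site(SameSite::Strict)
+.cookie_secure(true)
+};
+let session_middleware = session_middleware.build();
 let app = App::new()
 .app_data(web::Data::new(database.clone()))
 .app_data(web::Data::new(app_config.clone()))
 .wrap(Logger::default())
-.wrap(SessionMiddleware::new(
-redis_conn.clone(),
-secret_key.clone(),
-))
+.wrap(session_middleware)
 .service(web::scope("/api/v1").configure(controller::register_controllers));
 #[cfg(feature = "serve")]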
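Review bot: The debug branch of the `if cfg!(debug_assertions)` block sets only `cookie_secure(false)` and leaves `SameSite` at the builder's default, so the two profiles differ in more than the Secure flag and the dev policy is never stated; make it explicit, `session_middleware.cookie_secure(false).cookie_same_site(SameSite::Lax)`, so that the only intended difference is that dev runs over plain http. Note that `cfg!(debug_assertions)` is a compile-time profile flag rather than an environment signal: any build whose profile enables debug assertions ships non-Secure cookies, so a runtime switch (e.g. from `app_config`, if that type carries environment info — not visible here) would be a safer selector. The context line `debug!("Secret Key {:?}", secret_key.master())` predates this commit but prints the cookie key material to the log and belongs in the same security pass. `use actix_session::Session;` added in the first hunk is not referenced in the visible lines; if nothing outside the hunk uses it, it is an unused import. The body of `main` continues outside the hunk.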