Switch to private cookies, and make other cookie improvements

Signed-off-by: Erin Nova <erin@the-system.eu.org>

.gitignore

@@ -1,3 +1,5 @@
 /target
 .vscode
 users.json
+message.zsh
+users_db/

Cargo.toml

@@ -7,7 +7,7 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-rocket = "0.4.10"
+rocket = { version = "0.4.10", features = ["private-cookies"] }
 serde = { version = "1.0.126", features = ["derive"] }
 serde_json = "1.0"
 sha1 = "0.6.0"

README.md

@@ -60,9 +60,12 @@ Whenever user sends a message, client will send message & token and backend will
 	- [x] Finish up `chat::create_message()`
 	- [x] Create `chat::fetch_messages()`
 	- [ ] Create `chat::delete_message()`
+- [x] Switch to using sled database to store users
 - [x] Token generation & storage
 	- [x] Sets cookie
 	- [x] Store token in json
+	- [x] Have cookie expire
+	- [x] Remove old cookie
 - [x] Pronouns
 	- [x] Set pronouns
 	- [ ] Change pronouns

src/auth.rs

@@ -98,10 +98,15 @@ pub fn check_pin(mut cookies: Cookies, name: String, pin: i32) -> JsonValue {
         if i.name == name.to_lowercase() {
             if i.pin_hashed == hashed_pin_input {
                 info!("pin correct for user {}", i.name);
+
                 // Create token for user & set a cookie
                 let token = create_token(i.name.clone(), users);
-                cookies.add(Cookie::new("token", token));
-                cookies.add(Cookie::new("user", name));
+                let cookie = Cookie::build("token", token)
+                    .path("/")
+                    .secure(true)
+                    .finish();
+                cookies.remove_private(Cookie::named("token"));
+                cookies.add_private(cookie);
                 info!("set the token cookie");
 
                 return json!({
@@ -109,6 +114,8 @@ pub fn check_pin(mut cookies: Cookies, name: String, pin: i32) -> JsonValue {
                     "reason": "pin matches",
                 });
             } else {
+                cookies.remove_private(Cookie::named("token"));
+                info!("removed private cookie");
                 warn!("pin incorrect for user {}", i.name);
                 return json!({
                     "status": "fail",
@@ -117,6 +124,8 @@ pub fn check_pin(mut cookies: Cookies, name: String, pin: i32) -> JsonValue {
             };
         };
     }
+    cookies.remove_private(Cookie::named("token"));
+    info!("removed private cookie");
     warn!(
         "cannot check pin for user {} as they do not exist",
         name.to_string().to_lowercase()

src/chat.rs

@@ -2,7 +2,8 @@
 extern crate log;
 use once_cell::sync::Lazy;
 use std::sync::Mutex;
-use crate::file_io::read_json;
+use crate::file_io::db_read;
+use rocket::http::{Cookie, Cookies};
 use crate::message::{Message, MessageInput};
 use rocket_contrib::json::{Json, JsonValue};
 use chrono::prelude::*;
@@ -60,14 +61,13 @@ fn create_message(message: Json<MessageInput>, file: &str, user: &User) -> JsonV
 }
 
 // Check if user can create the message, and then create more info about the message
-fn check_token(message: Json<MessageInput>) -> JsonValue {
+fn check_token(token: Cookie, message: Json<MessageInput<'_>>) -> JsonValue {
     // check if token is correct for name given
-    let users: Vec<User> = read_json(); // create vector out of users in json file
-
+    let users: Vec<User> = db_read(); // create vector out of users in json file
     for i in &users {
         // loop through elements
         if i.name == message.name.to_lowercase() { // if it finds the user in the file
-            if i.session_token == message.token { // if token matches
+            if i.session_token == token.value() { // if token matches
                 info!("user exists and given token matches");
                 return create_message(message, "messages.json", i);
             } else {
@@ -88,6 +88,7 @@ fn check_token(message: Json<MessageInput>) -> JsonValue {
 
 // Receive a basic message
 #[post("/message/send", format = "json", data = "<message>")]
-pub fn send_message(message: Json<MessageInput<'_>>) -> JsonValue {
-    check_token(message)
+pub fn send_message(message: Json<MessageInput<'_>>, mut cookies: Cookies) -> JsonValue {
+    let token = cookies.get_private("token").unwrap();
+    check_token(token, message)
 }

src/message.rs

@@ -8,7 +8,6 @@ pub struct MessageInput<'r> {
     pub name: &'r str,
     pub body: &'r str,
     pub date: &'r str,
-    pub token: &'r str,
 }
 
 #[derive(Debug, Deserialize, Serialize, Clone)]