Add back encryption of sessions

jmbaur · Jan 5, 2025 · 4319ce0 · 4319ce0
1 parent 3ef54fc
commit 4319ce0
Show file tree

Hide file tree

Showing 6 changed files with 149 additions and 36 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,7 +21,7 @@ serde_json = "1"
 tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
 tokio-rusqlite = "0.6"
 tower-http = { version = "0.6", features = ["trace"] }
-tower-sessions = "0.14.0"
+tower-sessions = { version = "0.14.0", features = ["private"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 uuid = "1"

diff --git a/flake.lock b/flake.lock
diff --git a/justfile b/justfile
@@ -26,12 +26,12 @@ build:
 update: update_usage
 	cargo update
 
-run:
+run port="8080":
 	#!/usr/bin/env bash
 	export STATE_DIRECTORY={{justfile_directory()}}/state
 	mkdir -p $STATE_DIRECTORY
 	password_file=$STATE_DIRECTORY/passwords
 	[[ -f $password_file ]] || echo user:$(printf "password" | argon2 $(openssl rand -hex 16) -id -e) > $password_file
 	session_secret_file=$STATE_DIRECTORY/session_secret
 	[[ -f $session_secret_file ]] || openssl rand -hex 64 > $session_secret_file
-	cargo watch --exec "run -- --rp-id=localhost --rp-origin=http://localhost:8080 --password-file=$password_file --session-secret-file=$session_secret_file"
+	cargo watch --exec "run -- --address=[::]:{{port}} --rp-id=localhost --rp-origin=http://localhost:{{port}} --password-file=$password_file --session-secret-file=$session_secret_file"
diff --git a/src/app.rs b/src/app.rs
@@ -294,26 +294,27 @@ impl App {
         auth_result: AuthenticationResult,
     ) -> Result<(), AppError> {
         let cred_id = serde_json::to_string(auth_result.cred_id())?;
-        let cred_id_ = cred_id.clone(); // TODO(jared): don't do this
 
         let cred_json = self
             .db
             .call(move |conn| {
                 Ok(conn.query_row(
                     r#"select value from credentials
                        where value->'$.cred.cred_id' = ?1"#,
-                    (cred_id_,),
+                    (cred_id,),
                     |row| row.get::<_, String>(0),
                 ))
             })
             .await??;
 
-        let mut credential = serde_json::from_str::<Passkey>(&cred_json)?;
-        if credential.update_credential(&auth_result).is_none() {
+        let mut passkey = serde_json::from_str::<Passkey>(&cred_json)?;
+        if passkey.update_credential(&auth_result).is_none() {
             return Err(AppError::MismatchingCredential);
         }
 
-        let cred_json = serde_json::to_string(&credential)?;
+        let cred_id = serde_json::to_string(passkey.cred_id())?;
+
+        let cred_json = serde_json::to_string(&passkey)?;
 
         _ = self
             .db

diff --git a/src/main.rs b/src/main.rs
@@ -21,7 +21,7 @@ use std::{collections::HashMap, env, net::SocketAddr, path::PathBuf, sync::Arc};
 use tokio::sync::RwLock;
 use tokio_rusqlite::Connection;
 use tower_http::trace::TraceLayer;
-use tower_sessions::SessionManagerLayer;
+use tower_sessions::{cookie::Key, SessionManagerLayer};
 use tracing::debug;
 use tracing_subscriber::{fmt, prelude::*, EnvFilter};
 use webauthn_rs::{prelude::Url, WebauthnBuilder};
@@ -99,8 +99,10 @@ async fn main() -> anyhow::Result<()> {
     let store = session::SqliteSessionStore::new(db.clone());
     store.init().await?;
 
-    // TODO(jared): std::fs::read_to_string(cli.session_secret_file)?.as_bytes(),
     let session_layer = SessionManagerLayer::new(store)
+        .with_private(Key::try_from(
+            std::fs::read_to_string(cli.session_secret_file)?.as_bytes(),
+        )?)
         .with_always_save(false)
         .with_domain(cli.rp_id);