secure the jwt token cookie

2024-10-23 23:39:01 +02:00 · 2024-10-23 23:39:01 +02:00 · a73851d26f
commit a73851d26f
parent 09bf058c05
1 changed files with 25 additions and 9 deletions
--- a/nixin_farm_ssr/src/controllers/home.rs
+++ b/nixin_farm_ssr/src/controllers/home.rs
@ -11,7 +11,7 @@ use axum::{
    //Json,
    http::{StatusCode, header::{self, HeaderValue, HeaderMap}},
    Form};
-use axum_extra::extract::cookie::{CookieJar, Cookie};
+use axum_extra::extract::cookie::{CookieJar, Cookie, SameSite};

 use serde::{Deserialize, Serialize};
 use loco_rs::{
@ -183,10 +183,6 @@ pub async fn do_login(
                else {
                    return Ok((jar, views::home::error(&v,"Login failed: invalid email or password")));
                };
-                let mut headers = HeaderMap::new();
-                //ToDo: modifiy below to avoid using ugly unwrap
-                headers.insert(header::AUTHORIZATION, HeaderValue::from_str(&token).unwrap());
-                headers.insert("HX-Location", "/".parse().unwrap());

                // We do not really need to return the index view in the response body
                // because the HX-Location header will trigger htmx to fetch it from 
@ -195,12 +191,32 @@ pub async fn do_login(
                // on java script disabled clients.
                // See do_register() for an implementation of htmx redirect with
                // an empty body
+
+                // Also we tried returning the JWT token both in an authorisation header
+                // But only the cookie version is working. Web browsers do not seem to be 
+                // able to get the token from the header to send it back.
+                // Anyway, using a cookie, with attributes Secure, HttpOnly and 
+                // SameSite=Strict is the recommended way to send the JWT tokens nowaday
+                // to avoid XSS and CSRF attacks
+                // ToDo: manage reset token
+
+                //ToDo: modifiy below to avoid using ugly unwraps
+
+                let mut headers = HeaderMap::new();
+                //headers.insert(header::AUTHORIZATION, HeaderValue::from_str(&format!("Bearer {}", token)).unwrap());
+                headers.insert("HX-Location", "/".parse().unwrap());
+                //This is how to set the token cookie without using the CookieJar :
+                //headers.insert(header::SET_COOKIE, HeaderValue::from_str(&format!("token={}; Secure; HttpOnly; SameSite=Strict", token)).unwrap());
+                
                let index_view = views::home::index(&v,&user).unwrap();
-                // Also we are returning the JWT token both in a header and in a cookie
-                // This is also done for test purposes only.
-                // Only one of these should be done, the one used in the auth configuration.
+
+                let mut cookie = Cookie::new("token", token);
+                cookie.set_secure(true);
+                cookie.set_http_only(true);
+                cookie.set_same_site(SameSite::Strict);
+
                Ok((
-                jar.add(Cookie::new("token", token)),
+                jar.add(cookie),
                Ok((headers, index_view).into_response()),))
        }
        _ => {