diff --git a/nixin_farm_ssr/src/controllers/home.rs b/nixin_farm_ssr/src/controllers/home.rs
index d0b3e06..6a8bd27 100644
--- a/nixin_farm_ssr/src/controllers/home.rs
+++ b/nixin_farm_ssr/src/controllers/home.rs
@@ -11,7 +11,7 @@ use axum::{
 //Json,
 http::{StatusCode, header::{self, HeaderValue, HeaderMap}},
 Form};
-use axum_extra::extract::cookie::{CookieJar, Cookie};
+use axum_extra::extract::cookie::{CookieJar, Cookie, SameSite};
 use serde::{Deserialize, Serialize};
 use loco_rs::{
@@ -183,10 +183,6 @@ pub async fn do_login(
 else {
 return Ok((jar, views::home::error(&v,"Login failed: invalid email or password")));
 };
- let mut headers = HeaderMap::new();
- //ToDo: modifiy below to avoid using ugly unwrap
- headers.insert(header::AUTHORIZATION, HeaderValue::from_str(&token).unwrap());
- headers.insert("HX-Location", "/".parse().unwrap());
 // We do not really need to return the index view in the response body
 // because the HX-Location header will trigger htmx to fetch it from
@@ -195,12 +191,32 @@ pub async fn do_login(
 // on java script disabled clients.
 // See do_register() for an implementation of htmx redirect with
 // an empty body
+
+ // Also we tried returning the JWT token both in an authorisation header
+ // But only the cookie version is working. Web browsers do not seem to be
+ // able to get the token from the header to send it back.
+ // Anyway, using a cookie, with attributes Secure, HttpOnly and
+ // SameSite=Strict is the recommended way to send the JWT tokens nowaday
+ // to avoid XSS and CSRF attacks
+ // ToDo: manage reset token
+
+ //ToDo: modifiy below to avoid using ugly unwraps
+
+ let mut headers = HeaderMap::new();
+ //headers.insert(header::AUTHORIZATION, HeaderValue::from_str(&format!("Bearer {}", token)).unwrap());
+ headers.insert("HX-Location", "/".parse().unwrap());
+ //This is how to set the token cookie without using the CookieJar :
+ //headers.insert(header::SET_COOKIE, HeaderValue::from_str(&format!("token={}; Secure; HttpOnly; SameSite=Strict", token)).unwrap());
+
 let index_view = views::home::index(&v,&user).unwrap();
- // Also we are returning the JWT token both in a header and in a cookie
- // This is also done for test purposes only.
- // Only one of these should be done, the one used in the auth configuration.
+
+ let mut cookie = Cookie::new("token", token);
+ cookie.set_secure(true);
+ cookie.set_http_only(true);
+ cookie.set_same_site(SameSite::Strict);
+
 Ok((
- jar.add(Cookie::new("token", token)),
+ jar.add(cookie),
 Ok((headers, index_view).into_response()),))
 }
 _ => {
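Review bot: The new cookie block sets Secure, HttpOnly and SameSite=Strict but never sets a Path, so the browser applies the default-path rule (the directory of the URL that served do_login); if this handler is mounted anywhere below `/`, the cookie will not accompany the `HX-Location: /` follow-up or any other route, and the hunk does not show where the route is mounted. I would add `cookie.set_path("/");` next to `set_same_site`, and, if the cookie name read by the auth extractor is configurable, rename it to `__Host-token` so the browser itself enforces Secure, Path=/ and no Domain attribute. The added comment overstates what the attributes buy: HttpOnly keeps the token out of reach of injected script (it limits theft via XSS, it does not prevent XSS) and SameSite=Strict only stops cross-site requests from carrying the cookie, so I would reword it to `// HttpOnly keeps the token out of script reach, Secure keeps it off plain HTTP, SameSite=Strict stops cross-site requests from sending it (CSRF).` Separately, `views::home::index(&v,&user).unwrap()` sits in a handler that already returns a Result on the else path, so a template failure panics the request instead of producing an error response; `?` (or a `map_err` into the handler's error type, which is not visible in this hunk) would be the safer form. do_login starts and ends outside this hunk.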