secure the jwt token cookie

This commit is contained in:
Douze Bé 2024-10-23 23:39:01 +02:00
parent 09bf058c05
commit a73851d26f


@ -11,7 +11,7 @@ use axum::{
//Json, //Json,
http::{StatusCode, header::{self, HeaderValue, HeaderMap}}, http::{StatusCode, header::{self, HeaderValue, HeaderMap}},
Form}; Form};
use axum_extra::extract::cookie::{CookieJar, Cookie}; use axum_extra::extract::cookie::{CookieJar, Cookie, SameSite};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use loco_rs::{ use loco_rs::{
@ -183,10 +183,6 @@ pub async fn do_login(
else { else {
return Ok((jar, views::home::error(&v,"Login failed: invalid email or password"))); return Ok((jar, views::home::error(&v,"Login failed: invalid email or password")));
}; };
let mut headers = HeaderMap::new();
//ToDo: modifiy below to avoid using ugly unwrap
headers.insert(header::AUTHORIZATION, HeaderValue::from_str(&token).unwrap());
headers.insert("HX-Location", "/".parse().unwrap());
// We do not really need to return the index view in the response body // We do not really need to return the index view in the response body
// because the HX-Location header will trigger htmx to fetch it from // because the HX-Location header will trigger htmx to fetch it from
@ -195,12 +191,32 @@ pub async fn do_login(
// on java script disabled clients. // on java script disabled clients.
// See do_register() for an implementation of htmx redirect with // See do_register() for an implementation of htmx redirect with
// an empty body // an empty body
// Also we tried returning the JWT token both in an authorisation header
// But only the cookie version is working. Web browsers do not seem to be
// able to get the token from the header to send it back.
// Anyway, using a cookie, with attributes Secure, HttpOnly and
// SameSite=Strict is the recommended way to send the JWT tokens nowaday
// to avoid XSS and CSRF attacks
// ToDo: manage reset token
//ToDo: modifiy below to avoid using ugly unwraps
let mut headers = HeaderMap::new();
//headers.insert(header::AUTHORIZATION, HeaderValue::from_str(&format!("Bearer {}", token)).unwrap());
headers.insert("HX-Location", "/".parse().unwrap());
//This is how to set the token cookie without using the CookieJar :
//headers.insert(header::SET_COOKIE, HeaderValue::from_str(&format!("token={}; Secure; HttpOnly; SameSite=Strict", token)).unwrap());
let index_view = views::home::index(&v,&user).unwrap(); let index_view = views::home::index(&v,&user).unwrap();
// Also we are returning the JWT token both in a header and in a cookie
// This is also done for test purposes only. let mut cookie = Cookie::new("token", token);
// Only one of these should be done, the one used in the auth configuration. cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
Ok(( Ok((
jar.add(Cookie::new("token", token)), jar.add(cookie),
Ok((headers, index_view).into_response()),)) Ok((headers, index_view).into_response()),))
} }
_ => { _ => {
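Review bot: The new cookie built at `let mut cookie = Cookie::new("token", token);` carries no Path attribute, so the browser scopes it to the directory of the login request URL; if do_login is mounted anywhere other than the root (e.g. under an /auth prefix, which is not visible here), the cookie will not be sent with the `/` navigation that the HX-Location header triggers, and a logout handler must use the identical path to clear it. Add `cookie.set_path("/");` beside the other set_* calls, and consider `cookie.set_max_age(...)` aligned with the JWT's expiry so the session cookie does not outlive the token in a long-lived browser. Two caveats deserve a comment next to the Secure/SameSite lines: `SameSite::Strict` drops the cookie on top-level navigations arriving from another site, so a user following an external link appears logged out until they click again (Lax is the usual trade-off for a session cookie), and the Secure flag means the cookie is only stored over HTTPS apart from the localhost exemption most browsers grant, so plain-HTTP development on any other host silently loses the login. The comment stating that Secure/HttpOnly/Strict "avoid XSS" overstates it: HttpOnly only stops script from reading the cookie, it does not stop an XSS payload from issuing same-origin requests that carry it, so something like `// HttpOnly hides the token from script; it does not mitigate XSS itself` would be more accurate. do_login begins before this hunk and its match continues past it.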