feat: do not unwrap cookies in guards, use private cookies

2026-06-16 13:01:13 +00:00 · 2022-11-07 13:56:25 +01:00 · 2022-11-07 13:56:25 +01:00 · 0cf6c4418d
commit 0cf6c4418d
parent 6f608fc8df
4 changed files with 23 additions and 10 deletions
--- a/api/src/guards/request/auth/admin.rs
+++ b/api/src/guards/request/auth/admin.rs
@ -19,7 +19,14 @@ impl Into<Admin> for AdminAuth {
 impl<'r> FromRequest<'r> for AdminAuth {
    type Error = Option<String>;
    async fn from_request(req: &'r Request<'_>) -> Outcome<AdminAuth, (Status, Self::Error), ()> {
-        let session_id = req.cookies().get("id").unwrap().name_value().1;
+        let cookie = req.cookies().get_private("id");
+
+        let Some(cookie) = cookie else {
+            return Outcome::Failure((Status::Unauthorized, None));
+        };
+
+        let session_id = cookie.name_value().1;
+        
        let conn = &req.rocket().state::<Db>().unwrap().conn;

        let uuid = match Uuid::parse_str(&session_id) {
--- a/api/src/guards/request/auth/candidate.rs
+++ b/api/src/guards/request/auth/candidate.rs
@ -14,12 +14,21 @@ impl Into<Candidate> for CandidateAuth {
        self.0
    }
 }
-    
+
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for CandidateAuth {
    type Error = Option<String>;
-    async fn from_request(req: &'r Request<'_>) -> Outcome<CandidateAuth, (Status, Self::Error), ()> {
-        let session_id = req.cookies().get("id").unwrap().name_value().1;
+    async fn from_request(
+        req: &'r Request<'_>,
+    ) -> Outcome<CandidateAuth, (Status, Self::Error), ()> {
+        let cookie = req.cookies().get_private("id");
+
+        let Some(cookie) = cookie else {
+            return Outcome::Failure((Status::Unauthorized, None));
+        };
+
+        let session_id = cookie.name_value().1;
+
        let conn = &req.rocket().state::<Db>().unwrap().conn;

        let uuid = match Uuid::parse_str(&session_id) {
@ -33,6 +42,5 @@ impl<'r> FromRequest<'r> for CandidateAuth {
            Ok(model) => Outcome::Success(CandidateAuth(model)),
            Err(_) => Outcome::Failure((Status::Unauthorized, None)),
        }
-
    }
-}
+}
--- a/api/src/routes/admin.rs
+++ b/api/src/routes/admin.rs
@ -38,8 +38,7 @@ pub async fn login(
        ));
    } else {
        let session_token = session_token.unwrap();
-        // Todo: Add private?
-        cookies.add(Cookie::new("id", session_token.clone()));
+        cookies.add_private(Cookie::new("id", session_token.clone()));

        return Ok(session_token);
    }
--- a/api/src/routes/candidate.rs
+++ b/api/src/routes/candidate.rs
@ -35,8 +35,7 @@ pub async fn login(
        ));
    } else {
        let session_token = session_token.unwrap();
-        // Todo: Add private?
-        cookies.add(Cookie::new("id", session_token.clone()));
+        cookies.add_private(Cookie::new("id", session_token.clone()));

        return Ok(session_token);
    }