From 0cf6c4418d65648f5fb4ed1fe1eafbf06b0c30cf Mon Sep 17 00:00:00 2001
From: EETagent <vojta.jungmann@gmail.com>
Date: Mon, 7 Nov 2022 13:56:25 +0100
Subject: [PATCH] feat: do not unwrap cookies in guards, use private cookies

---
 api/src/guards/request/auth/admin.rs     |  9 ++++++++-
 api/src/guards/request/auth/candidate.rs | 18 +++++++++++++-----
 api/src/routes/admin.rs                  |  3 +--
 api/src/routes/candidate.rs              |  3 +--
 4 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/api/src/guards/request/auth/admin.rs b/api/src/guards/request/auth/admin.rs
index 18ce925..0918ed7 100644
--- a/api/src/guards/request/auth/admin.rs
+++ b/api/src/guards/request/auth/admin.rs
@@ -19,7 +19,14 @@ impl Into<Admin> for AdminAuth {
 impl<'r> FromRequest<'r> for AdminAuth {
     type Error = Option<String>;
     async fn from_request(req: &'r Request<'_>) -> Outcome<AdminAuth, (Status, Self::Error), ()> {
-        let session_id = req.cookies().get("id").unwrap().name_value().1;
+        let cookie = req.cookies().get_private("id");
+
+        let Some(cookie) = cookie else {
+            return Outcome::Failure((Status::Unauthorized, None));
+        };
+
+        let session_id = cookie.name_value().1;
+        
         let conn = &req.rocket().state::<Db>().unwrap().conn;
 
         let uuid = match Uuid::parse_str(&session_id) {
diff --git a/api/src/guards/request/auth/candidate.rs b/api/src/guards/request/auth/candidate.rs
index 5b3200c..f02a1e8 100644
--- a/api/src/guards/request/auth/candidate.rs
+++ b/api/src/guards/request/auth/candidate.rs
@@ -14,12 +14,21 @@ impl Into<Candidate> for CandidateAuth {
         self.0
     }
 }
-    
+
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for CandidateAuth {
     type Error = Option<String>;
-    async fn from_request(req: &'r Request<'_>) -> Outcome<CandidateAuth, (Status, Self::Error), ()> {
-        let session_id = req.cookies().get("id").unwrap().name_value().1;
+    async fn from_request(
+        req: &'r Request<'_>,
+    ) -> Outcome<CandidateAuth, (Status, Self::Error), ()> {
+        let cookie = req.cookies().get_private("id");
+
+        let Some(cookie) = cookie else {
+            return Outcome::Failure((Status::Unauthorized, None));
+        };
+
+        let session_id = cookie.name_value().1;
+
         let conn = &req.rocket().state::<Db>().unwrap().conn;
 
         let uuid = match Uuid::parse_str(&session_id) {
@@ -33,6 +42,5 @@ impl<'r> FromRequest<'r> for CandidateAuth {
             Ok(model) => Outcome::Success(CandidateAuth(model)),
             Err(_) => Outcome::Failure((Status::Unauthorized, None)),
         }
-
     }
-}
\ No newline at end of file
+}
diff --git a/api/src/routes/admin.rs b/api/src/routes/admin.rs
index ee06626..9f4f1ba 100644
--- a/api/src/routes/admin.rs
+++ b/api/src/routes/admin.rs
@@ -38,8 +38,7 @@ pub async fn login(
         ));
     } else {
         let session_token = session_token.unwrap();
-        // Todo: Add private?
-        cookies.add(Cookie::new("id", session_token.clone()));
+        cookies.add_private(Cookie::new("id", session_token.clone()));
 
         return Ok(session_token);
     }
diff --git a/api/src/routes/candidate.rs b/api/src/routes/candidate.rs
index ccdc0df..1f2ccfb 100644
--- a/api/src/routes/candidate.rs
+++ b/api/src/routes/candidate.rs
@@ -35,8 +35,7 @@ pub async fn login(
         ));
     } else {
         let session_token = session_token.unwrap();
-        // Todo: Add private?
-        cookies.add(Cookie::new("id", session_token.clone()));
+        cookies.add_private(Cookie::new("id", session_token.clone()));
 
         return Ok(session_token);
     }