summaryrefslogtreecommitdiff
path: root/src/api/auth/account.rs
diff options
context:
space:
mode:
authorpennae <github@quasiparticle.net>2022-07-17 09:45:23 +0200
committerpennae <github@quasiparticle.net>2022-07-17 17:24:24 +0200
commitc1451924d88d146c7dc00c01d8c5f248978001b2 (patch)
treea9649df4c3e700724fef23fd20a8bb2154aa5472 /src/api/auth/account.rs
parentd4ed52e48eb52566dab91080eb25d8979fbb7d3e (diff)
downloadminor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.tar.gz
minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.tar.xz
minor-skulk-c1451924d88d146c7dc00c01d8c5f248978001b2.zip
don't use SecretBytes in HawkKey/SecretKey
Diffstat (limited to 'src/api/auth/account.rs')
-rw-r--r--src/api/auth/account.rs24
1 files changed, 13 insertions, 11 deletions
diff --git a/src/api/auth/account.rs b/src/api/auth/account.rs
index 51dd98e..0f12d49 100644
--- a/src/api/auth/account.rs
+++ b/src/api/auth/account.rs
@@ -103,7 +103,8 @@ pub(crate) async fn create(
ka: ka.clone(),
wrap_kb: stretched.decrypt_wwkb(&wrapwrap_kb),
});
- db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key), &wrapped).await?;
+ db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped)
+ .await?;
Some(key_fetch_token)
} else {
None
@@ -112,8 +113,8 @@ pub(crate) async fn create(
.add_user(User {
auth_salt,
email: data.email.to_owned(),
- ka: SecretKey(ka),
- wrapwrap_kb: SecretKey(wrapwrap_kb),
+ ka: SecretKey(ka.0),
+ wrapwrap_kb: SecretKey(wrapwrap_kb.0),
verify_hash: VerifyHash(verify_hash),
display_name: None,
verified: false,
@@ -121,7 +122,7 @@ pub(crate) async fn create(
.await?;
let session_id = SessionID(session.token_id.0);
let auth_at = db
- .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key), false, None)
+ .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None)
.await?;
let verify_code = hex::encode(&SecretBytes::<16>::generate().0);
db.add_verify_code(&uid, &session_id, &verify_code).await?;
@@ -205,10 +206,11 @@ pub(crate) async fn login(
let key_fetch_token = SecretBytes::generate();
let req = KeyFetchReq::from_token(&key_fetch_token);
let wrapped = req.derive_resp().wrap_keys(&KeyBundle {
- ka: user.ka.0.clone(),
- wrap_kb: stretched.decrypt_wwkb(&user.wrapwrap_kb.0),
+ ka: SecretBytes(user.ka.0),
+ wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)),
});
- db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key), &wrapped).await?;
+ db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped)
+ .await?;
Some(key_fetch_token)
} else {
None
@@ -220,7 +222,7 @@ pub(crate) async fn login(
.add_session(
session_id.clone(),
&uid,
- HawkKey(session.req_hmac_key),
+ HawkKey(session.req_hmac_key.0),
false,
Some(&verify_code),
)
@@ -312,7 +314,7 @@ impl AuthSource for WithKeyFetch {
async fn hawk(r: &Request<'_>, id: &KeyFetchID) -> Result<(SecretBytes<32>, Self::Context)> {
let db = Authenticated::<(), Self>::get_conn(r).await?;
db.always_commit().await?;
- Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (h.0, ks))?)
+ Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (SecretBytes(h.0), ks))?)
}
async fn bearer_token(_: &Request<'_>, _: &OauthToken) -> Result<(KeyFetchID, Self::Context)> {
// key fetch tokens are only valid in hawk requests
@@ -346,7 +348,7 @@ impl AuthSource for WithResetToken {
.await
.success_or_else(|| anyhow!("could not open db connection"))?;
let db = pool.begin().await?;
- let result = db.finish_account_reset(id).await.map(|(h, ctx)| (h.0, ctx))?;
+ let result = db.finish_account_reset(id).await.map(|(h, ctx)| (SecretBytes(h.0), ctx))?;
db.commit().await?;
Ok(result)
}
@@ -390,7 +392,7 @@ pub(crate) async fn reset(
let stretched = data.body.authPW.stretch(auth_salt.as_salt())?;
let verify_hash = stretched.verify_hash();
- db.reset_user_auth(&data.context, auth_salt, SecretKey(wrapwrap_kb), VerifyHash(verify_hash))
+ db.reset_user_auth(&data.context, auth_salt, SecretKey(wrapwrap_kb.0), VerifyHash(verify_hash))
.await?;
defer.spawn_after_success("api::auth/account/reset(post)", {