From 5d7f509f1a98c2d45870e3877b4d7bfa756d2d2a Mon Sep 17 00:00:00 2001 From: pennae Date: Sun, 17 Jul 2022 13:21:16 +0200 Subject: use HawkKey everywhere hawk keys are handled the db already does this, crypto did not. --- src/api/auth/account.rs | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) (limited to 'src/api/auth/account.rs') diff --git a/src/api/auth/account.rs b/src/api/auth/account.rs index c0c2099..bff2a66 100644 --- a/src/api/auth/account.rs +++ b/src/api/auth/account.rs @@ -15,14 +15,14 @@ use crate::crypto::{KeyFetchToken, SessionToken}; use crate::db::{Db, DbConn}; use crate::mailer::Mailer; use crate::push::PushClient; -use crate::types::AccountResetID; +use crate::types::{AccountResetID, HawkKey}; use crate::utils::DeferAction; use crate::Config; use crate::{ api::{auth, serialize_dt}, auth::{AuthSource, Authenticated}, crypto::{AuthPW, KeyBundle, KeyFetchReq, SecretBytes, SessionCredentials}, - types::{HawkKey, KeyFetchID, OauthToken, SecretKey, User, UserID, VerifyHash}, + types::{KeyFetchID, OauthToken, SecretKey, User, UserID, VerifyHash}, }; // TODO better error handling @@ -104,7 +104,7 @@ pub(crate) async fn create( ka: ka.clone(), wrap_kb: stretched.decrypt_wwkb(&wrapwrap_kb), }); - db.add_key_fetch(req.token_id, &HawkKey(req.req_hmac_key.0), &wrapped).await?; + db.add_key_fetch(req.token_id, &req.req_hmac_key, &wrapped).await?; Some(key_fetch_token) } else { None @@ -120,9 +120,8 @@ pub(crate) async fn create( verified: false, }) .await?; - let auth_at = db - .add_session(session.token_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None) - .await?; + let auth_at = + db.add_session(session.token_id.clone(), &uid, session.req_hmac_key, false, None).await?; let verify_code = hex::encode(&SecretBytes::<16>::generate().0); db.add_verify_code(&uid, &session.token_id, &verify_code).await?; // NOTE we send the email in this context rather than a spawn to signal @@ -208,7 +207,7 @@ pub(crate) async fn login( ka: SecretBytes(user.ka.0), wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)), }); - db.add_key_fetch(req.token_id, &HawkKey(req.req_hmac_key.0), &wrapped).await?; + db.add_key_fetch(req.token_id, &req.req_hmac_key, &wrapped).await?; Some(key_fetch_token) } else { None @@ -219,7 +218,7 @@ pub(crate) async fn login( .add_session( session.token_id.clone(), &uid, - HawkKey(session.req_hmac_key.0), + session.req_hmac_key, false, Some(&verify_code), ) @@ -308,10 +307,10 @@ pub(crate) struct WithKeyFetch; impl AuthSource for WithKeyFetch { type ID = KeyFetchID; type Context = Vec; - async fn hawk(r: &Request<'_>, id: &KeyFetchID) -> Result<(SecretBytes<32>, Self::Context)> { + async fn hawk(r: &Request<'_>, id: &KeyFetchID) -> Result<(HawkKey, Self::Context)> { let db = Authenticated::<(), Self>::get_conn(r).await?; db.always_commit().await?; - Ok(db.finish_key_fetch(id).await.map(|(h, ks)| (SecretBytes(h.0), ks))?) + Ok(db.finish_key_fetch(id).await?) } async fn bearer_token(_: &Request<'_>, _: &OauthToken) -> Result<(KeyFetchID, Self::Context)> { // key fetch tokens are only valid in hawk requests @@ -335,17 +334,14 @@ pub(crate) struct WithResetToken; impl AuthSource for WithResetToken { type ID = AccountResetID; type Context = UserID; - async fn hawk( - r: &Request<'_>, - id: &AccountResetID, - ) -> Result<(SecretBytes<32>, Self::Context)> { + async fn hawk(r: &Request<'_>, id: &AccountResetID) -> Result<(HawkKey, Self::Context)> { // unlike key fetch we'll use a separate transaction here since the body of the // handler can fail. let pool = <&Db as FromRequest>::from_request(r) .await .success_or_else(|| anyhow!("could not open db connection"))?; let db = pool.begin().await?; - let result = db.finish_account_reset(id).await.map(|(h, ctx)| (SecretBytes(h.0), ctx))?; + let result = db.finish_account_reset(id).await?; db.commit().await?; Ok(result) } -- cgit v1.2.3