bad-example.com / microcosm-links
APIs for links and references in the ATmosphere
fork atom

refresh cookie + frame headers

bad-example.com 2e5e17ad a9240e8e

+55 -31
unified split
+55 -31
who-am-i/src/server.rs
··· 4 4 extract::{FromRef, Query, State}, 5 5 http::{ 6 6 StatusCode, 7 - header::{CONTENT_TYPE, HeaderMap, REFERER}, 7 + header::{CONTENT_SECURITY_POLICY, CONTENT_TYPE, HeaderMap, REFERER, X_FRAME_OPTIONS}, 8 8 }, 9 9 response::{IntoResponse, Json, Redirect, Response}, 10 10 routing::get, ··· 29 29 30 30 const DID_COOKIE_KEY: &str = "did"; 31 31 32 + const COOKIE_EXPIRATION: Duration = Duration::from_secs(30 * 86_400); 33 + 32 34 type AppEngine = Engine<Handlebars<'static>>; 33 - type Rendered = RenderHtml<&'static str, AppEngine, Value>; 34 35 35 36 #[derive(Clone)] 36 37 struct AppState { ··· 96 97 .unwrap(); 97 98 } 98 99 99 - async fn hello(State(AppState { engine, .. }): State<AppState>) -> Rendered { 100 - RenderHtml("hello", engine, json!({})) 100 + async fn hello( 101 + State(AppState { engine, .. }): State<AppState>, 102 + mut jar: SignedCookieJar, 103 + ) -> Response { 104 + // push expiry (or clean up) the current cookie 105 + if let Some(did) = jar.get(DID_COOKIE_KEY) { 106 + if let Ok(did) = Did::new(did.value_trimmed().to_string()) { 107 + jar = jar.add(cookie(&did)); 108 + } else { 109 + jar = jar.remove(DID_COOKIE_KEY); 110 + } 111 + } 112 + let frame_headers = [ 113 + (X_FRAME_OPTIONS, "deny"), 114 + (CONTENT_SECURITY_POLICY, "frame-ancestors 'none'"), 115 + ]; 116 + (frame_headers, jar, RenderHtml("hello", engine, json!({}))).into_response() 101 117 } 102 118 103 119 async fn css() -> impl IntoResponse { ··· 110 126 111 127 async fn favicon() -> impl IntoResponse { 112 128 ([(CONTENT_TYPE, "image/x-icon")], FAVICON) 129 + } 130 + 131 + fn cookie(did: &Did) -> Cookie<'static> { 132 + Cookie::build((DID_COOKIE_KEY, did.to_string())) 133 + .http_only(true) 134 + .secure(true) 135 + .same_site(SameSite::None) 136 + .max_age(COOKIE_EXPIRATION.try_into().unwrap()) 137 + .into() 113 138 } 114 139 115 140 async fn prompt( ··· 149 174 if parent_origin == "null" { 150 175 return err("Referer origin is opaque", true); 151 176 } 177 + 178 + let frame_headers = [ 179 + (X_FRAME_OPTIONS, format!("allow-from {parent_origin}")), 180 + ( 181 + CONTENT_SECURITY_POLICY, 182 + format!("frame-ancestors {parent_host}"), 183 + ), 184 + ]; 185 + 152 186 if let Some(did) = jar.get(DID_COOKIE_KEY) { 153 187 let Ok(did) = Did::new(did.value_trimmed().to_string()) else { 154 188 return err("Bad cookie", false); 155 189 }; 156 190 191 + // push cookie expiry 192 + let jar = jar.add(cookie(&did)); 193 + 157 194 let fetch_key = resolve_handles.dispatch( 158 195 { 159 196 let oauth = oauth.clone(); ··· 163 200 shutdown.child_token(), 164 201 ); 165 202 166 - RenderHtml( 167 - "prompt", 168 - engine, 169 - json!({ 170 - "did": did, 171 - "fetch_key": fetch_key, 172 - "parent_host": parent_host, 173 - "parent_origin": parent_origin, 174 - }), 175 - ) 176 - .into_response() 203 + let info = json!({ 204 + "did": did, 205 + "fetch_key": fetch_key, 206 + "parent_host": parent_host, 207 + "parent_origin": parent_origin, 208 + }); 209 + 210 + (frame_headers, jar, RenderHtml("prompt", engine, info)).into_response() 177 211 } else { 178 - RenderHtml( 179 - "prompt", 180 - engine, 181 - json!({ 182 - "parent_host": parent_host, 183 - "parent_origin": parent_origin, 184 - }), 185 - ) 186 - .into_response() 212 + let info = json!({ 213 + "parent_host": parent_host, 214 + "parent_origin": parent_origin, 215 + }); 216 + (frame_headers, RenderHtml("prompt", engine, info)).into_response() 187 217 } 188 218 } 189 219 ··· 316 346 } 317 347 }; 318 348 319 - let cookie = Cookie::build((DID_COOKIE_KEY, did.to_string())) 320 - .http_only(true) 321 - .secure(true) 322 - .same_site(SameSite::None) 323 - .max_age(std::time::Duration::from_secs(86_400).try_into().unwrap()); 324 - 325 - let jar = jar.add(cookie); 349 + let jar = jar.add(cookie(&did)); 326 350 327 351 let fetch_key = resolve_handles.dispatch( 328 352 {