code002lover/game_list
1
0
Fork 0
Code Issues 1 Pull Requests 10 Actions Packages Projects Releases Wiki Activity

Compare commits

base: code002lover:355c719ae67525923667aba33445781f0fe2eaa8
Branches Tags
code002lover:master
code002lover:renovate/node-24.x-lockfile
code002lover:renovate/typescript-eslint-monorepo
code002lover:renovate/ts-proto-2.x-lockfile
code002lover:renovate/react-router-monorepo
code002lover:renovate/react-monorepo
code002lover:renovate/bufbuild-protobuf-2.x-lockfile
code002lover:renovate/bincode-3.x
code002lover:renovate/globals-17.x
code002lover:renovate/bcrypt-0.x
code002lover:renovate/vite-7.x
..
compare: code002lover:022b662d8b5d0ebc4d598c023b9f6098c408fe0a
Branches Tags
code002lover:renovate/node-24.x-lockfile
code002lover:renovate/typescript-eslint-monorepo
code002lover:renovate/ts-proto-2.x-lockfile
code002lover:renovate/react-router-monorepo
code002lover:renovate/react-monorepo
code002lover:renovate/bufbuild-protobuf-2.x-lockfile
code002lover:renovate/bincode-3.x
code002lover:renovate/globals-17.x
code002lover:renovate/bcrypt-0.x
code002lover:renovate/vite-7.x
code002lover:master

2 Commits
355c719ae6 ... 022b662d8b

Author SHA1 Message Date
Renovate Bot
022b662d8b Update dependency globals to v17 2026-01-19 17:04:39 +00:00
code002lover
f3dba4c483 remove csrf 2026-01-19 17:15:34 +01:00
5 changed files with 0 additions and 127 deletions
Show Stats Expand all files Collapse all files

12
backend/src/auth.rs
View File

@ -1,10 +1,8 @@
use crate::auth_persistence::AuthStorage; use crate::auth_persistence::AuthStorage;
use crate::csrf::{CsrfState, set_csrf_cookie};
use crate::items; use crate::items;
use crate::proto_utils::Proto; use crate::proto_utils::Proto;
use rocket::State; use rocket::State;
use rocket::futures::lock::Mutex; use rocket::futures::lock::Mutex;
use rocket::http::CookieJar;
use std::collections::{HashMap, HashSet}; use std::collections::{HashMap, HashSet};
use uuid::Uuid; use uuid::Uuid;
@ -130,9 +128,7 @@ impl<'r> rocket::request::FromRequest<'r> for AdminToken {
#[post("/login", data = "<request>")] #[post("/login", data = "<request>")]
pub async fn login( pub async fn login(
state: &State<AuthState>, state: &State<AuthState>,
csrf_state: &State<CsrfState>,
user_list: &State<Mutex<Vec<crate::User>>>, user_list: &State<Mutex<Vec<crate::User>>>,
jar: &CookieJar<'_>,
request: Proto<items::LoginRequest>, request: Proto<items::LoginRequest>,
) -> items::LoginResponse { ) -> items::LoginResponse {
let req = request.into_inner(); let req = request.into_inner();
@ -148,9 +144,6 @@ pub async fn login(
tokens.insert(token.clone(), req.username.clone()); tokens.insert(token.clone(), req.username.clone());
state.storage.save_tokens(&tokens); state.storage.save_tokens(&tokens);
let csrf_token = csrf_state.generate_token();
set_csrf_cookie(jar, &csrf_token);
return items::LoginResponse { return items::LoginResponse {
token, token,
success: true, success: true,
@ -191,8 +184,6 @@ pub async fn logout(
pub async fn get_auth_status( pub async fn get_auth_status(
state: &State<AuthState>, state: &State<AuthState>,
admin_state: &State<AdminState>, admin_state: &State<AdminState>,
csrf_state: &State<CsrfState>,
jar: &CookieJar<'_>,
request: Proto<items::AuthStatusRequest>, request: Proto<items::AuthStatusRequest>,
) -> items::AuthStatusResponse { ) -> items::AuthStatusResponse {
let req = request.into_inner(); let req = request.into_inner();
@ -202,9 +193,6 @@ pub async fn get_auth_status(
let admins = admin_state.admins.lock().await; let admins = admin_state.admins.lock().await;
let is_admin = crate::store::is_admin(username, &admins); let is_admin = crate::store::is_admin(username, &admins);
let csrf_token = csrf_state.generate_token();
set_csrf_cookie(jar, &csrf_token);
items::AuthStatusResponse { items::AuthStatusResponse {
authenticated: true, authenticated: true,
username: username.clone(), username: username.clone(),

95
backend/src/csrf.rs
View File

@ -1,95 +0,0 @@
use rocket::Build;
use rocket::Request;
use rocket::Rocket;
use rocket::fairing::{Fairing, Info, Kind};
use rocket::http::{Cookie, CookieJar, SameSite, Status};
use rocket::request::{FromRequest, Outcome};
use std::collections::HashSet;
use std::sync::Arc;
use uuid::Uuid;
const CSRF_COOKIE_NAME: &str = "csrf_token";
const CSRF_HEADER_NAME: &str = "X-CSRF-Token";
const CSRF_EXPIRATION_HOURS: u64 = 24;
#[derive(Clone)]
pub struct CsrfToken(pub String);
#[derive(Clone)]
pub struct CsrfState {
tokens: Arc<std::sync::Mutex<HashSet<String>>>,
}
impl CsrfState {
pub fn new() -> Self {
Self {
tokens: Arc::new(std::sync::Mutex::new(HashSet::new())),
}
}
pub fn generate_token(&self) -> String {
let token = Uuid::new_v4().to_string();
self.tokens.lock().unwrap().insert(token.clone());
token
}
pub fn validate_token(&self, token: &str) -> bool {
self.tokens.lock().unwrap().remove(token)
}
}
impl Default for CsrfState {
fn default() -> Self {
Self::new()
}
}
#[rocket::async_trait]
impl<'r> FromRequest<'r> for CsrfToken {
type Error = ();
async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
let header_token = request.headers().get_one(CSRF_HEADER_NAME);
let cookie_jar = request.guard::<&CookieJar<'_>>().await;
let cookie_token = match cookie_jar {
Outcome::Success(jar) => jar
.get(CSRF_COOKIE_NAME)
.map(|c: &Cookie<'_>| c.value().to_string()),
_ => None,
};
match (header_token, cookie_token) {
(Some(header), Some(cookie)) if header == cookie => {
Outcome::Success(CsrfToken(header.to_string()))
}
_ => Outcome::Error((Status::Forbidden, ())),
}
}
}
pub struct CsrfFairing;
#[rocket::async_trait]
impl Fairing for CsrfFairing {
fn info(&self) -> Info {
Info {
name: "CSRF Protection",
kind: Kind::Ignite,
}
}
async fn on_ignite(&self, rocket: Rocket<Build>) -> Result<Rocket<Build>, Rocket<Build>> {
Ok(rocket.manage(CsrfState::new()))
}
}
pub fn set_csrf_cookie(jar: &CookieJar<'_>, token: &str) {
jar.add(
Cookie::build((CSRF_COOKIE_NAME, token.to_owned()))
.http_only(true)
.same_site(SameSite::Strict)
.max_age(rocket::time::Duration::hours(CSRF_EXPIRATION_HOURS as i64))
.path("/"),
);
}

2
backend/src/lib.rs
View File

@ -7,13 +7,11 @@ pub mod items {
pub mod auth; pub mod auth;
pub mod auth_persistence; pub mod auth_persistence;
pub mod csrf;
pub mod proto_utils; pub mod proto_utils;
pub mod security_headers; pub mod security_headers;
pub mod store; pub mod store;
pub mod validation; pub mod validation;
pub use auth::AdminState; pub use auth::AdminState;
pub use csrf::{CsrfFairing, CsrfState, CsrfToken, set_csrf_cookie};
pub use security_headers::SecurityHeaders; pub use security_headers::SecurityHeaders;
pub use store::User; pub use store::User;

8
backend/src/main.rs
View File

@ -4,7 +4,6 @@ use rocket::futures::lock::Mutex;
use backend::auth; use backend::auth;
use backend::auth::AdminState; use backend::auth::AdminState;
use backend::csrf::{CsrfFairing, CsrfToken};
use backend::items::{self, Game}; use backend::items::{self, Game};
use backend::proto_utils; use backend::proto_utils;
use backend::security_headers::SecurityHeaders; use backend::security_headers::SecurityHeaders;
@ -90,7 +89,6 @@ async fn get_games(
#[post("/game", data = "<game>", rank = 1)] #[post("/game", data = "<game>", rank = 1)]
async fn add_game( async fn add_game(
_token: auth::Token, _token: auth::Token,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>, game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>, user_list: &rocket::State<Mutex<Vec<User>>>,
game: proto_utils::Proto<items::Game>, game: proto_utils::Proto<items::Game>,
@ -133,7 +131,6 @@ async fn add_game(
#[patch("/game", data = "<game>", rank = 1)] #[patch("/game", data = "<game>", rank = 1)]
async fn update_game( async fn update_game(
_token: auth::AdminToken, _token: auth::AdminToken,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>, game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>, user_list: &rocket::State<Mutex<Vec<User>>>,
game: proto_utils::Proto<items::Game>, game: proto_utils::Proto<items::Game>,
@ -196,7 +193,6 @@ async fn update_game(
#[delete("/game/<title>", rank = 1)] #[delete("/game/<title>", rank = 1)]
async fn delete_game( async fn delete_game(
_token: auth::AdminToken, _token: auth::AdminToken,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>, game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>, user_list: &rocket::State<Mutex<Vec<User>>>,
title: &str, title: &str,
@ -227,7 +223,6 @@ async fn delete_game(
#[post("/refresh", rank = 1)] #[post("/refresh", rank = 1)]
async fn refresh_state( async fn refresh_state(
_token: auth::AdminToken, _token: auth::AdminToken,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>, game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>, user_list: &rocket::State<Mutex<Vec<User>>>,
admin_state: &rocket::State<AdminState>, admin_state: &rocket::State<AdminState>,
@ -256,7 +251,6 @@ async fn refresh_state(
#[post("/opinion", data = "<req>", rank = 1)] #[post("/opinion", data = "<req>", rank = 1)]
async fn add_opinion( async fn add_opinion(
token: auth::Token, token: auth::Token,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>, game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>, user_list: &rocket::State<Mutex<Vec<User>>>,
req: proto_utils::Proto<items::AddOpinionRequest>, req: proto_utils::Proto<items::AddOpinionRequest>,
@ -309,7 +303,6 @@ async fn add_opinion(
#[patch("/opinion", data = "<req>", rank = 1)] #[patch("/opinion", data = "<req>", rank = 1)]
async fn remove_opinion( async fn remove_opinion(
token: auth::Token, token: auth::Token,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>, game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>, user_list: &rocket::State<Mutex<Vec<User>>>,
req: proto_utils::Proto<items::RemoveOpinionRequest>, req: proto_utils::Proto<items::RemoveOpinionRequest>,
@ -495,7 +488,6 @@ async fn main() -> Result<(), std::io::Error> {
rocket::build() rocket::build()
.attach(SecurityHeaders) .attach(SecurityHeaders)
.attach(CsrfFairing)
.manage(Mutex::new(user_list)) .manage(Mutex::new(user_list))
.manage(auth::AuthState::new()) .manage(auth::AuthState::new())
.manage(auth::AdminState::new()) .manage(auth::AdminState::new())

10
frontend/src/api.ts
View File

@ -1,26 +1,16 @@
import { AuthStatusRequest, AuthStatusResponse } from "../items"; import { AuthStatusRequest, AuthStatusResponse } from "../items";
export const getCsrfToken = (): string | null => {
const match = document.cookie.match(/csrf_token=([^;]+)/);
return match ? decodeURIComponent(match[1]) : null;
};
export const apiFetch = async ( export const apiFetch = async (
url: string, url: string,
options: RequestInit = {} options: RequestInit = {}
): Promise<Response> => { ): Promise<Response> => {
const token = localStorage.getItem("token"); const token = localStorage.getItem("token");
const csrfToken = getCsrfToken();
const headers = new Headers(options.headers); const headers = new Headers(options.headers);
if (token) { if (token) {
headers.set("Authorization", `Bearer ${token}`); headers.set("Authorization", `Bearer ${token}`);
} }
if (csrfToken) {
headers.set("X-CSRF-Token", csrfToken);
}
const config = { const config = {
...options, ...options,
headers, headers,