Add support for rocket's "secret cookies"

2023-06-26 10:59:37 -04:00 · 2023-06-26 10:59:37 -04:00 · 792779a36d
commit 792779a36d
parent 0a197db93f
5 changed files with 108 additions and 2 deletions
--- a/server/src/api/mod.rs
+++ b/server/src/api/mod.rs
@ -8,11 +8,13 @@ pub(crate) mod update;

 use std::{
    default::default,
+    env, fs,
    net::{IpAddr, Ipv4Addr},
 };

 use crate::error::Error;
 use rocket::{
+    config::SecretKey,
    fs::{FileServer, NamedFile},
    response::stream::EventStream,
    routes, Build, Config, Rocket, State,
@ -61,6 +63,16 @@ async fn spa_index_redirect() -> ApiResult<NamedFile> {
        .map_err(Error::from)?)
 }

+fn get_secret() -> [u8; 32] {
+    let path =
+        env::var("COOKIE_SECRET_FILE").unwrap_or_else(|_| "/run/secrets/cookie-secret".into());
+    let file_contents =
+        fs::read(&path).unwrap_or_else(|err| panic!("failed to read from {path:?}: {err:?}"));
+    let mut data = [0u8; 32];
+    data.copy_from_slice(&file_contents);
+    data
+}
+
 pub(crate) fn start_server(db: DatabaseConnection) -> Rocket<Build> {
    use groups::*;
    use ticks::*;
@ -69,6 +81,7 @@ pub(crate) fn start_server(db: DatabaseConnection) -> Rocket<Build> {
    let it = rocket::build()
        .configure(Config {
            address: IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)),
+            secret_key: SecretKey::derive_from(&get_secret()),
            ..default()
        })
        .register("/", catchers![spa_index_redirect])