From 37aacef762b22da97a7ced7e769a47150825be9b Mon Sep 17 00:00:00 2001
From: Farooq Karimi Zadeh
Date: Sat, 8 Jul 2023 18:51:41 +0330
Subject: [PATCH 1/2] invalidate session after authorize to fix #17

---
 src/main.rs | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index d1ab7fd..80e26dc 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -321,7 +321,7 @@ async fn webhook_fn() -> &'static str {
 async fn authorize_fn(
 Query(queries): Query,
 State(state): State,
- session: ReadableSession,
+ mut session: WritableSession,
 ) -> Result {
 let config = &state.config;
 if queries.client_id != config.oauth.client_id {
@@ -336,9 +336,8 @@ async fn authorize_fn(
 let tree = state.db.open_tree("default")?;
 if let Some(contact_id) = session.get::("contact_id") {
 tree.insert(&auth_code, &contact_id.to_le_bytes())?;
- tree.insert(contact_id.to_le_bytes(), &*auth_code)?;
- // is it really required to save both pairs?
- log::info!("/authorize Redirected");
+ log::info!("/authorize Redirected. Removing contact_id from session");
+ session.remove("contact_id");
 Ok(Redirect::temporary(&format!(
 "{}?state={}&code={auth_code}",
 queries.redirect_uri, queries.state

From 499a2473add3ebd40c17150c49dbf08ffdc43c35 Mon Sep 17 00:00:00 2001
From: Farooq Karimi Zadeh
Date: Sat, 8 Jul 2023 18:54:48 +0330
Subject: [PATCH 2/2] let's make clippy a bit happy

---
 src/main.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main.rs b/src/main.rs
index 80e26dc..6bf5c95 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -53,7 +53,7 @@ use tower::ServiceBuilder;
 use tower_http::{services::ServeDir, trace::TraceLayer};
 use crate::config::BotConfig;
-use crate::queries::*;
+use crate::queries::{AuthorizeQuery, TokenQuery};
 // Short expiry is important, because right now we don't have an logout button on the login page
 // And even if we did have one, users would never get the idea that they not only need to logout of discourse,
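Review bot: `session.remove("contact_id")` in the second hunk drops one key but leaves the session itself valid, so the commit title's "invalidate session" promises more than the code does: the same session cookie still identifies the browser and any other state it carries survives the redirect. If the intent is a single-use login session, destroy it rather than strip a key — `session.destroy();` if the WritableSession type exposes async-session's destroy, otherwise whatever the session layer offers for dropping the whole session — and keep the log line honest about which one happens. Separately, the auth code is written to `tree` keyed by `auth_code` with no visible timestamp or TTL; unless the token exchange (outside this hunk) deletes the key on first use, a leaked code stays redeemable indefinitely, so storing an issue time alongside the contact id and rejecting stale codes at exchange would bound that window. Note that `authorize_fn` begins in the first hunk and its body continues past the end of the second, so the redirect_uri handling between them is not reviewed here.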