Remove signing login token

It’s enough to use a safe crypto lib. But augment the token size to
upper bound.

1 files changed, 10 insertions, 8 deletions

diff --git a/src/utils/cookie.rs b/src/utils/cookie.rs
index e21e7d4..1ca3b73 100644
--- a/src/utils/cookie.rs
+++ b/src/utils/cookie.rs
@@ -1,25 +1,27 @@
 use hex;
 use rand_core::{OsRng, TryRngCore};
 
-use crate::crypto::signed;
 use crate::model::config::Config;
 
-const TOKEN_BYTES: usize = 20;
+// We consider that it’s unfeasible to guess a token from 128 bit long (=16 bytes) to 256 bit (=32 bytes) with safe margin.
+const TOKEN_BYTES: usize = 32;
 
 pub fn login(config: &Config, token: &str) -> Result<String, String> {
-    let signed_token = signed::sign(&config.auth_secret, token)?;
-    Ok(cookie(config, &signed_token, 365 * 24 * 60 * 60))
+    Ok(cookie(config, &token, 365 * 24 * 60 * 60))
 }
 
 pub fn logout(config: &Config) -> String {
     cookie(config, "", 0)
 }
 
-pub fn extract_token(config: &Config, cookie: &str) -> Result<String, String> {
+pub fn extract_token(cookie: &str) -> Result<String, String> {
     let mut xs = cookie.split('=');
-    xs.next();
-    let signed_cookie = xs.next().ok_or("Error extracting cookie")?;
-    signed::verify(&config.auth_secret, signed_cookie)
+    if xs.next() != Some("TOKEN") {
+        Err("Error extracting cookie".to_string())
+    } else {
+        let token = xs.next().ok_or("Error extracting cookie")?;
+        Ok(token.to_string())
+    }
 }
 
 pub fn generate_token() -> Result<String, String> {