From 648d073e1b8f4838f147c0520024bd453921a25c Mon Sep 17 00:00:00 2001
From: Joris Guyonvarch
Date: Fri, 17 Apr 2026 22:53:02 +0200
Subject: Remove signing login token

It’s enough to use a safe crypto lib. But augment the token size to upper bound.
---
 src/utils/cookie.rs | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

(limited to 'src/utils')

diff --git a/src/utils/cookie.rs b/src/utils/cookie.rs
index e21e7d4..1ca3b73 100644
--- a/src/utils/cookie.rs
+++ b/src/utils/cookie.rs
@@ -1,25 +1,27 @@
 use hex;
 use rand_core::{OsRng, TryRngCore};

-use crate::crypto::signed;
 use crate::model::config::Config;

-const TOKEN_BYTES: usize = 20;
+// We consider that it’s unfeasible to guess a token from 128 bit long (=16 bytes) to 256 bit (=32 bytes) with safe margin.
+const TOKEN_BYTES: usize = 32;

 pub fn login(config: &Config, token: &str) -> Result {
-let signed_token = signed::sign(&config.auth_secret, token)?;
-Ok(cookie(config, &signed_token, 365 * 24 * 60 * 60))
+Ok(cookie(config, &token, 365 * 24 * 60 * 60))
 }

 pub fn logout(config: &Config) -> String {
 cookie(config, "", 0)
 }

-pub fn extract_token(config: &Config, cookie: &str) -> Result {
+pub fn extract_token(cookie: &str) -> Result {
 let mut xs = cookie.split('=');
-xs.next();
-let signed_cookie = xs.next().ok_or("Error extracting cookie")?;
-signed::verify(&config.auth_secret, signed_cookie)
+if xs.next() != Some("TOKEN") {
+Err("Error extracting cookie".to_string())
+} else {
+let token = xs.next().ok_or("Error extracting cookie")?;
+Ok(token.to_string())
+}
 }

 pub fn generate_token() -> Result {
--
cgit v1.2.3
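Review bot: With the signature check gone, `extract_token` returns whatever follows the first `=` without validating it, so `TOKEN=` yields `Ok("")` and a header such as `TOKEN=abc; other=1` yields `abc; other`. The token is now the only credential, so I would reject anything of the wrong shape before it reaches the lookup, e.g. `if token.len() != TOKEN_BYTES * 2 || !token.bytes().all(|b| b.is_ascii_hexdigit()) { return Err("Error extracting cookie".to_string()); }`. That check assumes `generate_token` hex-encodes `TOKEN_BYTES` bytes; its body lies outside the hunk. The caller's comparison against the stored token is not visible here, so it is worth confirming that it can never match an empty or default value, and ideally that only a hash of the token is stored server-side. Minor: `&token` in `login` re-borrows a `&str` and can be plain `token`.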