Sanitize routes #11
Sanitize routes #11
Conversation
tested: * registering * logging in * accessing login-only routes * accessing admin-only routes * token expiration Co-authored-by: Victor Roest <[email protected]>
server/Cargo.toml
Outdated
| @@ -7,11 +7,17 @@ edition = "2021" | |||
|
|
|||
| [dependencies] | |||
| dotenv = "0.15.0" | |||
| axum = "0.2.8" | |||
| axum = {git="https://github.com/tokio-rs/axum", branch="main"} | |||
There was a problem hiding this comment.
Which features do we get from main, just curious
There was a problem hiding this comment.
there are some pretty major bugs with middleware on not-main. Basically early-returning middleware do not work in any older version of axum.
There was a problem hiding this comment.
also fixes compile times of the generic stuff, even without boxed routes
There was a problem hiding this comment.
axum 0.3 is now available, can we use that instead of pulling from their git
| NotAdmin, | ||
|
|
||
| #[error("this route can only be accessed for your own user or if you are admin")] | ||
| NotSelf, |
There was a problem hiding this comment.
This feels superfluous, as in, this shouldn't be a state that is accessible to a user.
There was a problem hiding this comment.
yes it can be. When you ask for a user's information but that user is not yourself. Then this error is returned.
| Self::Mongo(e) => response_error!(e, internal server error), | ||
| Self::Oid(e) => response_error!(e, internal server error), | ||
| CheeseError::Login(l) => match l { | ||
| e @ LoginError::InvalidCredentials => { |
There was a problem hiding this comment.
Is there a specific reason for using this e @ ... syntax over just using a &a ?
This feels, at face value, like un-needed complexity wrt how easy the code base is to read.
There was a problem hiding this comment.
I want to match the entire error to give the right error message, but also want to print the original error message.
| } | ||
| LoginError::Database(e) => response_error!(e, internal server error), | ||
| LoginError::Bcrypt(e) => response_error!(e, internal server error), | ||
| e @ LoginError::UserWithoutId => response_error!(e, internal server error), |
There was a problem hiding this comment.
What's the work flow that causes this to happen? This shouldn't be possible
There was a problem hiding this comment.
I just don't want the server to crash in these cases. But it can't normally happen unless we have a bug
No description provided.