Compare commits

...

2 Commits

Author SHA1 Message Date
4466396259 Enable config option for secure auth cookies
All checks were successful
Push Workflows / rustfmt (push) Successful in 16s
Push Workflows / tailwind-build (push) Successful in 15s
Push Workflows / test (push) Successful in 27s
Push Workflows / docs (push) Successful in 25s
Push Workflows / clippy (push) Successful in 19s
Push Workflows / build (push) Successful in 50s
Push Workflows / nix-build (push) Successful in 5m13s
Enable by default in release mode
2026-06-28 13:48:31 -04:00
142182af74 Allow unauthenticated access to /wasm/ in dev mode 2026-06-28 13:47:46 -04:00
4 changed files with 13 additions and 3 deletions

View File

@@ -109,12 +109,12 @@ pub async fn get_user_by_username(
} }
/// Create the authentication middleware layer /// Create the authentication middleware layer
pub fn build_auth_layer(db_pool: DbPool, key_val_pool: KeyValPool) -> AuthLayer { pub fn build_auth_layer(db_pool: DbPool, key_val_pool: KeyValPool, use_secure: bool) -> AuthLayer {
use axum_login::{AuthManagerLayerBuilder, tower_sessions::SessionManagerLayer}; use axum_login::{AuthManagerLayerBuilder, tower_sessions::SessionManagerLayer};
use tower_sessions_redis_store::RedisStore; use tower_sessions_redis_store::RedisStore;
let auth_session_store = RedisStore::new(key_val_pool); let auth_session_store = RedisStore::new(key_val_pool);
let session_layer = SessionManagerLayer::new(auth_session_store); let session_layer = SessionManagerLayer::new(auth_session_store).with_secure(use_secure);
let auth_backend = AuthBackend { db_pool }; let auth_backend = AuthBackend { db_pool };

View File

@@ -1,8 +1,13 @@
use serde::Deserialize; use serde::Deserialize;
/// Enable secure cookies by default only in release mode
/// (Secure cookies can't be set over HTTP. Rough assumption: development is done over HTTP)
const DEFAULT_COOKIES_SECURE: bool = cfg!(not(debug_assertions));
#[derive(Debug, Clone, Deserialize)] #[derive(Debug, Clone, Deserialize)]
pub struct AuthConfig { pub struct AuthConfig {
pub open_signup: bool, pub open_signup: bool,
pub cookies_secure: bool,
} }
/// Build a connection URI from parts /// Build a connection URI from parts
@@ -153,6 +158,7 @@ pub fn load_config() -> Result<Config, config::ConfigError> {
config::Config::builder() config::Config::builder()
.set_default("server.port", 8080)? .set_default("server.port", 8080)?
.set_default("auth.open_signup", false)? .set_default("auth.open_signup", false)?
.set_default("auth.cookies_secure", DEFAULT_COOKIES_SECURE)?
.add_source(File::with_name(&format!("/etc/{pkg_name}/config")).required(false)) .add_source(File::with_name(&format!("/etc/{pkg_name}/config")).required(false))
.add_source(File::with_name(&format!("/etc/{pkg_name}")).required(false)) .add_source(File::with_name(&format!("/etc/{pkg_name}")).required(false))
.add_source(File::with_name("config").required(false)) .add_source(File::with_name("config").required(false))

View File

@@ -34,7 +34,7 @@ async fn router_setup() -> Result<Router> {
.await .await
.err_context("Failed key-value store setup")?; .err_context("Failed key-value store setup")?;
let auth_layer = build_auth_layer(db_pool.clone(), key_val_pool); let auth_layer = build_auth_layer(db_pool.clone(), key_val_pool, config.auth.cookies_secure);
let router = dioxus::server::router(App) let router = dioxus::server::router(App)
.layer(from_fn(require_auth_middleware)) .layer(from_fn(require_auth_middleware))

View File

@@ -7,8 +7,12 @@ use dioxus::prelude::*;
use crate::server::auth::AuthSession; use crate::server::auth::AuthSession;
#[cfg(not(debug_assertions))]
const ALLOWED_PATH_PREFIX: [&str; 1] = ["/assets/"]; const ALLOWED_PATH_PREFIX: [&str; 1] = ["/assets/"];
#[cfg(debug_assertions)]
const ALLOWED_PATH_PREFIX: [&str; 2] = ["/assets/", "/wasm/"];
const ALLOWED_PATHS: [&str; 5] = [ const ALLOWED_PATHS: [&str; 5] = [
"/login", "/login",
"/signup", "/signup",