authorOwen Jacobson <owen@grimoire.ca>2024-09-04 11:00:48 -0400
committerOwen Jacobson <owen@grimoire.ca>2024-09-04 11:00:48 -0400
commit4259e7406aec128bfb45fbb46eefa501f12870da (patch)
tree876277de0211d2cdfbe9a21ba2f84b14829b1e5f /src/login/extract/login.rs
parent636d5ff79a45c33d27f62b99edc905b847750ac1 (diff)
Login fixes:
1. Stop rejecting login attempts when there's an identity cookie already set. This looked like a good idea, but in practice it's not a sufficient check, as it doesn't ensure the identity cookie is actually valid. Validating it is an option, but the do-nothing alternative (which I went with) is that a login request while already logged in overwrites your identity cookie, instead. It's less code, semantically not bonkers, and doesn't _appear_ to introduce any interesting user security issues.
2. Redirect to / after successful login/logout, instead of dropping the user on a useless text page.
Diffstat (limited to 'src/login/extract/login.rs')
-rw-r--r--src/login/extract/login.rs4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/login/extract/login.rs b/src/login/extract/login.rs
index ce820f1..b756fa6 100644
--- a/src/login/extract/login.rs
+++ b/src/login/extract/login.rs
@@ -22,6 +22,10 @@ impl FromRequestParts<SqlitePool> for Login {
parts: &mut Parts,
state: &SqlitePool,
) -> Result<Self, Self::Rejection> {
+ // After Rust 1.82 (and #[feature(min_exhaustive_patterns)] lands on
+ // stable), the following can be replaced:
+ //
+ // let Ok(identity_token) = IdentityToken::from_request_parts(parts, state).await;
let identity_token = IdentityToken::from_request_parts(parts, state).await?;
let requested_at = RequestedAt::from_request_parts(parts, state).await?;
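Review bot: The comment added above `let identity_token = IdentityToken::from_request_parts(parts, state).await?;` says "the following can be replaced" but never states why the irrefutable `let Ok(..)` form would be valid. In an authentication extractor that missing reason is the part a reader needs: if `IdentityToken`'s rejection type is uninhabited (presumably `Infallible`; its impl is not visible here), this `?` can never reject a request, so the decision to refuse a missing or invalid token has to be made later in the function, which continues outside the hunk. I would spell that out, for example `// IdentityToken extraction cannot fail (Rejection is uninhabited), so this `?` never rejects; the token is checked further down.` followed by `// Once min_exhaustive_patterns is stable (Rust 1.82) the line below can become:`. The feature gate is also written `#[feature(...)]`, while the crate-level attribute form is `#![feature(min_exhaustive_patterns)]`.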