From 4d0bb0709b168a24ab6a8dbc86da45d7503596ee Mon Sep 17 00:00:00 2001
From: Owen Jacobson <owen@grimoire.ca>
Date: Sat, 28 Sep 2024 01:40:22 -0400
Subject: Wrap credential and credential-holding types to prevent `Debug`
 leaks.

The following values are considered confidential, and should never be logged, even by accident:

* `Password`, which is a durable bearer token for a specific Login;
* `IdentitySecret`, which is an ephemeral but potentially long-lived bearer token for a specific Login; or
* `IdentityToken`, which may hold cookies containing an `IdentitySecret`.

These values are now wrapped in types whose `Debug` impls output opaque values, so that they can be included in structs that `#[derive(Debug)]` without requiring any additional care. The wrappers also avoid implementing `Display`, to prevent inadvertent `to_string()`s.

We don't bother obfuscating `IdentitySecret`s in memory or in the `.hi` database. There's no point: we'd also need to store the information needed to de-obfuscate them, and they can be freely invalidated and replaced by blanking that table and asking everyone to log in again. Passwords _are_ obfuscated for storage, as they're intended to be durable.
---
 ...2a73a90e3912d23bf952740fe32544bc70a44e6a2744.json | 20 ++++++++++++++++++++
 ...83b68a8abceb822eb5db2e7dd8e509d4f79c106f8561.json | 20 --------------------
 2 files changed, 20 insertions(+), 20 deletions(-)
 create mode 100644 .sqlx/query-c28b9bffa73d6a861e122a73a90e3912d23bf952740fe32544bc70a44e6a2744.json
 delete mode 100644 .sqlx/query-df84b2afcb1493b3643a83b68a8abceb822eb5db2e7dd8e509d4f79c106f8561.json

(limited to '.sqlx')

diff --git a/.sqlx/query-c28b9bffa73d6a861e122a73a90e3912d23bf952740fe32544bc70a44e6a2744.json b/.sqlx/query-c28b9bffa73d6a861e122a73a90e3912d23bf952740fe32544bc70a44e6a2744.json
new file mode 100644
index 0000000..5927248
--- /dev/null
+++ b/.sqlx/query-c28b9bffa73d6a861e122a73a90e3912d23bf952740fe32544bc70a44e6a2744.json
@@ -0,0 +1,20 @@
+{
+  "db_name": "SQLite",
+  "query": "\n                insert\n                into token (secret, login, issued_at, last_used_at)\n                values ($1, $2, $3, $3)\n                returning secret as \"secret!: IdentitySecret\"\n            ",
+  "describe": {
+    "columns": [
+      {
+        "name": "secret!: IdentitySecret",
+        "ordinal": 0,
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Right": 3
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "c28b9bffa73d6a861e122a73a90e3912d23bf952740fe32544bc70a44e6a2744"
+}
diff --git a/.sqlx/query-df84b2afcb1493b3643a83b68a8abceb822eb5db2e7dd8e509d4f79c106f8561.json b/.sqlx/query-df84b2afcb1493b3643a83b68a8abceb822eb5db2e7dd8e509d4f79c106f8561.json
deleted file mode 100644
index c788557..0000000
--- a/.sqlx/query-df84b2afcb1493b3643a83b68a8abceb822eb5db2e7dd8e509d4f79c106f8561.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "db_name": "SQLite",
-  "query": "\n                insert\n                into token (secret, login, issued_at, last_used_at)\n                values ($1, $2, $3, $3)\n                returning secret as \"secret!\"\n            ",
-  "describe": {
-    "columns": [
-      {
-        "name": "secret!",
-        "ordinal": 0,
-        "type_info": "Text"
-      }
-    ],
-    "parameters": {
-      "Right": 3
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "df84b2afcb1493b3643a83b68a8abceb822eb5db2e7dd8e509d4f79c106f8561"
-}
-- 
cgit v1.2.3