From 4259e7406aec128bfb45fbb46eefa501f12870da Mon Sep 17 00:00:00 2001 From: Owen Jacobson Date: Wed, 4 Sep 2024 11:00:48 -0400 Subject: Login fixes: 1. Stop rejecting login attempts when there's an identity cookie already set. This looked like a good idea, but in practice it's not a sufficient check, as it doesn't ensure the identity cookie is actually valid. Validating it is an option, but the do-nothing alternative (which I went with) is that a login request while already logged in overwrites your identity cookie, instead. It's less code, semantically not bonkers, and doesn't _appear_ to introduce any interesting user security issues. 2. Redirect to / after successful login/logout, instead of dropping the user on a useless text page. --- src/login/extract/login.rs | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/login/extract/login.rs') diff --git a/src/login/extract/login.rs b/src/login/extract/login.rs index ce820f1..b756fa6 100644 --- a/src/login/extract/login.rs +++ b/src/login/extract/login.rs @@ -22,6 +22,10 @@ impl FromRequestParts for Login { parts: &mut Parts, state: &SqlitePool, ) -> Result { + // After Rust 1.82 (and #[feature(min_exhaustive_patterns)] lands on + // stable), the following can be replaced: + // + // let Ok(identity_token) = IdentityToken::from_request_parts(parts, state).await; let identity_token = IdentityToken::from_request_parts(parts, state).await?; let requested_at = RequestedAt::from_request_parts(parts, state).await?; -- cgit v1.2.3
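Review bot: The comment added above `let identity_token = IdentityToken::from_request_parts(parts, state).await?;` reads ambiguously: "the following can be replaced:" is followed by the replacement itself, so a reader can mistake the commented-out `let Ok(identity_token) = ...` line for the code that is to be removed. Suggest rewording to something like "the `?` line below can be replaced with:" and stating the precondition that makes the irrefutable `let Ok(..)` pattern compile, namely that the rejection type of the `IdentityToken` extractor is uninhabited, so the note can be re-checked if that extractor ever gains a real failure case. The attribute is also written as `#[feature(min_exhaustive_patterns)]`; feature gates are crate-level and use the inner form `#![feature(...)]`.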