From 4d0bb0709b168a24ab6a8dbc86da45d7503596ee Mon Sep 17 00:00:00 2001
From: Owen Jacobson <owen@grimoire.ca>
Date: Sat, 28 Sep 2024 01:40:22 -0400
Subject: Wrap credential and credential-holding types to prevent `Debug`
 leaks.

The following values are considered confidential, and should never be logged, even by accident:

* `Password`, which is a durable bearer token for a specific Login;
* `IdentitySecret`, which is an ephemeral but potentially long-lived bearer token for a specific Login; or
* `IdentityToken`, which may hold cookies containing an `IdentitySecret`.

These values are now wrapped in types whose `Debug` impls output opaque values, so that they can be included in structs that `#[derive(Debug)]` without requiring any additional care. The wrappers also avoid implementing `Display`, to prevent inadvertent `to_string()`s.

We don't bother obfuscating `IdentitySecret`s in memory or in the `.hi` database. There's no point: we'd also need to store the information needed to de-obfuscate them, and they can be freely invalidated and replaced by blanking that table and asking everyone to log in again. Passwords _are_ obfuscated for storage, as they're intended to be durable.
---
 src/login/routes/test/login.rs  | 8 ++++----
 src/login/routes/test/logout.rs | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

(limited to 'src/login/routes/test')

diff --git a/src/login/routes/test/login.rs b/src/login/routes/test/login.rs
index 719ccca..10c17d6 100644
--- a/src/login/routes/test/login.rs
+++ b/src/login/routes/test/login.rs
@@ -38,7 +38,7 @@ async fn new_identity() {
     let validated_at = fixtures::now();
     let validated = app
         .logins()
-        .validate(secret, &validated_at)
+        .validate(&secret, &validated_at)
         .await
         .expect("identity secret is valid");
 
@@ -75,7 +75,7 @@ async fn existing_identity() {
     let validated_at = fixtures::now();
     let validated_login = app
         .logins()
-        .validate(secret, &validated_at)
+        .validate(&secret, &validated_at)
         .await
         .expect("identity secret is valid");
 
@@ -122,7 +122,7 @@ async fn token_expires() {
     let (identity, _) = routes::on_login(State(app.clone()), logged_in_at, identity, Json(request))
         .await
         .expect("logged in with valid credentials");
-    let token = identity.secret().expect("logged in with valid credentials");
+    let secret = identity.secret().expect("logged in with valid credentials");
 
     // Verify the semantics
 
@@ -135,7 +135,7 @@ async fn token_expires() {
     let verified_at = fixtures::now();
     let error = app
         .logins()
-        .validate(token, &verified_at)
+        .validate(&secret, &verified_at)
         .await
         .expect_err("validating an expired token");
 
diff --git a/src/login/routes/test/logout.rs b/src/login/routes/test/logout.rs
index 4c09a73..05594be 100644
--- a/src/login/routes/test/logout.rs
+++ b/src/login/routes/test/logout.rs
@@ -37,7 +37,7 @@ async fn successful() {
 
     let error = app
         .logins()
-        .validate(secret, &now)
+        .validate(&secret, &now)
         .await
         .expect_err("secret is invalid");
     match error {
-- 
cgit v1.2.3