From aaaf17486db05c3f6d7f3857dfe1d21835c02fc1 Mon Sep 17 00:00:00 2001
From: Nutomic
Date: Wed, 8 Nov 2023 13:55:09 +0100
Subject: [PATCH] Dont create auth cookie in backend (#4136)
---
 crates/api/src/local_user/login.rs | 14 ++++----------
 crates/api_common/src/utils.rs | 10 ----------
 crates/api_crud/src/user/create.rs | 9 +++------
 3 files changed, 7 insertions(+), 26 deletions(-)
diff --git a/crates/api/src/local_user/login.rs b/crates/api/src/local_user/login.rs
index f57fd0a70..956dcbba1 100644
--- a/crates/api/src/local_user/login.rs
+++ b/crates/api/src/local_user/login.rs
@@ -1,16 +1,14 @@
 use crate::check_totp_2fa_valid;
 use actix_web::{
- http::StatusCode,
 web::{Data, Json},
 HttpRequest,
- HttpResponse,
 };
 use bcrypt::verify;
 use lemmy_api_common::{
 claims::Claims,
 context::LemmyContext,
 person::{Login, LoginResponse},
- utils::{check_user_valid, create_login_cookie},
+ utils::check_user_valid,
 };
 use lemmy_db_schema::{
 source::{local_site::LocalSite, registration_application::RegistrationApplication},
@@ -25,7 +23,7 @@ pub async fn login(
 data: Json,
 req: HttpRequest,
 context: Data,
-) -> Result {
+) -> Result, LemmyError> {
 let site_view = SiteView::read_local(&mut context.pool()).await?;
 // Fetch that username / email
@@ -65,15 +63,11 @@ pub async fn login(
 let jwt = Claims::generate(local_user_view.local_user.id, req, &context).await?;
- let json = LoginResponse {
+ Ok(Json(LoginResponse {
 jwt: Some(jwt.clone()),
 verify_email_sent: false,
 registration_created: false,
- };
-
- let mut res = HttpResponse::build(StatusCode::OK).json(json);
- res.add_cookie(&create_login_cookie(jwt))?;
- Ok(res)
+ }))
 }
 async fn check_registration_application(
diff --git a/crates/api_common/src/utils.rs b/crates/api_common/src/utils.rs
index 670271be7..c4417e0e1 100644
--- a/crates/api_common/src/utils.rs
+++ b/crates/api_common/src/utils.rs
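Review bot: The `jwt.clone()` in the new `Ok(Json(LoginResponse { jwt: Some(jwt.clone()), … }))` is now redundant: the clone only existed to feed both the body and the removed `create_login_cookie(jwt)` call, and `jwt` is not used afterwards, so this can be `jwt: Some(jwt),`. More important is what the removal changes for the token: the `Secure`, `SameSite=Lax` and `HttpOnly` attributes that the deleted `create_login_cookie` helper in `crates/api_common/src/utils.rs` applied server-side are no longer enforced by the backend, and a token that the client stores from the JSON body via script cannot be `HttpOnly`, so its storage and attributes now depend entirely on the frontend. That contract should be stated where the token is returned, e.g. a doc comment on `login` such as `/// Returns the JWT only in the response body; the backend no longer sets an auth cookie, so the client is responsible for storing it and for the cookie attributes it applies.`. The same point applies to the `register` hunk at `@@ -170,7 +168,6 @@` in `crates/api_crud/src/user/create.rs`, which drops `res.cookie(create_login_cookie(jwt.clone()))`. `login` begins before this hunk.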
@@ -1,10 +1,8 @@
 use crate::{
 context::LemmyContext,
 request::purge_image_from_pictrs,
- sensitive::Sensitive,
 site::{FederatedInstances, InstanceWithFederationState},
 };
-use actix_web::cookie::{Cookie, SameSite};
 use anyhow::Context;
 use chrono::{DateTime, Days, Local, TimeZone, Utc};
 use enum_map::{enum_map, EnumMap};
@@ -776,14 +774,6 @@ pub fn generate_moderators_url(community_id: &DbUrl) -> Result) -> Cookie<'static> {
- let mut cookie = Cookie::new(AUTH_COOKIE_NAME, jwt.into_inner());
- cookie.set_secure(true);
- cookie.set_same_site(SameSite::Lax);
- cookie.set_http_only(true);
- cookie
-}
-
 /// Ensure that ban/block expiry is in valid range. If its in past, throw error. If its more - than 10 years in future, convert to permanent ban. Otherwise return the same value.
 pub fn check_expire_time(expires_unix_opt: Option) -> LemmyResult>> {
diff --git a/crates/api_crud/src/user/create.rs b/crates/api_crud/src/user/create.rs
index 4a326a3ac..236da14da 100644
--- a/crates/api_crud/src/user/create.rs
+++ b/crates/api_crud/src/user/create.rs
@@ -1,11 +1,10 @@
 use activitypub_federation::{config::Data, http_signatures::generate_actor_keypair};
-use actix_web::{http::StatusCode, web::Json, HttpRequest, HttpResponse, HttpResponseBuilder};
+use actix_web::{web::Json, HttpRequest};
 use lemmy_api_common::{
 claims::Claims,
 context::LemmyContext,
 person::{LoginResponse, Register},
 utils::{
- create_login_cookie,
 generate_inbox_url,
 generate_local_apub_endpoint,
 generate_shared_inbox_url,
@@ -42,7 +41,7 @@ pub async fn register(
 data: Json,
 req: HttpRequest,
 context: Data,
-) -> Result {
+) -> Result, LemmyError> {
 let site_view = SiteView::read_local(&mut context.pool()).await?;
 let local_site = site_view.local_site;
 let require_registration_application =
@@ -158,7 +157,6 @@ pub async fn register(
 .await?;
 }
- let mut res = HttpResponseBuilder::new(StatusCode::OK);
 let mut login_response = LoginResponse {
 jwt: None,
 registration_created: false,
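Review bot: With the response builder gone, the `let mut login_response = LoginResponse { jwt: None, registration_created: false,` initialiser at the end of this hunk in `crates/api_crud/src/user/create.rs` no longer has anything nearby explaining why `jwt` starts as `None`, and a reader has to find the branch further down that fills it in. A short comment above the `let` would help, e.g. `// jwt stays None unless the account is immediately usable; it is set below only when no registration application or email verification is pending.`. That wording is inferred from the condition visible in the next hunk (`!require_registration_application && !local_site.require_email_verification`), whose first operand lies outside the hunk, so confirm it against the full condition. `register` begins before this hunk and the struct literal continues past it.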
@@ -170,7 +168,6 @@ pub async fn register(
 || (!require_registration_application && !local_site.require_email_verification)
 {
 let jwt = Claims::generate(inserted_local_user.id, req, &context).await?;
- res.cookie(create_login_cookie(jwt.clone()));
 login_response.jwt = Some(jwt);
 } else {
 if local_site.require_email_verification {
@@ -201,5 +198,5 @@ pub async fn register(
 }
 }
- Ok(res.json(login_response))
+ Ok(Json(login_response))
 }