From aaaf17486db05c3f6d7f3857dfe1d21835c02fc1 Mon Sep 17 00:00:00 2001
From: Nutomic <me@nutomic.com>
Date: Wed, 8 Nov 2023 13:55:09 +0100
Subject: [PATCH] Dont create auth cookie in backend (#4136)

---
 crates/api/src/local_user/login.rs | 14 ++++----------
 crates/api_common/src/utils.rs     | 10 ----------
 crates/api_crud/src/user/create.rs |  9 +++------
 3 files changed, 7 insertions(+), 26 deletions(-)

diff --git a/crates/api/src/local_user/login.rs b/crates/api/src/local_user/login.rs
index f57fd0a70..956dcbba1 100644
--- a/crates/api/src/local_user/login.rs
+++ b/crates/api/src/local_user/login.rs
@@ -1,16 +1,14 @@
 use crate::check_totp_2fa_valid;
 use actix_web::{
-  http::StatusCode,
   web::{Data, Json},
   HttpRequest,
-  HttpResponse,
 };
 use bcrypt::verify;
 use lemmy_api_common::{
   claims::Claims,
   context::LemmyContext,
   person::{Login, LoginResponse},
-  utils::{check_user_valid, create_login_cookie},
+  utils::check_user_valid,
 };
 use lemmy_db_schema::{
   source::{local_site::LocalSite, registration_application::RegistrationApplication},
@@ -25,7 +23,7 @@ pub async fn login(
   data: Json<Login>,
   req: HttpRequest,
   context: Data<LemmyContext>,
-) -> Result<HttpResponse, LemmyError> {
+) -> Result<Json<LoginResponse>, LemmyError> {
   let site_view = SiteView::read_local(&mut context.pool()).await?;
 
   // Fetch that username / email
@@ -65,15 +63,11 @@ pub async fn login(
 
   let jwt = Claims::generate(local_user_view.local_user.id, req, &context).await?;
 
-  let json = LoginResponse {
+  Ok(Json(LoginResponse {
     jwt: Some(jwt.clone()),
     verify_email_sent: false,
     registration_created: false,
-  };
-
-  let mut res = HttpResponse::build(StatusCode::OK).json(json);
-  res.add_cookie(&create_login_cookie(jwt))?;
-  Ok(res)
+  }))
 }
 
 async fn check_registration_application(
diff --git a/crates/api_common/src/utils.rs b/crates/api_common/src/utils.rs
index 670271be7..c4417e0e1 100644
--- a/crates/api_common/src/utils.rs
+++ b/crates/api_common/src/utils.rs
@@ -1,10 +1,8 @@
 use crate::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
-  sensitive::Sensitive,
   site::{FederatedInstances, InstanceWithFederationState},
 };
-use actix_web::cookie::{Cookie, SameSite};
 use anyhow::Context;
 use chrono::{DateTime, Days, Local, TimeZone, Utc};
 use enum_map::{enum_map, EnumMap};
@@ -776,14 +774,6 @@ pub fn generate_moderators_url(community_id: &DbUrl) -> Result<DbUrl, LemmyError
   Ok(Url::parse(&format!("{community_id}/moderators"))?.into())
 }
 
-pub fn create_login_cookie(jwt: Sensitive<String>) -> Cookie<'static> {
-  let mut cookie = Cookie::new(AUTH_COOKIE_NAME, jwt.into_inner());
-  cookie.set_secure(true);
-  cookie.set_same_site(SameSite::Lax);
-  cookie.set_http_only(true);
-  cookie
-}
-
 /// Ensure that ban/block expiry is in valid range. If its in past, throw error. If its more
 /// than 10 years in future, convert to permanent ban. Otherwise return the same value.
 pub fn check_expire_time(expires_unix_opt: Option<i64>) -> LemmyResult<Option<DateTime<Utc>>> {
diff --git a/crates/api_crud/src/user/create.rs b/crates/api_crud/src/user/create.rs
index 4a326a3ac..236da14da 100644
--- a/crates/api_crud/src/user/create.rs
+++ b/crates/api_crud/src/user/create.rs
@@ -1,11 +1,10 @@
 use activitypub_federation::{config::Data, http_signatures::generate_actor_keypair};
-use actix_web::{http::StatusCode, web::Json, HttpRequest, HttpResponse, HttpResponseBuilder};
+use actix_web::{web::Json, HttpRequest};
 use lemmy_api_common::{
   claims::Claims,
   context::LemmyContext,
   person::{LoginResponse, Register},
   utils::{
-    create_login_cookie,
     generate_inbox_url,
     generate_local_apub_endpoint,
     generate_shared_inbox_url,
@@ -42,7 +41,7 @@ pub async fn register(
   data: Json<Register>,
   req: HttpRequest,
   context: Data<LemmyContext>,
-) -> Result<HttpResponse, LemmyError> {
+) -> Result<Json<LoginResponse>, LemmyError> {
   let site_view = SiteView::read_local(&mut context.pool()).await?;
   let local_site = site_view.local_site;
   let require_registration_application =
@@ -158,7 +157,6 @@ pub async fn register(
       .await?;
   }
 
-  let mut res = HttpResponseBuilder::new(StatusCode::OK);
   let mut login_response = LoginResponse {
     jwt: None,
     registration_created: false,
@@ -170,7 +168,6 @@ pub async fn register(
     || (!require_registration_application && !local_site.require_email_verification)
   {
     let jwt = Claims::generate(inserted_local_user.id, req, &context).await?;
-    res.cookie(create_login_cookie(jwt.clone()));
     login_response.jwt = Some(jwt);
   } else {
     if local_site.require_email_verification {
@@ -201,5 +198,5 @@ pub async fn register(
     }
   }
 
-  Ok(res.json(login_response))
+  Ok(Json(login_response))
 }