frontend: use secret key for cookies

Cargo.lock

@@ -1387,6 +1387,9 @@ name = "hex"
 version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+dependencies = [
+ "serde",
+]
 
 [[package]]
 name = "hkdf"

Cargo.toml

@@ -55,7 +55,7 @@ quick-xml = { version = "0.37", features = [
 ] }
 rust-embed = "8.5"
 futures-core = "0.3.31"
-hex = "0.4.3"
+hex = { version = "0.4.3", features = ["serde"] }
 mime_guess = "2.0.5"
 itertools = "0.13"
 log = "0.4"

crates/frontend/src/config.rs

@@ -2,5 +2,7 @@ use serde::{Deserialize, Serialize};
 
 #[derive(Deserialize, Serialize, Debug, Clone)]
 pub struct FrontendConfig {
-    secret_key: String,
+    #[serde(serialize_with = "hex::serde::serialize")]
+    #[serde(deserialize_with = "hex::serde::deserialize")]
+    pub secret_key: Vec<u8>,
 }

crates/frontend/src/lib.rs

@@ -62,15 +62,19 @@ pub fn configure_frontend<AP: AuthenticationProvider, C: CalendarStore + ?Sized>
     cfg: &mut web::ServiceConfig,
     auth_provider: Arc<AP>,
     store: Arc<C>,
+    frontend_config: FrontendConfig,
 ) {
     cfg.service(
         web::scope("")
             .wrap(AuthenticationMiddleware::new(auth_provider.clone()))
             .wrap(
-                SessionMiddleware::builder(CookieSessionStore::default(), Key::from(&[0; 64]))
-                    .cookie_secure(true)
-                    .cookie_content_security(actix_session::config::CookieContentSecurity::Private)
-                    .build(),
+                SessionMiddleware::builder(
+                    CookieSessionStore::default(),
+                    Key::from(&frontend_config.secret_key),
+                )
+                .cookie_secure(true)
+                .cookie_content_security(actix_session::config::CookieContentSecurity::Private)
+                .build(),
             )
             .app_data(Data::from(auth_provider))
             .app_data(Data::from(store.clone()))

src/app.rs

@@ -2,7 +2,7 @@ use actix_web::body::MessageBody;
 use actix_web::dev::{ServiceFactory, ServiceRequest, ServiceResponse};
 use actix_web::middleware::NormalizePath;
 use actix_web::{web, App};
-use rustical_frontend::configure_frontend;
+use rustical_frontend::{configure_frontend, FrontendConfig};
 use rustical_store::auth::AuthenticationProvider;
 use rustical_store::{AddressbookStore, CalendarStore};
 use std::sync::Arc;
@@ -12,6 +12,7 @@ pub fn make_app<AS: AddressbookStore + ?Sized, CS: CalendarStore + ?Sized>(
     addr_store: Arc<AS>,
     cal_store: Arc<CS>,
     auth_provider: Arc<impl AuthenticationProvider>,
+    frontend_config: FrontendConfig,
 ) -> App<
     impl ServiceFactory<
         ServiceRequest,
@@ -38,9 +39,13 @@ pub fn make_app<AS: AddressbookStore + ?Sized, CS: CalendarStore + ?Sized>(
                     rustical_carddav::configure_well_known(cfg, "/carddav".to_string())
                 }),
         )
-        .service(
-            web::scope("/frontend")
-                .configure(|cfg| configure_frontend(cfg, auth_provider.clone(), cal_store.clone())),
-        )
+        .service(web::scope("/frontend").configure(|cfg| {
+            configure_frontend(
+                cfg,
+                auth_provider.clone(),
+                cal_store.clone(),
+                frontend_config,
+            )
+        }))
         .service(web::redirect("/", "/frontend").see_other())
 }

src/main.rs

@@ -50,10 +50,17 @@ async fn main() -> Result<()> {
         config::AuthConfig::Static(config) => StaticUserStore::new(config),
     });
 
-    HttpServer::new(move || make_app(addr_store.clone(), cal_store.clone(), user_store.clone()))
-        .bind((config.http.host, config.http.port))?
-        .run()
-        .await?;
+    HttpServer::new(move || {
+        make_app(
+            addr_store.clone(),
+            cal_store.clone(),
+            user_store.clone(),
+            config.frontend.clone(),
+        )
+    })
+    .bind((config.http.host, config.http.port))?
+    .run()
+    .await?;
 
     Ok(())
 }