From 33eae4a78007de310f3ae4e3d3677bfbbd04ab75 Mon Sep 17 00:00:00 2001
From: Lennart <18233294+lennart-k@users.noreply.github.com>
Date: Sat, 2 Nov 2024 13:10:41 +0100
Subject: [PATCH] frontend: use secret key for cookies

---
 Cargo.lock                    |  3 +++
 Cargo.toml                    |  2 +-
 crates/frontend/src/config.rs |  4 +++-
 crates/frontend/src/lib.rs    | 12 ++++++++----
 src/app.rs                    | 15 ++++++++++-----
 src/main.rs                   | 15 +++++++++++----
 6 files changed, 36 insertions(+), 15 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a322e76..4e37216 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1387,6 +1387,9 @@ name = "hex"
 version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+dependencies = [
+ "serde",
+]
 
 [[package]]
 name = "hkdf"
diff --git a/Cargo.toml b/Cargo.toml
index 2d0ba84..9e8060a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -55,7 +55,7 @@ quick-xml = { version = "0.37", features = [
 ] }
 rust-embed = "8.5"
 futures-core = "0.3.31"
-hex = "0.4.3"
+hex = { version = "0.4.3", features = ["serde"] }
 mime_guess = "2.0.5"
 itertools = "0.13"
 log = "0.4"
diff --git a/crates/frontend/src/config.rs b/crates/frontend/src/config.rs
index b03f3b1..54147ae 100644
--- a/crates/frontend/src/config.rs
+++ b/crates/frontend/src/config.rs
@@ -2,5 +2,7 @@ use serde::{Deserialize, Serialize};
 
 #[derive(Deserialize, Serialize, Debug, Clone)]
 pub struct FrontendConfig {
-    secret_key: String,
+    #[serde(serialize_with = "hex::serde::serialize")]
+    #[serde(deserialize_with = "hex::serde::deserialize")]
+    pub secret_key: Vec<u8>,
 }
diff --git a/crates/frontend/src/lib.rs b/crates/frontend/src/lib.rs
index 7ac39a7..4e51bf0 100644
--- a/crates/frontend/src/lib.rs
+++ b/crates/frontend/src/lib.rs
@@ -62,15 +62,19 @@ pub fn configure_frontend<AP: AuthenticationProvider, C: CalendarStore + ?Sized>
     cfg: &mut web::ServiceConfig,
     auth_provider: Arc<AP>,
     store: Arc<C>,
+    frontend_config: FrontendConfig,
 ) {
     cfg.service(
         web::scope("")
             .wrap(AuthenticationMiddleware::new(auth_provider.clone()))
             .wrap(
-                SessionMiddleware::builder(CookieSessionStore::default(), Key::from(&[0; 64]))
-                    .cookie_secure(true)
-                    .cookie_content_security(actix_session::config::CookieContentSecurity::Private)
-                    .build(),
+                SessionMiddleware::builder(
+                    CookieSessionStore::default(),
+                    Key::from(&frontend_config.secret_key),
+                )
+                .cookie_secure(true)
+                .cookie_content_security(actix_session::config::CookieContentSecurity::Private)
+                .build(),
             )
             .app_data(Data::from(auth_provider))
             .app_data(Data::from(store.clone()))
diff --git a/src/app.rs b/src/app.rs
index d23e1a1..4a7f159 100644
--- a/src/app.rs
+++ b/src/app.rs
@@ -2,7 +2,7 @@ use actix_web::body::MessageBody;
 use actix_web::dev::{ServiceFactory, ServiceRequest, ServiceResponse};
 use actix_web::middleware::NormalizePath;
 use actix_web::{web, App};
-use rustical_frontend::configure_frontend;
+use rustical_frontend::{configure_frontend, FrontendConfig};
 use rustical_store::auth::AuthenticationProvider;
 use rustical_store::{AddressbookStore, CalendarStore};
 use std::sync::Arc;
@@ -12,6 +12,7 @@ pub fn make_app<AS: AddressbookStore + ?Sized, CS: CalendarStore + ?Sized>(
     addr_store: Arc<AS>,
     cal_store: Arc<CS>,
     auth_provider: Arc<impl AuthenticationProvider>,
+    frontend_config: FrontendConfig,
 ) -> App<
     impl ServiceFactory<
         ServiceRequest,
@@ -38,9 +39,13 @@ pub fn make_app<AS: AddressbookStore + ?Sized, CS: CalendarStore + ?Sized>(
                     rustical_carddav::configure_well_known(cfg, "/carddav".to_string())
                 }),
         )
-        .service(
-            web::scope("/frontend")
-                .configure(|cfg| configure_frontend(cfg, auth_provider.clone(), cal_store.clone())),
-        )
+        .service(web::scope("/frontend").configure(|cfg| {
+            configure_frontend(
+                cfg,
+                auth_provider.clone(),
+                cal_store.clone(),
+                frontend_config,
+            )
+        }))
         .service(web::redirect("/", "/frontend").see_other())
 }
diff --git a/src/main.rs b/src/main.rs
index f9676ce..68de819 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -50,10 +50,17 @@ async fn main() -> Result<()> {
         config::AuthConfig::Static(config) => StaticUserStore::new(config),
     });
 
-    HttpServer::new(move || make_app(addr_store.clone(), cal_store.clone(), user_store.clone()))
-        .bind((config.http.host, config.http.port))?
-        .run()
-        .await?;
+    HttpServer::new(move || {
+        make_app(
+            addr_store.clone(),
+            cal_store.clone(),
+            user_store.clone(),
+            config.frontend.clone(),
+        )
+    })
+    .bind((config.http.host, config.http.port))?
+    .run()
+    .await?;
 
     Ok(())
 }