v0.6.5

Cargo.lock

@@ -2999,7 +2999,7 @@ dependencies = [
 
 [[package]]
 name = "rustical"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "anyhow",
  "argon2",
@@ -3042,7 +3042,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_caldav"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "async-std",
  "async-trait",
@@ -3080,7 +3080,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_carddav"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "async-trait",
  "axum",
@@ -3112,7 +3112,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_dav"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "async-trait",
  "axum",
@@ -3137,7 +3137,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_dav_push"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "async-trait",
  "axum",
@@ -3163,7 +3163,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_frontend"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "askama",
  "askama_web",
@@ -3196,7 +3196,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_ical"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "axum",
  "chrono",
@@ -3214,7 +3214,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_oidc"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "async-trait",
  "axum",
@@ -3229,7 +3229,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_store"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -3263,7 +3263,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_store_sqlite"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "async-trait",
  "chrono",
@@ -3284,7 +3284,7 @@ dependencies = [
 
 [[package]]
 name = "rustical_xml"
-version = "0.6.4"
+version = "0.6.5"
 dependencies = [
  "quick-xml",
  "thiserror 2.0.12",

Cargo.toml

@@ -2,7 +2,7 @@
 members = ["crates/*"]
 
 [workspace.package]
-version = "0.6.4"
+version = "0.6.5"
 edition = "2024"
 description = "A CalDAV server"
 repository = "https://github.com/lennart-k/rustical"

crates/caldav/src/calendar/service.rs

@@ -51,7 +51,7 @@ impl<C: CalendarStore, S: SubscriptionStore> ResourceService for CalendarResourc
     type Principal = Principal;
     type PrincipalUri = CalDavPrincipalUri;
 
-    const DAV_HEADER: &str = "1, 3, access-control, calendar-access, calendar-proxy, webdav-push";
+    const DAV_HEADER: &str = "1, 3, access-control, calendar-access, webdav-push";
 
     async fn get_resource(
         &self,

crates/caldav/src/principal/mod.rs

@@ -41,11 +41,6 @@ impl Resource for PrincipalResource {
         Resourcetype(&[
             ResourcetypeInner(Some(rustical_dav::namespace::NS_DAV), "collection"),
             ResourcetypeInner(Some(rustical_dav::namespace::NS_DAV), "principal"),
-            // https://github.com/apple/ccs-calendarserver/blob/13c706b985fb728b9aab42dc0fef85aae21921c3/doc/Extensions/caldav-proxy.txt
-            // ResourcetypeInner(
-            //     Some(rustical_dav::namespace::NS_CALENDARSERVER),
-            //     "calendar-proxy-write",
-            // ),
         ])
     }
 

crates/caldav/src/principal/service.rs

@@ -46,7 +46,7 @@ impl<AP: AuthenticationProvider, S: SubscriptionStore, CS: CalendarStore> Resour
     type Principal = Principal;
     type PrincipalUri = CalDavPrincipalUri;
 
-    const DAV_HEADER: &str = "1, 3, access-control, calendar-access, calendar-proxy";
+    const DAV_HEADER: &str = "1, 3, access-control, calendar-access";
 
     async fn get_resource(
         &self,

crates/frontend/src/routes/app_token.rs

@@ -56,9 +56,13 @@ pub async fn route_post_app_token<AP: AuthenticationProvider>(
     assert!(!name.is_empty());
     assert_eq!(user_id, user.id);
     let token = generate_app_token();
-    auth_provider
+    let mut token_id = auth_provider
         .add_app_token(&user.id, name.to_owned(), token.clone())
         .await?;
+    // Get first 4 characters of token identifier
+    token_id.truncate(4);
+    // This will be a hint for the token validator which app token hash to verify against
+    let token = format!("{token_id}_{token}");
     if apple {
         let profile = AppleConfig {
             token_name: name,

crates/store_sqlite/src/principal_store.rs

@@ -149,8 +149,23 @@ impl AuthenticationProvider for SqlitePrincipalStore {
         user_id: &str,
         token: &str,
     ) -> Result<Option<Principal>, Error> {
+        #[instrument(skip(password))]
+        fn verify_password(password: &str, hash: &str) -> Result<(), password_auth::VerifyError> {
+            password_auth::verify_password(password, hash)
+        }
+
+        // Allow to specify the token id to use to make validation faster
+        // Doesn't match the whole length of the token id to keep the length in bounds
+        // Example: asd_selgkh
+        // where the app token id starts with asd and its value is selgkh
+        let (token_id_prefix, token) = token.split_once('_').unwrap_or(("", token));
+
         for app_token in &self.get_app_tokens(user_id).await? {
-            if password_auth::verify_password(token, app_token.token.as_ref()).is_ok() {
+            // Wrong token id
+            if !app_token.id.starts_with(token_id_prefix) {
+                continue;
+            }
+            if verify_password(token, app_token.token.as_ref()).is_ok() {
                 return self.get_principal(user_id).await;
             }
         }
@@ -206,7 +221,10 @@ impl AuthenticationProvider for SqlitePrincipalStore {
                 None,
                 None,
                 Params {
-                    rounds: 10,
+                    // The app token has a high entropy so we are quite safe from quessing attacks
+                    // Also if an attacker got access to the hashes they'd have already gotten
+                    // access to the whole database.
+                    rounds: 2,
                     ..Default::default()
                 },
                 &salt,