From 81303d31cd471fd56a65c7837e59842f7ea219c8 Mon Sep 17 00:00:00 2001
From: Imbus <>
Date: Sun, 24 Mar 2024 23:45:22 +0100
Subject: [PATCH] Beefing up security and cleaning up state

---
 server/src/main.rs | 19 +++++++++++--------
 server/src/state.rs | 26 +++++++------------------
 2 files changed, 18 insertions(+), 27 deletions(-)

diff --git a/server/src/main.rs b/server/src/main.rs
index 476c4be..bcf68c8 100755
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -5,6 +5,7 @@ use actix_web::middleware;
 use actix_web::web::Data;
 use actix_web::{web::scope, App, HttpServer};
 use log::info;
+use rand::Rng;
 
 mod db;
 mod jwt;
@@ -32,21 +33,23 @@ async fn main() -> std::io::Result<()> {
 let data = ServerState::new().await;
 let capt_db = CaptchaState::new();
 
- let auth = Authentication::new("secret".as_bytes());
- #[cfg(debug_assertions)]
- {
- for _ in 0..10 {
- let s = hex_string(10);
- info!("Adding captcha key: {}", &s);
- capt_db.capthca_db.lock().unwrap().insert(s);
- }
+ // 32 random bytes for the auth key should be enough
+ let mut rng = rand::thread_rng();
+ let random_bytes = (0..32).map(|_| rng.gen::()).collect::>();
+ let auth = Authentication::new(&random_bytes);
+
+ for _ in 0..10 {
+ let s = hex_string(10);
+ info!("Adding captcha key: {}", &s);
+ capt_db.capthca_db.lock().unwrap().insert(s);
 }
 
 info!("Spinning up server on http://localhost:8080");
 
 HttpServer::new(move || {
 let cors = Cors::default()
 .allowed_origin("https://shitpost.se")
+ .allowed_origin("http://localhost:8080")
 .allowed_methods(vec!["GET", "POST"])
 .max_age(3600);
 
diff --git a/server/src/state.rs b/server/src/state.rs
index c4748c2..347320e 100644
--- a/server/src/state.rs
+++ b/server/src/state.rs
@@ -9,7 +9,6 @@ use sqlx::PgPool;
 
 #[derive(Clone)]
 pub struct CaptchaState {
- // pub capthca_db: Arc>>,
 pub capthca_db: Arc>>,
 }
 
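Review bot: The ten seeded captcha keys are still written to the log at info level (`info!("Adding captcha key: {}", &s)`), and this hunk drops the `#[cfg(debug_assertions)]` guard that kept the loop out of release builds, so a production log now contains every key that is inserted into the live captcha set. Either restore the guard on the loop or keep the value out of the log line, e.g. `info!("Added captcha key");`. Drawing the auth key as 32 random bytes at startup removes the hard-coded `"secret"`, but every restart invalidates all previously issued tokens and two instances serving the same origin would not accept each other's tokens; loading the key from configuration with the random draw as a fallback would avoid both. The added `.allowed_origin("http://localhost:8080")` ships in release builds too; if it is for local development it belongs behind `#[cfg(debug_assertions)]` or a config flag. The rest of `main` continues outside the hunk.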
@@ -45,27 +44,13 @@ impl ServerState {
 
 sqlx::migrate!("./migrations").run(&pool).await.unwrap();
 
- match crate::db::db_new_user("imbus".to_string(), "kartellen1234".to_string(), &pool).await
- {
- Some(u) => info!("Created default user {}", u.username),
- None => error!("Failed to create default user..."),
- }
- match crate::db::db_new_user("hollgy".to_string(), "yomomonpizza".to_string(), &pool).await
- {
- Some(u) => info!("Created default user {}", u.username),
- None => error!("Failed to create default user..."),
- }
- match crate::db::db_new_user("demouser".to_string(), "demopw".to_string(), &pool).await {
- Some(u) => info!("Created default user {}", u.username),
- None => error!("Failed to create default user..."),
- }
-
- // We want dummy posts
- lipsum_setup(&pool).await.unwrap();
-
 #[cfg(debug_assertions)]
 debug_setup(&pool).await.unwrap();
 
+ // We want dummy posts
+ #[cfg(debug_assertions)]
+ lipsum_setup(&pool).await.unwrap();
+
 Self { pool }
 }
 }
@@ -80,6 +65,7 @@ async fn debug_setup(pool: &PgPool) -> Result<(), sqlx::Error> {
 }
 
 /// Inserts a bunch of dummy posts into the database
+#[allow(dead_code)]
 async fn lipsum_setup(pool: &PgPool) -> Result<(), sqlx::Error> {
 use lipsum::lipsum;
 use rand::prelude::*;
@@ -118,6 +104,8 @@ async fn lipsum_setup(pool: &PgPool) -> Result<(), sqlx::Error> {
 .await?;
 }
 }
+ } else {
+ error!("No users in the database, skipping lipsum setup");
 }
 
 Ok(())
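Review bot: Removing the three `db_new_user` calls takes the hard-coded credentials out of the source, but not out of any database this code has already run against, nor out of git history; the accounts `imbus`, `hollgy` and `demouser` should be deleted or have their passwords rotated by a migration, and the committed passwords treated as disclosed. With that seeding gone, `lipsum_setup` in debug builds will find no users unless `debug_setup` creates some, which cannot be confirmed from this hunk. Both setup calls still `.unwrap()`, so any seeding failure aborts startup in debug builds; `expect("debug seeding failed")` would at least say why. The enclosing `new` starts outside the hunk.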
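Review bot: `#[allow(dead_code)]` on `lipsum_setup` silences the warning but keeps the function, its `lipsum` usage and the `rand::prelude` import compiled into release builds, where the only call site is now behind `#[cfg(debug_assertions)]`; putting `#[cfg(debug_assertions)]` on the definition matches the call site and drops it from release entirely. If the allow is kept on purpose, a one-line reason next to it (`// only called from debug builds`) tells the next reader it is intentional rather than a leftover.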
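Review bot: `error!` is a strong level for the new else branch, since the function still returns `Ok(())` and, with default-user seeding removed in this same commit, an empty users table may be the normal state of a fresh debug database; `warn!` or `info!` fits an expected skip better. If startup is instead meant to treat it as a failure, returning an `Err` would be consistent with the `?` used on the query just above. `lipsum_setup` starts outside the hunk.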