Beefing up security and cleaning up state

2024-03-24 23:45:22 +01:00 · 2024-03-24 23:45:22 +01:00 · 81303d31cd
commit 81303d31cd
parent 630f19f82c
2 changed files with 18 additions and 27 deletions
--- a/server/src/main.rs
+++ b/server/src/main.rs
@ -5,6 +5,7 @@ use actix_web::middleware;
 use actix_web::web::Data;
 use actix_web::{web::scope, App, HttpServer};
 use log::info;
+use rand::Rng;

 mod db;
 mod jwt;
@ -32,21 +33,23 @@ async fn main() -> std::io::Result<()> {

    let data = ServerState::new().await;
    let capt_db = CaptchaState::new();
-    let auth = Authentication::new("secret".as_bytes());

-    #[cfg(debug_assertions)]
-    {
-        for _ in 0..10 {
-            let s = hex_string(10);
-            info!("Adding captcha key: {}", &s);
-            capt_db.capthca_db.lock().unwrap().insert(s);
-        }
+    // 32 random bytes for the auth key should be enough
+    let mut rng = rand::thread_rng();
+    let random_bytes = (0..32).map(|_| rng.gen::<u8>()).collect::<Vec<u8>>();
+    let auth = Authentication::new(&random_bytes);
+
+    for _ in 0..10 {
+        let s = hex_string(10);
+        info!("Adding captcha key: {}", &s);
+        capt_db.capthca_db.lock().unwrap().insert(s);
    }

    info!("Spinning up server on http://localhost:8080");
    HttpServer::new(move || {
        let cors = Cors::default()
            .allowed_origin("https://shitpost.se")
+            .allowed_origin("http://localhost:8080")
            .allowed_methods(vec!["GET", "POST"])
            .max_age(3600);

--- a/server/src/state.rs
+++ b/server/src/state.rs
@ -9,7 +9,6 @@ use sqlx::PgPool;

 #[derive(Clone)]
 pub struct CaptchaState {
-    // pub capthca_db: Arc<Mutex<BTreeMap<i32, String>>>,
    pub capthca_db: Arc<Mutex<BTreeSet<String>>>,
 }

@ -45,27 +44,13 @@ impl ServerState {

        sqlx::migrate!("./migrations").run(&pool).await.unwrap();

-        match crate::db::db_new_user("imbus".to_string(), "kartellen1234".to_string(), &pool).await
-        {
-            Some(u) => info!("Created default user {}", u.username),
-            None => error!("Failed to create default user..."),
-        }
-        match crate::db::db_new_user("hollgy".to_string(), "yomomonpizza".to_string(), &pool).await
-        {
-            Some(u) => info!("Created default user {}", u.username),
-            None => error!("Failed to create default user..."),
-        }
-        match crate::db::db_new_user("demouser".to_string(), "demopw".to_string(), &pool).await {
-            Some(u) => info!("Created default user {}", u.username),
-            None => error!("Failed to create default user..."),
-        }
-
-        // We want dummy posts
-        lipsum_setup(&pool).await.unwrap();
-
        #[cfg(debug_assertions)]
        debug_setup(&pool).await.unwrap();

+        // We want dummy posts
+        #[cfg(debug_assertions)]
+        lipsum_setup(&pool).await.unwrap();
+
        Self { pool }
    }
 }
@ -80,6 +65,7 @@ async fn debug_setup(pool: &PgPool) -> Result<(), sqlx::Error> {
 }

 /// Inserts a bunch of dummy posts into the database
+#[allow(dead_code)]
 async fn lipsum_setup(pool: &PgPool) -> Result<(), sqlx::Error> {
    use lipsum::lipsum;
    use rand::prelude::*;
@ -118,6 +104,8 @@ async fn lipsum_setup(pool: &PgPool) -> Result<(), sqlx::Error> {
                .await?;
            }
        }
+    } else {
+        error!("No users in the database, skipping lipsum setup");
    }

    Ok(())