diff --git a/server/src/auth.rs b/server/src/auth.rs
index f64392f..35ce024 100644
--- a/server/src/auth.rs
+++ b/server/src/auth.rs
@@ -17,6 +17,8 @@ impl From for MasterPassword {
 }
 }
+const AUTH_QUERY_KEY: &str = "pw";
+
 const AUTH_COOKIE_KEY: &str = "authorized";
 const AUTH_COOKIE_VAL: &str = "true";
@@ -31,12 +33,40 @@ impl<'a> FromRequest<'a> for Authorized {
 type Error = Unauthorized;
 async fn from_request(request: &'a Request<'_>) -> Outcome {
+ // Check if user has been authorized by cookie
 let cookies = request.cookies();
- match cookies.get_private(AUTH_COOKIE_KEY) {
- Some(cookie) if cookie.value() == AUTH_COOKIE_VAL => Outcome::Success(Authorized),
- _ => Outcome::Failure((Status::Unauthorized, Unauthorized)),
+ Some(cookie) if cookie.value() == AUTH_COOKIE_VAL => {
+ return Outcome::Success(Authorized)
+ }
+ _ => {}
 }
+
+ request
+ .guard::<&State>()
+ .await
+ .map_failure(|_| (Status::Unauthorized, Unauthorized))
+ .and_then(|master_pass| {
+ // Check if query string contains password
+ request
+ .uri()
+ .query()
+ .iter()
+ .inspect(|q| eprintln!("1 {q:?}"))
+ .flat_map(|q| q.split('&'))
+ .flat_map(|q| q.percent_decode())
+ .inspect(|q| eprintln!("2 {q:?}"))
+ .flat_map(|kv| {
+ kv.split_once('=')
+ .map(|(k, v)| (k.to_owned(), v.to_owned()))
+ })
+ .inspect(|q| eprintln!("3 {q:?}"))
+ .filter(|(k, _)| k == AUTH_QUERY_KEY)
+ .filter(|(_, v)| v == &master_pass.0)
+ .map(|_| Outcome::Success(Authorized))
+ .next()
+ .unwrap_or(Outcome::Failure((Status::Unauthorized, Unauthorized)))
+ })
 }
 }
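Review bot: The three `.inspect(|q| eprintln!(...))` calls in the new `and_then` closure print the raw query string, the percent-decoded pairs and the parsed key/value to stderr, so whenever the master password is supplied via `pw=` it is written into the process's error output (and any log sink attached to it) on every request; these debug lines should be dropped before merging. Accepting the password in the query string also means it ends up in access logs, browser history and `Referer` headers, so consider taking it from a header or POST body instead, or at least document that limitation next to `AUTH_QUERY_KEY`. `v == &master_pass.0` is an ordinary string comparison whose running time depends on how much of the prefix matches; a constant-time comparison would be preferable here if a suitable helper is already available in the project. The `match cookies.get_private(AUTH_COOKIE_KEY) {` line appears only as removed in this hunk with no replacement on the new side, which is likely a rendering artifact of the collapsed diff, but it is worth confirming that the new `Some(cookie) ... => { return ... }` arm still sits inside a `match`.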