No longer use randomly generated key to encrypt session cookie

src/app_config.rs

@@ -18,6 +18,10 @@ pub struct AppConfig {
     #[clap(short, long, env)]
     pub proxy_ip: Option<String>,
 
+    /// Secret key, used to sign some resources. Must be randomly generated
+    #[clap(short = 'S', long, env, default_value = "")]
+    secret: String,
+
     /// Matrix API origin
     #[clap(short, long, env, default_value = "http://127.0.0.1:8448")]
     pub matrix_homeserver: String,
@@ -99,6 +103,21 @@ impl AppConfig {
         &ARGS
     }
 
+    /// Get app secret
+    pub fn secret(&self) -> &str {
+        let mut secret = self.secret.as_str();
+
+        if cfg!(debug_assertions) && secret.is_empty() {
+            secret = "DEBUGKEYDEBUGKEYDEBUGKEYDEBUGKEYDEBUGKEYDEBUGKEYDEBUGKEYDEBUGKEY";
+        }
+
+        if secret.is_empty() {
+            panic!("SECRET is undefined or too short (min 64 chars)!")
+        }
+
+        secret
+    }
+
     /// Get Redis connection configuration
     pub fn redis_connection_string(&self) -> String {
         format!(

src/extractors/client_auth.rs

@@ -1,7 +1,9 @@
+use crate::constants::USER_SESSION_KEY;
 use crate::server::HttpFailure;
-use crate::user::{APIClient, APIClientID, RumaClient, UserConfig, UserID};
+use crate::user::{APIClient, APIClientID, RumaClient, User, UserConfig, UserID};
 use crate::utils::curr_time;
 use actix_remote_ip::RemoteIP;
+use actix_session::Session;
 use actix_web::dev::Payload;
 use actix_web::{FromRequest, HttpRequest};
 use bytes::Bytes;
@@ -14,7 +16,7 @@ use std::str::FromStr;
 
 pub struct APIClientAuth {
     pub user: UserConfig,
-    pub client: APIClient,
+    pub client: Option<APIClient>,
     pub payload: Option<Vec<u8>>,
 }
 
@@ -33,6 +35,24 @@ impl APIClientAuth {
         remote_ip: IpAddr,
         payload_bytes: Option<Bytes>,
     ) -> Result<Self, actix_web::Error> {
+        // Check if user is authenticated using Web UI
+        let session = Session::from_request(req, &mut Payload::None).await?;
+
+        if let Some(user) = session.get::<User>(USER_SESSION_KEY)? {
+            match UserConfig::load(&user.id, false).await {
+                Ok(config) => {
+                    return Ok(Self {
+                        user: config,
+                        client: None,
+                        payload: payload_bytes.map(|bytes| bytes.to_vec()),
+                    })
+                }
+                Err(e) => {
+                    log::error!("Failed to fetch user information for authentication using cookie token! {e}");
+                }
+            };
+        }
+
         let Some(token) = req.headers().get("x-client-auth") else {
             return Err(actix_web::error::ErrorBadRequest(
                 "Missing authentication header!",
@@ -95,8 +115,11 @@ impl APIClientAuth {
 
         // Decode JWT
         let key = HS256Key::from_bytes(client.secret.as_bytes());
-        let mut verif = VerificationOptions::default();
-        verif.max_validity = Some(Duration::from_mins(20));
+        let verif = VerificationOptions {
+            max_validity: Some(Duration::from_mins(15)),
+            ..Default::default()
+        };
+
         let claims = match key.verify_token::<TokenClaims>(jwt_token, Some(verif)) {
             Ok(t) => t,
             Err(e) => {
@@ -175,7 +198,7 @@ impl APIClientAuth {
         }
 
         Ok(Self {
-            client: client.clone(),
+            client: Some(client.clone()),
             payload,
             user,
         })

src/main.rs

@@ -15,8 +15,7 @@ async fn main() -> std::io::Result<()> {
         .await
         .expect("Failed to create bucket!");
 
-    // FIXME : not scalable
-    let secret_key = Key::generate();
+    let secret_key = Key::from(AppConfig::get().secret().as_bytes());
 
     let redis_store = RedisSessionStore::new(AppConfig::get().redis_connection_string())
         .await