From 9633a4b527d4f9c73a81e3868e4d2876a3972e8f Mon Sep 17 00:00:00 2001 From: Max Brunsfeld Date: Fri, 17 Mar 2023 13:56:12 -0700 Subject: [PATCH] Return a 400, not a 500 when token validation fails Co-authored-by: Antonio Scandurra --- crates/collab/src/auth.rs | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/crates/collab/src/auth.rs b/crates/collab/src/auth.rs index 796bf1c40f..3156212cdf 100644 --- a/crates/collab/src/auth.rs +++ b/crates/collab/src/auth.rs @@ -1,5 +1,5 @@ use crate::{ - db::{self, AccessTokenId, UserId}, + db::{self, AccessTokenId, Database, UserId}, AppState, Error, Result, }; use anyhow::{anyhow, Context}; @@ -47,14 +47,9 @@ pub async fn validate_header(mut req: Request, next: Next) -> impl Into let credentials_valid = if let Some(admin_token) = access_token.strip_prefix("ADMIN_TOKEN:") { state.config.api_token == admin_token } else { - let access_token: AccessTokenJson = serde_json::from_str(&access_token)?; - - let token = state.db.get_access_token(access_token.id).await?; - if token.user_id != user_id { - return Err(anyhow!("no such access token"))?; - } - - verify_access_token(&access_token.token, &token.hash)? + verify_access_token(&access_token, user_id, &state.db) + .await + .unwrap_or(false) }; if credentials_valid { @@ -125,7 +120,16 @@ pub fn encrypt_access_token(access_token: &str, public_key: String) -> Result Result { - let hash = PasswordHash::new(hash).map_err(anyhow::Error::new)?; - Ok(Scrypt.verify_password(token.as_bytes(), &hash).is_ok()) +pub async fn verify_access_token(token: &str, user_id: UserId, db: &Arc) -> Result { + let token: AccessTokenJson = serde_json::from_str(&token)?; + + let db_token = db.get_access_token(token.id).await?; + if db_token.user_id != user_id { + return Err(anyhow!("no such access token"))?; + } + + let db_hash = PasswordHash::new(&db_token.hash).map_err(anyhow::Error::new)?; + Ok(Scrypt + .verify_password(token.token.as_bytes(), &db_hash) + .is_ok()) }