add security

2020-01-05 19:12:55 -08:00 · 2020-01-05 19:12:55 -08:00 · dc2cd0de49
parent 1542daa71e
commit dc2cd0de49
5 changed files with 40 additions and 59 deletions
--- a/2
+++ b/2
@ -1,5 +1,5 @@
 build:
-	PORT=8080 cargo run
+	PORT=8080 ORIGIN=http://localhost:3000 cargo run
 rusty:
 	curl -S -v --header "Content-Type: application/json" POST --data '{"event":"user", "data":{"user":"Rusty"}}'  http://localhost:8080/insert
 client:
--- a/README.md
+++ b/README.md
@ -60,11 +60,11 @@ use broker::{broker_run};

 #[actix_rt::main]
 async fn main() -> std::result::Result<(), std::io::Error> {
-    broker_run("*".to_owned()).await
+    broker_run("http://localhost:3000".to_owned()).await
 }
 ```

- the only param is the origin you want to allow - wildcard for all
+- the only param is the origin you want to allow - wildcard is not supported
 - the PORT needs to passed in as an environment variable
 - the file database saves to ``` ./tmp ``` of the project root

--- a/example/src/App.js
+++ b/example/src/App.js
@ -67,7 +67,7 @@ function App() {
       <CardContent>
        <Typography className={classes.title} color="textSecondary" gutterBottom component={'span'} variant={'body2'}>
          What is your name?&nbsp;
-            <SSEProvider endpoint={sseEndpoint} options={{withCredentials: false}}>
+            <SSEProvider endpoint={sseEndpoint} options={{withCredentials: true}}>
              <Comments />
            </SSEProvider>
          </Typography>
--- a/src/lib.rs
+++ b/src/lib.rs
@ -11,8 +11,9 @@ use serde_json::json;
 use bcrypt::{DEFAULT_COST, hash, verify};

 #[derive(Deserialize, Debug)]
-struct Config {
-  port: String
+pub struct Config {
+  port: String,
+  pub origin: String
 }

 struct MyData {
@ -95,7 +96,10 @@ async fn new_client(data: web::Data<MyData>, broad: web::Data<Mutex<Broadcaster>

    // create sse endpoint
    HttpResponse::Ok()
-        .header("content-type", "text/event-stream")
+        .header("Set-Cookie", "SameSite=Strict")
+        .header("Keep-Alive", "true")
+        .header("Access-Control-Allow-Credentials", "true")
+        .header("Content-Type", "text/event-stream")
        .no_chunking()
        .streaming(rx)
 }
@ -214,54 +218,27 @@ pub async fn broker_run(origin: String) -> std::result::Result<(), std::io::Erro
    });
    x.thread();

-    // create actix web server with CORS, data, and routes - handle wildcard origins
-    if origin == "*" {
-        HttpServer::new(move || {
-            App::new()
-                .wrap(middleware::Logger::default())
-                .wrap(
-                    Cors::new()
-                        .send_wildcard()
-                        .allowed_methods(vec!["GET", "POST"])
-                        .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT, header::CONTENT_TYPE])
-                        .max_age(3600)
-                        .finish()
-                )
-                .app_data(events.clone())
-                .app_data(web::JsonConfig::default())
-                .data(MyData{ db: tree.clone() })
-                .route("/insert", web::post().to(insert))
-                .route("/events", web::get().to(new_client))
-                .route("/collection/{record}", web::get().to(collection))
-                .route("/cancel/{record}", web::get().to(cancel))
-                .route("/users/", web::post().to(user_create))
-        })
-        .bind(ip).unwrap()
-        .run()
-        .await
-    } else {
-        HttpServer::new(move || {
-            App::new()
-                .wrap(middleware::Logger::default())
-                .wrap(
-                    Cors::new()
-                        .allowed_origin(&origin)
-                        .allowed_methods(vec!["GET", "POST"])
-                        .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT, header::CONTENT_TYPE])
-                        .max_age(3600)
-                        .finish()
-                )
-                .app_data(events.clone())
-                .app_data(web::JsonConfig::default())
-                .data(MyData{ db: tree.clone() })
-                .route("/insert", web::post().to(insert))
-                .route("/events", web::get().to(new_client))
-                .route("/collection/{record}", web::get().to(collection))
-                .route("/cancel/{record}", web::get().to(cancel))
-                .route("/users/", web::post().to(user_create))
-        })
-        .bind(ip).unwrap()
-        .run()
-        .await
-    }
+    HttpServer::new(move || {
+        App::new()
+            .wrap(middleware::Logger::default())
+            .wrap(
+                Cors::new()
+                    .allowed_origin(&origin)
+                    .allowed_methods(vec!["GET", "POST"])
+                    .allowed_headers(vec![header::AUTHORIZATION, header::ACCEPT, header::CONTENT_TYPE])
+                    .max_age(3600)
+                    .finish()
+            )
+            .app_data(events.clone())
+            .app_data(web::JsonConfig::default())
+            .data(MyData{ db: tree.clone() })
+            .route("/insert", web::post().to(insert))
+            .route("/events", web::get().to(new_client))
+            .route("/collection/{record}", web::get().to(collection))
+            .route("/cancel/{record}", web::get().to(cancel))
+            .route("/users/", web::post().to(user_create))
+    })
+    .bind(ip).unwrap()
+    .run()
+    .await
 }
--- a/src/main.rs
+++ b/src/main.rs
@ -1,7 +1,11 @@
 mod lib;
-use lib::{broker_run};
+use lib::{broker_run, Config};

 #[actix_rt::main]
 async fn main() -> () {
-    let _ = broker_run("*".to_owned()).await;
+    // get origin env var
+    let config = envy::from_env::<Config>().unwrap();
+    let origin = config.origin;
+      
+    let _ = broker_run(origin).await;
 }