From 5ad6a1986d16646ececbd6bef92bab84c5f656ca Mon Sep 17 00:00:00 2001 From: Deep Date: Sun, 21 Sep 2025 16:01:16 +0530 Subject: [PATCH] Cleanup --- src/auth.rs | 18 +++++++----------- src/handlers/accounts.rs | 20 +++++++++++++------- src/handlers/identity.rs | 5 ----- src/handlers/sync.rs | 4 ---- src/lib.rs | 3 +-- src/models/cipher.rs | 1 - 6 files changed, 21 insertions(+), 30 deletions(-) diff --git a/src/auth.rs b/src/auth.rs index cc09657..77458ab 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -1,6 +1,6 @@ use axum::{ - extract::{FromRequestParts, State}, - http::{header, request::Parts, StatusCode}, + extract::FromRequestParts, + http::{header, request::Parts}, }; use jsonwebtoken::{decode, DecodingKey, Validation}; use serde::{Deserialize, Serialize}; @@ -9,10 +9,6 @@ use worker::Env; use crate::error::AppError; -// Secret key for signing JWTs. In a real application, this should be a strong, -// securely stored secret from the Worker's environment variables. -const JWT_SECRET: &str = "a-very-secure-secret-key-that-should-be-in-env"; - #[derive(Debug, Serialize, Deserialize)] pub struct Claims { pub sub: String, // User ID @@ -26,13 +22,11 @@ pub struct Claims { pub amr: Vec, } -impl FromRequestParts for Claims -where - S: Send + Sync, +impl FromRequestParts> for Claims { type Rejection = AppError; - async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result { + async fn from_request_parts(parts: &mut Parts, state: &Arc) -> Result { // Extract the token from the authorization header let token = parts .headers @@ -47,8 +41,10 @@ where }) .ok_or_else(|| AppError::Unauthorized("Missing or invalid token".to_string()))?; + let secret = state.secret("JWT_SECRET")?; + // Decode and validate the token - let decoding_key = DecodingKey::from_secret(JWT_SECRET.as_ref()); + let decoding_key = DecodingKey::from_secret(secret.to_string().as_ref()); let token_data = decode::(&token, &decoding_key, &Validation::default()) .map_err(|_| AppError::Unauthorized("Invalid token".to_string()))?; diff --git a/src/handlers/accounts.rs b/src/handlers/accounts.rs index 09c5e77..a4f3b6a 100644 --- a/src/handlers/accounts.rs +++ b/src/handlers/accounts.rs @@ -21,7 +21,6 @@ pub async fn prelogin( .ok_or_else(|| AppError::BadRequest("Missing email".to_string()))?; let db = db::get_db(&env)?; - log::info!("Getting kdf for user {email:?}"); let stmt = db.prepare("SELECT kdf_iterations FROM users WHERE email = ?1"); let query = stmt.bind(&[email.into()])?; let kdf_iterations: Option = query @@ -29,7 +28,6 @@ pub async fn prelogin( .await .map_err(|_| AppError::Database)?; - log::info!("Returning {kdf_iterations:?}"); Ok(Json(PreloginResponse { kdf: 0, // PBKDF2 kdf_iterations: kdf_iterations.unwrap_or(600_000), @@ -41,9 +39,20 @@ pub async fn register( State(env): State>, Json(payload): Json, ) -> Result, AppError> { - log::info!("Get db"); + let allowed_emails = env + .secret("ALLOWED_EMAILS") + .map_err(|_| AppError::Internal)?; + let allowed_emails = allowed_emails + .as_ref() + .as_string() + .ok_or_else(|| AppError::Internal)?; + if allowed_emails + .split(",") + .all(|email| email.trim() != payload.email) + { + return Err(AppError::Unauthorized("Not allowed to signup".to_string())); + } let db = db::get_db(&env)?; - log::info!("db got"); let now = Utc::now().to_rfc3339(); let user = User { id: Uuid::new_v4().to_string(), @@ -62,7 +71,6 @@ pub async fn register( updated_at: now, }; - log::info!("User {user:?}"); let query = query!( &db, "INSERT INTO users (id, name, email, master_password_hash, key, private_key, public_key, kdf_iterations, security_stamp, created_at, updated_at) @@ -79,13 +87,11 @@ pub async fn register( user.created_at, user.updated_at ).map_err(|error|{ - log::error!("failed {error:?}"); AppError::Database })? .run() .await .map_err(|error|{ - log::error!("failed {error:?}"); AppError::Database })?; diff --git a/src/handlers/identity.rs b/src/handlers/identity.rs index 7ac30da..d914fd1 100644 --- a/src/handlers/identity.rs +++ b/src/handlers/identity.rs @@ -54,7 +54,6 @@ pub async fn token( State(env): State>, Form(payload): Form, ) -> Result, AppError> { - log::info!("Token payload {payload:?}"); if payload.grant_type != "password" { return Err(AppError::BadRequest("Unsupported grant_type".to_string())); } @@ -64,7 +63,6 @@ pub async fn token( let db = db::get_db(&env)?; - log::info!("Lookup user"); let user: Value = db .prepare("SELECT * FROM users WHERE email = ?1") .bind(&[payload.username.to_lowercase().into()])? @@ -72,17 +70,14 @@ pub async fn token( .await .map_err(|_| AppError::Unauthorized("Invalid credentials".to_string()))? .ok_or_else(|| AppError::Unauthorized("Invalid credentials".to_string()))?; - log::info!("User is {user:?}"); let user: User = serde_json::from_value(user).map_err(|_| AppError::Internal)?; // Securely compare the provided hash with the stored hash if !constant_time_eq( user.master_password_hash.as_bytes(), password_hash.as_bytes(), ) { - log::info!("Password is incorrect"); return Err(AppError::Unauthorized("Invalid credentials".to_string())); } - log::info!("Password matched"); // Create JWT claims let now = Utc::now(); diff --git a/src/handlers/sync.rs b/src/handlers/sync.rs index e395aa4..98e2c3c 100644 --- a/src/handlers/sync.rs +++ b/src/handlers/sync.rs @@ -23,7 +23,6 @@ pub async fn get_sync_data( let user_id = claims.sub; let db = db::get_db(&env)?; - log::info!("Fetch user"); // Fetch profile let user: User = db .prepare("SELECT * FROM users WHERE id = ?1") @@ -32,7 +31,6 @@ pub async fn get_sync_data( .await? .ok_or_else(|| AppError::NotFound("User not found".to_string()))?; - log::info!("Fetch folders"); // Fetch folders let folders: Vec = db .prepare("SELECT * FROM folders WHERE user_id = ?1") @@ -41,7 +39,6 @@ pub async fn get_sync_data( .await? .results()?; - log::info!("Fetch ciphers"); // Fetch ciphers let ciphers: Vec = db .prepare("SELECT * FROM ciphers WHERE user_id = ?1") @@ -64,7 +61,6 @@ pub async fn get_sync_data( .map(|cipher| cipher.into()) .collect::>(); - log::info!("Fetch time"); let time = chrono::DateTime::parse_from_rfc3339(&user.created_at) .map_err(|_| AppError::Internal)? .to_rfc3339_opts(chrono::SecondsFormat::Micros, true); diff --git a/src/lib.rs b/src/lib.rs index f0ff213..3b6cbda 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,4 +1,3 @@ -use axum::Router; use tower_http::cors::{Any, CorsLayer}; use tower_service::Service; use worker::*; @@ -19,7 +18,7 @@ pub async fn main( ) -> Result> { // Set up logging console_error_panic_hook::set_once(); - console_log::init_with_level(log::Level::Debug); + let _ = console_log::init_with_level(log::Level::Debug); // Allow all origins for CORS, which is typical for a public API like Bitwarden's. let cors = CorsLayer::new() diff --git a/src/models/cipher.rs b/src/models/cipher.rs index c9efc49..200ab60 100644 --- a/src/models/cipher.rs +++ b/src/models/cipher.rs @@ -170,7 +170,6 @@ impl Serialize for Cipher { response_map.insert("creationDate".to_string(), json!(self.created_at)); response_map.insert("deletedDate".to_string(), json!(self.deleted_at)); - log::debug!("Response data is {:?}", self.data); if let Some(data_obj) = self.data.as_object() { let data_clone = data_obj.clone();