···
extract::{FromRef, Query, State},
-
header::{CONTENT_TYPE, HeaderMap, REFERER},
response::{IntoResponse, Json, Redirect, Response},
···
const DID_COOKIE_KEY: &str = "did";
type AppEngine = Engine<Handlebars<'static>>;
-
type Rendered = RenderHtml<&'static str, AppEngine, Value>;
···
-
async fn hello(State(AppState { engine, .. }): State<AppState>) -> Rendered {
-
RenderHtml("hello", engine, json!({}))
async fn css() -> impl IntoResponse {
···
async fn favicon() -> impl IntoResponse {
([(CONTENT_TYPE, "image/x-icon")], FAVICON)
···
if parent_origin == "null" {
return err("Referer origin is opaque", true);
if let Some(did) = jar.get(DID_COOKIE_KEY) {
let Ok(did) = Did::new(did.value_trimmed().to_string()) else {
return err("Bad cookie", false);
let fetch_key = resolve_handles.dispatch(
let oauth = oauth.clone();
···
-
"fetch_key": fetch_key,
-
"parent_host": parent_host,
-
"parent_origin": parent_origin,
-
"parent_host": parent_host,
-
"parent_origin": parent_origin,
···
-
let cookie = Cookie::build((DID_COOKIE_KEY, did.to_string()))
-
.same_site(SameSite::None)
-
.max_age(std::time::Duration::from_secs(86_400).try_into().unwrap());
-
let jar = jar.add(cookie);
let fetch_key = resolve_handles.dispatch(
···
extract::{FromRef, Query, State},
+
header::{CONTENT_SECURITY_POLICY, CONTENT_TYPE, HeaderMap, REFERER, X_FRAME_OPTIONS},
response::{IntoResponse, Json, Redirect, Response},
···
const DID_COOKIE_KEY: &str = "did";
+
const COOKIE_EXPIRATION: Duration = Duration::from_secs(30 * 86_400);
type AppEngine = Engine<Handlebars<'static>>;
···
+
State(AppState { engine, .. }): State<AppState>,
+
mut jar: SignedCookieJar,
+
// push expiry (or clean up) the current cookie
+
if let Some(did) = jar.get(DID_COOKIE_KEY) {
+
if let Ok(did) = Did::new(did.value_trimmed().to_string()) {
+
jar = jar.add(cookie(&did));
+
jar = jar.remove(DID_COOKIE_KEY);
+
(X_FRAME_OPTIONS, "deny"),
+
(CONTENT_SECURITY_POLICY, "frame-ancestors 'none'"),
+
(frame_headers, jar, RenderHtml("hello", engine, json!({}))).into_response()
async fn css() -> impl IntoResponse {
···
async fn favicon() -> impl IntoResponse {
([(CONTENT_TYPE, "image/x-icon")], FAVICON)
+
fn cookie(did: &Did) -> Cookie<'static> {
+
Cookie::build((DID_COOKIE_KEY, did.to_string()))
+
.same_site(SameSite::None)
+
.max_age(COOKIE_EXPIRATION.try_into().unwrap())
···
if parent_origin == "null" {
return err("Referer origin is opaque", true);
+
(X_FRAME_OPTIONS, format!("allow-from {parent_origin}")),
+
CONTENT_SECURITY_POLICY,
+
format!("frame-ancestors {parent_host}"),
if let Some(did) = jar.get(DID_COOKIE_KEY) {
let Ok(did) = Did::new(did.value_trimmed().to_string()) else {
return err("Bad cookie", false);
+
let jar = jar.add(cookie(&did));
let fetch_key = resolve_handles.dispatch(
let oauth = oauth.clone();
···
+
"fetch_key": fetch_key,
+
"parent_host": parent_host,
+
"parent_origin": parent_origin,
+
(frame_headers, jar, RenderHtml("prompt", engine, info)).into_response()
+
"parent_host": parent_host,
+
"parent_origin": parent_origin,
+
(frame_headers, RenderHtml("prompt", engine, info)).into_response()
···
+
let jar = jar.add(cookie(&did));
let fetch_key = resolve_handles.dispatch(
nekomimi.pet
bad-example.com