···
extract::{FromRef, Query, State},
7
-
header::{CONTENT_TYPE, HeaderMap, REFERER},
7
+
header::{CONTENT_SECURITY_POLICY, CONTENT_TYPE, HeaderMap, REFERER, X_FRAME_OPTIONS},
response::{IntoResponse, Json, Redirect, Response},
···
const DID_COOKIE_KEY: &str = "did";
32
+
const COOKIE_EXPIRATION: Duration = Duration::from_secs(30 * 86_400);
type AppEngine = Engine<Handlebars<'static>>;
33
-
type Rendered = RenderHtml<&'static str, AppEngine, Value>;
···
99
-
async fn hello(State(AppState { engine, .. }): State<AppState>) -> Rendered {
100
-
RenderHtml("hello", engine, json!({}))
101
+
State(AppState { engine, .. }): State<AppState>,
102
+
mut jar: SignedCookieJar,
104
+
// push expiry (or clean up) the current cookie
105
+
if let Some(did) = jar.get(DID_COOKIE_KEY) {
106
+
if let Ok(did) = Did::new(did.value_trimmed().to_string()) {
107
+
jar = jar.add(cookie(&did));
109
+
jar = jar.remove(DID_COOKIE_KEY);
112
+
let frame_headers = [
113
+
(X_FRAME_OPTIONS, "deny"),
114
+
(CONTENT_SECURITY_POLICY, "frame-ancestors 'none'"),
116
+
(frame_headers, jar, RenderHtml("hello", engine, json!({}))).into_response()
async fn css() -> impl IntoResponse {
···
async fn favicon() -> impl IntoResponse {
([(CONTENT_TYPE, "image/x-icon")], FAVICON)
131
+
fn cookie(did: &Did) -> Cookie<'static> {
132
+
Cookie::build((DID_COOKIE_KEY, did.to_string()))
135
+
.same_site(SameSite::None)
136
+
.max_age(COOKIE_EXPIRATION.try_into().unwrap())
···
if parent_origin == "null" {
return err("Referer origin is opaque", true);
178
+
let frame_headers = [
179
+
(X_FRAME_OPTIONS, format!("allow-from {parent_origin}")),
181
+
CONTENT_SECURITY_POLICY,
182
+
format!("frame-ancestors {parent_host}"),
if let Some(did) = jar.get(DID_COOKIE_KEY) {
let Ok(did) = Did::new(did.value_trimmed().to_string()) else {
return err("Bad cookie", false);
191
+
// push cookie expiry
192
+
let jar = jar.add(cookie(&did));
let fetch_key = resolve_handles.dispatch(
let oauth = oauth.clone();
···
171
-
"fetch_key": fetch_key,
172
-
"parent_host": parent_host,
173
-
"parent_origin": parent_origin,
205
+
"fetch_key": fetch_key,
206
+
"parent_host": parent_host,
207
+
"parent_origin": parent_origin,
210
+
(frame_headers, jar, RenderHtml("prompt", engine, info)).into_response()
182
-
"parent_host": parent_host,
183
-
"parent_origin": parent_origin,
213
+
"parent_host": parent_host,
214
+
"parent_origin": parent_origin,
216
+
(frame_headers, RenderHtml("prompt", engine, info)).into_response()
···
319
-
let cookie = Cookie::build((DID_COOKIE_KEY, did.to_string()))
322
-
.same_site(SameSite::None)
323
-
.max_age(std::time::Duration::from_secs(86_400).try_into().unwrap());
325
-
let jar = jar.add(cookie);
349
+
let jar = jar.add(cookie(&did));
let fetch_key = resolve_handles.dispatch(
nekomimi.pet
bad-example.com