From 79437deb17592c0c690d594afe3ef1cf4dc87adb Mon Sep 17 00:00:00 2001
From: Anna <git@anna.lgbt>
Date: Fri, 20 Aug 2021 02:59:11 -0400
Subject: [PATCH] fix: set cookies better

---
 Cargo.lock                        | 160 +++++++++++++++++++++++++++++-
 Cargo.toml                        |   1 +
 src/app/web/route/access_token.rs |   8 +-
 3 files changed, 166 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 3d836ac..a14c3cd 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -120,6 +120,12 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a"
 
+[[package]]
+name = "base-x"
+version = "0.2.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4521f3e3d031370679b3b140beb36dfe4801b09ac77e30c61941f97df3ef28b"
+
 [[package]]
 name = "base64"
 version = "0.13.0"
@@ -213,7 +219,7 @@ dependencies = [
  "num-integer",
  "num-traits",
  "serde",
- "time",
+ "time 0.1.43",
  "winapi",
 ]
 
@@ -226,6 +232,7 @@ dependencies = [
  "askama_warp",
  "cached",
  "chrono",
+ "cookie",
  "futures",
  "irc",
  "parking_lot",
@@ -242,6 +249,23 @@ dependencies = [
  "warp",
 ]
 
+[[package]]
+name = "const_fn"
+version = "0.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f92cfa0fd5690b3cf8c1ef2cabbd9b7ef22fa53cf5e1f92b05103f6d5d1cf6e7"
+
+[[package]]
+name = "cookie"
+version = "0.15.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5f1c7727e460397e56abc4bddc1d49e07a1ad78fc98eb2e1c8f032a58a2f80d"
+dependencies = [
+ "percent-encoding",
+ "time 0.2.27",
+ "version_check",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.9.1"
@@ -311,6 +335,12 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "discard"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "212d0f5754cb6769937f4501cc0e67f4f4483c8d2c3e1e922ee9edbe4ab4c7c0"
+
 [[package]]
 name = "displaydoc"
 version = "0.2.3"
@@ -602,7 +632,7 @@ dependencies = [
  "http",
  "mime",
  "sha-1",
- "time",
+ "time 0.1.43",
 ]
 
 [[package]]
@@ -1318,6 +1348,15 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "rustc_version"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "138e3e0acb6c9fb258b19b67cb8abd63c00679d2851805ea151465464fe9030a"
+dependencies = [
+ "semver",
+]
+
 [[package]]
 name = "rustls"
 version = "0.19.1"
@@ -1416,6 +1455,21 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "semver"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d7eb9ef2c18661902cc47e535f9bc51b78acd254da71d375c2f6720d9a40403"
+dependencies = [
+ "semver-parser",
+]
+
+[[package]]
+name = "semver-parser"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "388a1df253eca08550bef6c72392cfe7c30914bf41df5269b68cbd6ff8f570a3"
+
 [[package]]
 name = "serde"
 version = "1.0.127"
@@ -1516,6 +1570,12 @@ dependencies = [
  "opaque-debug",
 ]
 
+[[package]]
+name = "sha1"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2579985fda508104f7587689507983eadd6a6e84dd35d6d115361f530916fa0d"
+
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.0"
@@ -1562,12 +1622,70 @@ version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
 
+[[package]]
+name = "standback"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e113fb6f3de07a243d434a56ec6f186dfd51cb08448239fe7bcae73f87ff28ff"
+dependencies = [
+ "version_check",
+]
+
 [[package]]
 name = "static_assertions"
 version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 
+[[package]]
+name = "stdweb"
+version = "0.4.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d022496b16281348b52d0e30ae99e01a73d737b2f45d38fed4edf79f9325a1d5"
+dependencies = [
+ "discard",
+ "rustc_version",
+ "stdweb-derive",
+ "stdweb-internal-macros",
+ "stdweb-internal-runtime",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "stdweb-derive"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c87a60a40fccc84bef0652345bbbbbe20a605bf5d0ce81719fc476f5c03b50ef"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_derive",
+ "syn",
+]
+
+[[package]]
+name = "stdweb-internal-macros"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "58fa5ff6ad0d98d1ffa8cb115892b6e69d67799f6763e162a1c9db421dc22e11"
+dependencies = [
+ "base-x",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "sha1",
+ "syn",
+]
+
+[[package]]
+name = "stdweb-internal-runtime"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "213701ba3370744dcd1a12960caa4843b3d68b4d1c0a5d575e0d65b2ee9d16c0"
+
 [[package]]
 name = "strsim"
 version = "0.10.0"
@@ -1635,6 +1753,44 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "time"
+version = "0.2.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4752a97f8eebd6854ff91f1c1824cd6160626ac4bd44287f7f4ea2035a02a242"
+dependencies = [
+ "const_fn",
+ "libc",
+ "standback",
+ "stdweb",
+ "time-macros",
+ "version_check",
+ "winapi",
+]
+
+[[package]]
+name = "time-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "957e9c6e26f12cb6d0dd7fc776bb67a706312e7299aed74c8dd5b17ebb27e2f1"
+dependencies = [
+ "proc-macro-hack",
+ "time-macros-impl",
+]
+
+[[package]]
+name = "time-macros-impl"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd3c141a1b43194f3f56a1411225df8646c55781d5f26db825b3d98507eb482f"
+dependencies = [
+ "proc-macro-hack",
+ "proc-macro2",
+ "quote",
+ "standback",
+ "syn",
+]
+
 [[package]]
 name = "tinyvec"
 version = "1.3.1"
diff --git a/Cargo.toml b/Cargo.toml
index 39cc83e..fdc294b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,6 +11,7 @@ askama = { version = "0.10", features = ["with-warp"] }
 askama_warp = "0.11"
 cached = { version = "0.25", default-features = false }
 chrono = "0.4"
+cookie = { version = "0.15", features = ["percent-encode"] }
 futures = "0.3"
 irc = "0.15"
 parking_lot = "0.11"
diff --git a/src/app/web/route/access_token.rs b/src/app/web/route/access_token.rs
index 4c43fa9..07d40c9 100644
--- a/src/app/web/route/access_token.rs
+++ b/src/app/web/route/access_token.rs
@@ -1,3 +1,4 @@
+use cookie::{Cookie, SameSite};
 use warp::{
     Filter, Reply,
     filters::BoxedFilter,
@@ -30,10 +31,15 @@ fn access_token_submit() -> BoxedFilter<(impl Reply, )> {
                 Some(token) => token,
                 None => return Err(warp::reject::custom(CustomRejection::InvalidForm)),
             };
+            let cookie = Cookie::build("access_token", token)
+                .same_site(SameSite::Lax)
+                .secure(true)
+                .http_only(true)
+                .finish();
             Ok(warp::reply::with_header(
                 warp::redirect(Uri::from_static("/")),
                 "Set-Cookie",
-                format!("access_token={}; SameSite=Lax; Secure; HttpOnly", token),
+                cookie.encoded().to_string(),
             ))
         })
         .boxed()