<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `auth/src/lib.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>lib.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" type="text/css" href="../../normalize.css"><link rel="stylesheet" type="text/css" href="../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" type="text/css" href="../../ayu.css" disabled><link rel="stylesheet" type="text/css" href="../../dark.css" disabled><link rel="stylesheet" type="text/css" href="../../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../../storage.js"></script><script defer src="../../source-script.js"></script><script defer src="../../source-files.js"></script><script defer src="../../main.js"></script><noscript><link rel="stylesheet" href="../../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../../favicon.svg"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="mobile-topbar"><button class="sidebar-menu-toggle">&#9776;</button><a class="sidebar-logo" href="../../auth/index.html"><div class="logo-container"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></div>
        </a><h2 class="location"></h2>
    </nav>
    <nav class="sidebar"><a class="sidebar-logo" href="../../auth/index.html"><div class="logo-container"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></div>
        </a></nav><main><div class="width-limiter"><div class="sub-container"><a class="sub-logo-container" href="../../auth/index.html"><img class="rust-logo" src="../../rust-logo.svg" alt="logo"></a><nav class="sub"><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><button type="button" id="help-button" title="help">?</button><div id="settings-menu" tabindex="-1">
                                <a href="../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../wheel.svg"></a></div>
                        </div></form></nav></div><section id="main-content" class="content"><div class="example-wrap"><pre class="line-numbers"><span id="1">1</span>
<span id="2">2</span>
<span id="3">3</span>
<span id="4">4</span>
<span id="5">5</span>
<span id="6">6</span>
<span id="7">7</span>
<span id="8">8</span>
<span id="9">9</span>
<span id="10">10</span>
<span id="11">11</span>
<span id="12">12</span>
<span id="13">13</span>
<span id="14">14</span>
<span id="15">15</span>
<span id="16">16</span>
<span id="17">17</span>
<span id="18">18</span>
<span id="19">19</span>
<span id="20">20</span>
<span id="21">21</span>
<span id="22">22</span>
<span id="23">23</span>
<span id="24">24</span>
<span id="25">25</span>
<span id="26">26</span>
<span id="27">27</span>
<span id="28">28</span>
<span id="29">29</span>
<span id="30">30</span>
<span id="31">31</span>
<span id="32">32</span>
<span id="33">33</span>
<span id="34">34</span>
<span id="35">35</span>
<span id="36">36</span>
<span id="37">37</span>
<span id="38">38</span>
<span id="39">39</span>
<span id="40">40</span>
<span id="41">41</span>
<span id="42">42</span>
<span id="43">43</span>
<span id="44">44</span>
<span id="45">45</span>
<span id="46">46</span>
<span id="47">47</span>
<span id="48">48</span>
<span id="49">49</span>
<span id="50">50</span>
<span id="51">51</span>
<span id="52">52</span>
<span id="53">53</span>
<span id="54">54</span>
<span id="55">55</span>
<span id="56">56</span>
<span id="57">57</span>
<span id="58">58</span>
<span id="59">59</span>
<span id="60">60</span>
<span id="61">61</span>
<span id="62">62</span>
<span id="63">63</span>
<span id="64">64</span>
<span id="65">65</span>
<span id="66">66</span>
<span id="67">67</span>
<span id="68">68</span>
<span id="69">69</span>
<span id="70">70</span>
<span id="71">71</span>
<span id="72">72</span>
<span id="73">73</span>
<span id="74">74</span>
<span id="75">75</span>
<span id="76">76</span>
<span id="77">77</span>
<span id="78">78</span>
<span id="79">79</span>
<span id="80">80</span>
<span id="81">81</span>
<span id="82">82</span>
<span id="83">83</span>
<span id="84">84</span>
<span id="85">85</span>
<span id="86">86</span>
<span id="87">87</span>
<span id="88">88</span>
<span id="89">89</span>
<span id="90">90</span>
<span id="91">91</span>
<span id="92">92</span>
<span id="93">93</span>
<span id="94">94</span>
<span id="95">95</span>
<span id="96">96</span>
<span id="97">97</span>
<span id="98">98</span>
<span id="99">99</span>
</pre><pre class="rust"><code><span class="kw">use</span> <span class="ident">aes_gcm::aead::generic_array::GenericArray</span>;
<span class="kw">use</span> <span class="ident">aes_gcm::aead::Aead</span>;
<span class="kw">use</span> <span class="ident">aes_gcm::AeadInPlace</span>;
<span class="kw">use</span> <span class="ident">aes_gcm::Aes256Gcm</span>;
<span class="kw">use</span> <span class="ident">aes_gcm::NewAead</span>;

<span class="kw">use</span> <span class="ident">displaydoc::Display</span>;
<span class="kw">use</span> <span class="ident">once_cell::sync::OnceCell</span>;
<span class="kw">use</span> <span class="ident">rand::Rng</span>;
<span class="kw">use</span> <span class="ident">rand::RngCore</span>;
<span class="kw">use</span> <span class="ident">serde::Serialize</span>;
<span class="kw">use</span> <span class="ident">std::convert::TryInto</span>;
<span class="kw">use</span> <span class="ident">thiserror::Error</span>;

<span class="kw">const</span> <span class="ident">NONCE_LEN</span>: <span class="ident">usize</span> <span class="op">=</span> <span class="number">12</span>;
<span class="kw">const</span> <span class="ident">TAG_LEN</span>: <span class="ident">usize</span> <span class="op">=</span> <span class="number">16</span>;

<span class="doccomment">/// This is the secret key with which we sign the cookies.</span>
<span class="comment">// TODO: Generate this at first run to ensure security</span>
<span class="kw">static</span> <span class="ident">KEY</span>: <span class="ident">OnceCell</span><span class="op">&lt;</span>[<span class="ident">u8</span>; <span class="number">32</span>]<span class="op">&gt;</span> <span class="op">=</span> <span class="ident">OnceCell::new</span>();

<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">generate_key</span>() -&gt; [<span class="ident">u8</span>; <span class="number">32</span>] {
    <span class="ident">rand::thread_rng</span>().<span class="ident">gen</span>()
}

<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">set_key</span>(<span class="ident">k</span>: [<span class="ident">u8</span>; <span class="number">32</span>]) {
    <span class="ident">KEY</span>.<span class="ident">set</span>(<span class="ident">k</span>).<span class="ident">expect</span>(<span class="string">&quot;Failed to set secret_key&quot;</span>)
}

<span class="doccomment">/// This function should only be called from tests</span>
<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">set_key_fallible</span>(<span class="ident">k</span>: [<span class="ident">u8</span>; <span class="number">32</span>]) {
    <span class="kw">let</span> <span class="kw">_</span> <span class="op">=</span> <span class="ident">KEY</span>.<span class="ident">set</span>(<span class="ident">k</span>);
}

<span class="kw">fn</span> <span class="ident">get_key</span>() -&gt; <span class="kw-2">&amp;</span><span class="lifetime">&#39;static</span> [<span class="ident">u8</span>; <span class="number">32</span>] {
    <span class="ident">KEY</span>.<span class="ident">get</span>().<span class="ident">expect</span>(<span class="string">&quot;key must be initialized&quot;</span>)
}

<span class="attribute">#[<span class="ident">derive</span>(<span class="ident">Clone</span>, <span class="ident">Debug</span>, <span class="ident">Display</span>, <span class="ident">Error</span>, <span class="ident">Serialize</span>)]</span>
<span class="kw">pub</span> <span class="kw">enum</span> <span class="ident">AuthError</span> {
    <span class="doccomment">/// Token is not base64 encoded.</span>
    <span class="ident">BadBase64</span>,
    <span class="doccomment">/// Token data is too short.</span>
    <span class="ident">ShortData</span>,
    <span class="doccomment">/// Failed to decrypt token.</span>
    <span class="ident">DecryptError</span>,
    <span class="doccomment">/// Token plaintext does not contain a UserID.</span>
    <span class="ident">PlainTextNoti64</span>,
}

<span class="doccomment">/// Function encrypts a UserID with a nonce and returns it as a base64 string to be used as a cookie/token.</span>
<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">user_cookie_generate</span>(<span class="ident">user</span>: <span class="ident">i64</span>) -&gt; <span class="ident">String</span> {
    <span class="comment">// Create a vec to hold the [nonce | cookie value].</span>
    <span class="kw">let</span> <span class="ident">cookie_val</span> <span class="op">=</span> <span class="kw-2">&amp;</span><span class="ident">user</span>.<span class="ident">to_be_bytes</span>();
    <span class="kw">let</span> <span class="kw-2">mut</span> <span class="ident">data</span> <span class="op">=</span> <span class="macro">vec!</span>[<span class="number">0</span>; <span class="ident">NONCE_LEN</span> <span class="op">+</span> <span class="ident">cookie_val</span>.<span class="ident">len</span>() <span class="op">+</span> <span class="ident">TAG_LEN</span>];

    <span class="comment">// Split data into three: nonce, input/output, tag. Copy input.</span>
    <span class="kw">let</span> (<span class="ident">nonce</span>, <span class="ident">in_out</span>) <span class="op">=</span> <span class="ident">data</span>.<span class="ident">split_at_mut</span>(<span class="ident">NONCE_LEN</span>);
    <span class="kw">let</span> (<span class="ident">in_out</span>, <span class="ident">tag</span>) <span class="op">=</span> <span class="ident">in_out</span>.<span class="ident">split_at_mut</span>(<span class="ident">cookie_val</span>.<span class="ident">len</span>());
    <span class="ident">in_out</span>.<span class="ident">copy_from_slice</span>(<span class="ident">cookie_val</span>);

    <span class="comment">// Fill nonce piece with random data.</span>
    <span class="kw">let</span> <span class="kw-2">mut</span> <span class="ident">rng</span> <span class="op">=</span> <span class="ident">rand::thread_rng</span>();
    <span class="ident">rng</span>.<span class="ident">try_fill_bytes</span>(<span class="ident">nonce</span>)
        .<span class="ident">expect</span>(<span class="string">&quot;couldn&#39;t random fill nonce&quot;</span>);
    <span class="kw">let</span> <span class="ident">nonce</span> <span class="op">=</span> <span class="ident">GenericArray::clone_from_slice</span>(<span class="ident">nonce</span>);

    <span class="comment">// Perform the actual sealing operation, using the cookie&#39;s name as</span>
    <span class="comment">// associated data to prevent value swapping.</span>
    <span class="kw">let</span> <span class="ident">aead</span> <span class="op">=</span> <span class="ident">Aes256Gcm::new</span>(<span class="ident">GenericArray::from_slice</span>(<span class="ident">get_key</span>()));
    <span class="kw">let</span> <span class="ident">aad_tag</span> <span class="op">=</span> <span class="ident">aead</span>
        .<span class="ident">encrypt_in_place_detached</span>(<span class="kw-2">&amp;</span><span class="ident">nonce</span>, <span class="string">b&quot;&quot;</span>, <span class="ident">in_out</span>)
        .<span class="ident">expect</span>(<span class="string">&quot;encryption failure!&quot;</span>);

    <span class="comment">// Copy the tag into the tag piece.</span>
    <span class="ident">tag</span>.<span class="ident">copy_from_slice</span>(<span class="kw-2">&amp;</span><span class="ident">aad_tag</span>);

    <span class="comment">// Base64 encode [nonce | encrypted value | tag].</span>
    <span class="ident">base64::encode</span>(<span class="kw-2">&amp;</span><span class="ident">data</span>)
}

<span class="doccomment">/// Function decrypts a UserID which was encrypted with `user_cookie_generate`</span>
<span class="kw">pub</span> <span class="kw">fn</span> <span class="ident">user_cookie_decode</span>(<span class="ident">cookie</span>: <span class="ident">String</span>) -&gt; <span class="prelude-ty">Result</span><span class="op">&lt;</span><span class="ident">i64</span>, <span class="ident">AuthError</span><span class="op">&gt;</span> {
    <span class="kw">let</span> <span class="ident">data</span> <span class="op">=</span> <span class="ident">base64::decode</span>(<span class="ident">cookie</span>).<span class="ident">map_err</span>(<span class="op">|</span><span class="kw">_</span><span class="op">|</span> <span class="ident">AuthError::BadBase64</span>)<span class="question-mark">?</span>;
    <span class="kw">if</span> <span class="ident">data</span>.<span class="ident">len</span>() <span class="op">&lt;</span><span class="op">=</span> <span class="ident">NONCE_LEN</span> {
        <span class="kw">return</span> <span class="prelude-val">Err</span>(<span class="ident">AuthError::ShortData</span>);
    }
    <span class="kw">let</span> (<span class="ident">nonce</span>, <span class="ident">cipher</span>) <span class="op">=</span> <span class="ident">data</span>.<span class="ident">split_at</span>(<span class="ident">NONCE_LEN</span>);
    <span class="kw">let</span> <span class="ident">aead</span> <span class="op">=</span> <span class="ident">Aes256Gcm::new</span>(<span class="ident">GenericArray::from_slice</span>(<span class="ident">get_key</span>()));
    <span class="kw">let</span> <span class="ident">plaintext</span> <span class="op">=</span> <span class="ident">aead</span>
        .<span class="ident">decrypt</span>(<span class="ident">GenericArray::from_slice</span>(<span class="ident">nonce</span>), <span class="ident">cipher</span>)
        .<span class="ident">map_err</span>(<span class="op">|</span><span class="kw">_</span><span class="op">|</span> <span class="ident">AuthError::DecryptError</span>)<span class="question-mark">?</span>;

    <span class="prelude-val">Ok</span>(<span class="ident">i64::from_be_bytes</span>(
        <span class="ident">plaintext</span>
            .<span class="ident">try_into</span>()
            .<span class="ident">map_err</span>(<span class="op">|</span><span class="kw">_</span><span class="op">|</span> <span class="ident">AuthError::PlainTextNoti64</span>)<span class="question-mark">?</span>,
    ))
}
</code></pre></div>
</section></div></main><div id="rustdoc-vars" data-root-path="../../" data-current-crate="auth" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.63.0 (4b91a6ea7 2022-08-08)" ></div>
</body></html>