diff --git a/src/config.rs b/src/config.rs index c6c6a0c..4f9b3b5 100644 --- a/src/config.rs +++ b/src/config.rs @@ -109,7 +109,7 @@ impl SecretConfig { .await .context("failed to load RSA private key")?; let rsa_key_pair = - RsaKeyPair::from_pem(&rsa_keypair_bytes).context("Failed to decode RSA key pair")?; + RsaKeyPair::from_pem(rsa_keypair_bytes).context("Failed to decode RSA key pair")?; Ok(Self { rsa_key_pair }) } diff --git a/src/web.rs b/src/web.rs index e457756..6a850c8 100644 --- a/src/web.rs +++ b/src/web.rs @@ -114,7 +114,7 @@ pub async fn serve( .layer(Extension(Arc::new(PasswordHashInflightLimiter::new(1)))) .layer(client_ip_source.into_extension()) .layer(Extension(Arc::new(ratelimiters))) - .layer(Extension(VolatileCodeStore::new())); + .layer(Extension(VolatileCodeStore::default())); info!("Listening on {bind:?}"); axum::Server::try_bind(&bind) diff --git a/src/web/login.rs b/src/web/login.rs index ae8a835..a602dfe 100644 --- a/src/web/login.rs +++ b/src/web/login.rs @@ -133,10 +133,10 @@ impl LoginSession { // TODO this is only using the key, not the salt and persona let mac_tag_bytes = Blake2sMac256::new_with_salt_and_personal(&self.xsrf_secret, &[], &[])? - .chain_update(&now_8bytes) + .chain_update(now_8bytes) .finalize() .into_bytes(); - let mac_b64 = BASE64_URL_SAFE_NO_PAD.encode(&mac_tag_bytes); + let mac_b64 = BASE64_URL_SAFE_NO_PAD.encode(mac_tag_bytes); Ok(format!("{now_timestamp}.{mac_b64}")) } @@ -158,7 +158,7 @@ impl LoginSession { // TODO this is only using the key, not the salt and persona // TODO perhaps the persona should be the user UUID hashed? Blake2sMac256::new_with_salt_and_personal(&self.xsrf_secret, &[], &[])? - .chain_update(×tamp_8bytes) + .chain_update(timestamp_8bytes) .verify_slice(&mac_tag_bytes) .context("bad MAC in XSRF token")?; @@ -270,6 +270,7 @@ fn render_login_retry_form() -> Response { (StatusCode::UNAUTHORIZED, "Wrong username or password!").into_response() // TODO(ui): this should re-render the login form for another go } +#[allow(clippy::too_many_arguments)] pub async fn post_login( Query(query): Query, cookies: Cookies, @@ -346,7 +347,7 @@ pub async fn post_login( let login_session_token = thread_rng().gen::<[u8; LOGIN_SESSION_TOKEN_BYTES]>(); let login_session_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(login_session_token); let login_session_token_hash: [u8; LOGIN_SESSION_TOKEN_HASH_BYTES] = - Blake2s256::digest(&login_session_token).into(); + Blake2s256::digest(login_session_token).into(); let xsrf_secret = thread_rng().gen::<[u8; LOGIN_SESSION_XSRF_SECRET_BYTES]>(); // store session in the database diff --git a/src/web/oauth_openid/application_session_access_token.rs b/src/web/oauth_openid/application_session_access_token.rs index 52df2d8..5deae2a 100644 --- a/src/web/oauth_openid/application_session_access_token.rs +++ b/src/web/oauth_openid/application_session_access_token.rs @@ -31,7 +31,7 @@ where let Ok(TypedHeader(Authorization(bearer))) = TypedHeader::>::from_request_parts(parts, state).await else { return Err((StatusCode::UNAUTHORIZED, "No access token.")); }; - let Ok(access_token) = BASE64_URL_SAFE_NO_PAD.decode(&bearer.token()) else { + let Ok(access_token) = BASE64_URL_SAFE_NO_PAD.decode(bearer.token()) else { return Err(( StatusCode::UNAUTHORIZED, "Invalid access token." diff --git a/src/web/oauth_openid/authorisation.rs b/src/web/oauth_openid/authorisation.rs index 38ff0ea..fb92c4e 100644 --- a/src/web/oauth_openid/authorisation.rs +++ b/src/web/oauth_openid/authorisation.rs @@ -194,26 +194,26 @@ fn validate_authorisation_basics<'a>( if &query.response_type != "code" { return Err(fail_authorisation_with_redirect( query, - &client_config, + client_config, AuthorisationRedirectableError::UnsupportedResponseType, "We only support `code` authorisation responses here.".to_owned(), )); } if query.code_challenge.is_none() { return Err(fail_authorisation_with_redirect( - &query, + query, client_config, AuthorisationRedirectableError::InvalidRequest, "`code_challenge` not specified.".to_owned(), )); } - match query.code_challenge_method.as_ref().map(String::as_str) { + match query.code_challenge_method.as_deref() { None | Some("S256") | Some("plain") => { // OK: supported (None = 'plain') } _other => { return Err(fail_authorisation_with_redirect( - &query, + query, client_config, AuthorisationRedirectableError::InvalidRequest, "`code_challenge_method` is not supported.".to_owned(), diff --git a/src/web/oauth_openid/ext_codes.rs b/src/web/oauth_openid/ext_codes.rs index a2df9c3..92a2794 100644 --- a/src/web/oauth_openid/ext_codes.rs +++ b/src/web/oauth_openid/ext_codes.rs @@ -92,8 +92,8 @@ impl VolatileCodeStoreInner { ) -> CodeRedemption { if let Some(conflicted) = self.conflictable_codes.get(auth_code) { return CodeRedemption::Conflicted { - access_token_to_invalidate: conflicted.access_token_hash.clone(), - refresh_token_to_invalidate: conflicted.refresh_token_hash.clone(), + access_token_to_invalidate: conflicted.access_token_hash, + refresh_token_to_invalidate: conflicted.refresh_token_hash, }; } @@ -146,8 +146,8 @@ pub struct VolatileCodeStore { inner: Arc>, } -impl VolatileCodeStore { - pub fn new() -> Self { +impl Default for VolatileCodeStore { + fn default() -> Self { let poke = Arc::new(Notify::new()); let inner: Arc> = Default::default(); @@ -159,7 +159,9 @@ impl VolatileCodeStore { VolatileCodeStore { inner, poke } } +} +impl VolatileCodeStore { async fn expirer(inner: Arc>, poke: Arc) { let mut next_expiry: Option = None; loop { diff --git a/src/web/oauth_openid/token.rs b/src/web/oauth_openid/token.rs index 4beb2c1..e730fdc 100644 --- a/src/web/oauth_openid/token.rs +++ b/src/web/oauth_openid/token.rs @@ -176,17 +176,13 @@ pub async fn oidc_token( // so double redemptions can invalidate the access token appropriately. let access_token = thread_rng().gen::(); let access_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(access_token); - let access_token_hash: AccessTokenHash = Blake2s256::digest(&access_token).into(); + let access_token_hash: AccessTokenHash = Blake2s256::digest(access_token).into(); let refresh_token = thread_rng().gen::(); let refresh_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(refresh_token); - let refresh_token_hash: RefreshTokenHash = Blake2s256::digest(&refresh_token).into(); + let refresh_token_hash: RefreshTokenHash = Blake2s256::digest(refresh_token).into(); // Redeem the auth code so we can check it and then maybe issue an access token. - let binding = match code_store.redeem( - &auth_code, - access_token_hash.clone(), - refresh_token_hash.clone(), - ) { + let binding = match code_store.redeem(&auth_code, access_token_hash, refresh_token_hash) { CodeRedemption::Invalid => { return ( StatusCode::BAD_REQUEST, @@ -382,7 +378,7 @@ pub async fn oidc_token( } fn make_id_token(id_token: IdToken, secrets: &SecretConfig) -> eyre::Result { - let Ok(serde_json::Value::Object(map)) = serde_json::to_value(&id_token).context("failed to serialise ID Token content") else { + let Ok(serde_json::Value::Object(map)) = serde_json::to_value(id_token).context("failed to serialise ID Token content") else { bail!("ID Token not a map"); };