Auto merge of #2500 - jtgeibel:update/cookie-and-time, r=JohnTitor

bors · bors · commit c982a71b1596 · 2020-05-11T23:26:49.000Z
Bump to the latest `cookie` crate These upstream `conduit-*` crates now pull in the latest versions of `cookie` and `time`. In particular, the following changes to cookie behavior are made: * `cookie` is bumped to 0.13 * `Max-Age` is set to 90 days * `Same-Site=Strict` is added to the session cookie * Only set the session cookie in the response if the session was modified r? @JohnTitor
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -67,12 +67,12 @@ lettre_email = "0.9"
 failure = "0.1.1"
 
 conduit = "0.9.0-alpha.2"
-conduit-conditional-get = "0.9.0-alpha.2"
-conduit-cookie = "0.9.0-alpha.2"
-cookie = { version = "0.12", features = ["secure"] }
+conduit-conditional-get = "0.9.0-alpha.3"
+conduit-cookie = "0.9.0-alpha.3"
+cookie = { version = "0.13", features = ["secure"] }
 conduit-middleware = "0.9.0-alpha.2"
 conduit-router = "0.9.0-alpha.2"
-conduit-static = "0.9.0-alpha.2"
+conduit-static = "0.9.0-alpha.3"
 conduit-git-http-backend = "0.9.0-alpha.2"
 civet = "0.12.0-alpha.3"
 conduit-hyper = "0.3.0-alpha.2"
diff --git a/src/controllers/user/session.rs b/src/controllers/user/session.rs
@@ -31,7 +31,7 @@ pub fn begin(req: &mut dyn RequestExt) -> EndpointResult {
         .github
         .authorize_url(oauth2::CsrfToken::new_random);
     let state = state.secret().to_string();
-    req.session()
+    req.session_mut()
         .insert("github_oauth_state".to_string(), state.clone());
 
     #[derive(Serialize)]
@@ -82,7 +82,7 @@ pub fn authorize(req: &mut dyn RequestExt) -> EndpointResult {
     // Make sure that the state we just got matches the session state that we
     // should have issued earlier.
     {
-        let session_state = req.session().remove(&"github_oauth_state".to_string());
+        let session_state = req.session_mut().remove(&"github_oauth_state".to_string());
         let session_state = session_state.as_deref();
         if Some(&state[..]) != session_state {
             return Err(bad_request("invalid state parameter"));
@@ -104,7 +104,7 @@ pub fn authorize(req: &mut dyn RequestExt) -> EndpointResult {
     let user = ghuser.save_to_database(&token.secret(), &*req.db_conn()?)?;
 
     // Log in by setting a cookie and the middleware authentication
-    req.session()
+    req.session_mut()
         .insert("user_id".to_string(), user.id.to_string());
     req.mut_extensions().insert(TrustedUserId(user.id));
 
@@ -149,7 +149,7 @@ impl GithubUser {
 
 /// Handles the `DELETE /api/private/session` route.
 pub fn logout(req: &mut dyn RequestExt) -> EndpointResult {
-    req.session().remove(&"user_id".to_string());
+    req.session_mut().remove(&"user_id".to_string());
     Ok(req.json(&true))
 }
 
