freya/xssbook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

css changes, secure/http only admin session

Browse source
This commit is contained in:
Tyler Murphy 2023-01-30 11:42:45 -05:00
parent 1d98d94385
commit 0c021ef938
9 changed files with 35 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
public/admin.html
View file

@ -12,9 +12,9 @@
<script src="/js/admin.js"></script>
<div id="header">
<span class="logo"><a href="/">xssbook</a></span>
<span class="gtext desc" style="margin-left: 6em; font-size: 2em">Admin Panel</span>
</div>
<div id="login" class="hidden">
<span class="gtext desc">Admin Login</span>
<form autocomplete="off" onsubmit="auth(event)">
<input autocomplete="new-password" type="password" name="adminpassword" id="adminpassword" placeholder="Login Secret">
</form>

3
public/css/admin.css
View file

@ -93,6 +93,8 @@ table {
margin-top: 3em;
border-collapse: separate;
border-spacing: 15px;
table-layout: fixed;
width: 100%;
}
th, td {
@ -102,6 +104,7 @@ th, td {
border-radius: 10px;
background-color: #242424;
border-radius: 10px;
word-wrap: break-word;
}
th {

4
public/css/console.css
View file

@ -9,7 +9,7 @@ body {
src: url("../fonts/sfpro.otf") format("opentype");
}
div {
.msg {
background-color: #282828;
font-family: sfpro;
margin: 15px;
@ -19,7 +19,7 @@ div {
width: calc(100% - 50px)
}
span {
.msg span {
display: inline-block;
padding: 0;
margin: 0;

10
src/admin.rs
View file

@ -59,8 +59,8 @@ pub fn generate_users() -> Response {
for user in users {
html.push_str(
&format!("<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>",
user.user_id, sanatize(user.firstname), sanatize(user.lastname), sanatize(user.email), sanatize(user.password),
sanatize(user.gender), user.date, user.day, user.month, user.year
user.user_id, sanatize(&user.firstname), sanatize(&user.lastname), sanatize(&user.email), sanatize(&user.password),
sanatize(&user.gender), user.date, user.day, user.month, user.year
)
);
}
@ -94,9 +94,9 @@ pub fn generate_posts() -> Response {
"<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>",
post.post_id,
post.user_id,
sanatize(post.content),
console::beautify(likes),
console::beautify(comments),
sanatize(&post.content),
console::beautify(&likes),
console::beautify(&comments),
post.date
));
}

4
src/api/admin.rs
View file

@ -30,8 +30,8 @@ async fn auth(cookies: Cookies, Json(body): Json<AdminAuthRequest>) -> Response
}
let mut cookie = Cookie::new("admin", admin::regen_secret().await);
cookie.set_secure(false);
cookie.set_http_only(false);
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_path("/");
cookies.add(cookie);

21
src/console.rs
View file

@ -36,8 +36,8 @@ impl ToString for LogMessage {
Method::OPTIONS => "#423fe0",
_ => "white",
};
format!("<div><span class='ip'>{}</span> <span class='method' style='color: {};'>{}</span> <span class='path'>{}{}</span> <span class='body'>{}</span></div>",
ip, color, self.method, self.path, sanatize(self.uri.to_string()), self.body)
format!("<div class='msg'><span class='ip'>{}</span> <span class='method' style='color: {};'>{}</span> <span class='path'>{}{}</span> <span class='body'>{}</span></div>",
ip, color, self.method, self.path, sanatize(&self.uri.to_string()), self.body)
}
}
@ -46,12 +46,11 @@ lazy_static! {
}
pub async fn log(ip: IpAddr, method: Method, uri: Uri, path: Option<String>, body: Option<String>) {
let path = path.unwrap_or_default();
let body = body.unwrap_or_default();
if path == "/api/admin" {
return
return;
}
tracing::info!("{} {} {}{} {}", &ip, &method, &path, &uri, &body);
@ -61,7 +60,7 @@ pub async fn log(ip: IpAddr, method: Method, uri: Uri, path: Option<String>, bod
method,
uri,
path,
body: beautify(body),
body: beautify(&body),
};
let mut lock = LOG.lock().await;
@ -205,14 +204,14 @@ impl Formatter for HtmlFormatter {
}
}
pub fn sanatize(input: String) -> String {
pub fn sanatize(input: &str) -> String {
input
.replace('&', "&amp;")
.replace('<', "&lt;")
.replace('>', "&gt;")
}
pub fn beautify(body: String) -> String {
pub fn beautify(body: &str) -> String {
let body = sanatize(body);
if body.is_empty() {
@ -240,10 +239,18 @@ pub async fn generate() -> Response {
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="5">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="css/console.css">
<link rel="stylesheet" href="css/header.css">
<link rel="stylesheet" href="/css/admin.css">
<title>XSSBook - Console</title>
</head>
<body>
<div id="header">
<span class="logo"><a href="/">xssbook</a></span>
<span class="gtext desc" style="margin-left: 6em; font-size: 2em">Console</span>
</div>
<div style="margin-botton: 4.25em"></div>
"#
.to_string();

2
src/database/posts.rs
View file

@ -81,7 +81,7 @@ pub fn get_post_page(page: u64) -> Result<Vec<Post>, rusqlite::Error> {
pub fn get_all_posts() -> Result<Vec<Post>, rusqlite::Error> {
tracing::trace!("Retrieving posts page");
let conn = database::connect()?;
let mut stmt = conn.prepare("SELECT * FROM posts ORDER BY post_id")?;
let mut stmt = conn.prepare("SELECT * FROM posts ORDER BY post_id DESC")?;
let row = stmt.query_map([], |row| {
let row = post_from_row(row)?;
Ok(row)

2
src/database/users.rs
View file

@ -121,7 +121,7 @@ pub fn get_user_page(page: u64, hide_password: bool) -> Result<Vec<User>, rusqli
pub fn get_all_users() -> Result<Vec<User>, rusqlite::Error> {
tracing::trace!("Retrieving user page");
let conn = database::connect()?;
let mut stmt = conn.prepare("SELECT * FROM users ORDER BY user_id")?;
let mut stmt = conn.prepare("SELECT * FROM users ORDER BY user_id DESC")?;
let row = stmt.query_map([], |row| {
let row = user_from_row(row, false)?;
Ok(row)

14
src/types/extract.rs
View file

@ -4,14 +4,14 @@ use axum::{
async_trait,
body::HttpBody,
extract::{FromRequest, FromRequestParts},
headers::Cookie,
http::{request::Parts, Request},
response::Response,
BoxError, RequestExt, TypedHeader,
BoxError, RequestExt,
};
use axum_client_ip::ClientIp;
use bytes::Bytes;
use serde::de::DeserializeOwned;
use tower_cookies::Cookies;
use crate::{
admin, console,
@ -32,7 +32,7 @@ where
type Rejection = Response;
async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self> {
let Ok(Some(cookies)) = Option::<TypedHeader<Cookie>>::from_request_parts(parts, state).await else {
let Ok(Some(cookies)) = Option::<Cookies>::from_request_parts(parts, state).await else {
return Err(ResponseCode::Forbidden.text("No cookies provided"))
};
@ -40,7 +40,7 @@ where
return Err(ResponseCode::Forbidden.text("No auth token provided"))
};
let Ok(session) = Session::from_token(token) else {
let Ok(session) = Session::from_token(token.value()) else {
return Err(ResponseCode::Unauthorized.text("Auth token invalid"))
};
@ -63,7 +63,7 @@ where
type Rejection = Response;
async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self> {
let Ok(Some(cookies)) = Option::<TypedHeader<Cookie>>::from_request_parts(parts, state).await else {
let Ok(Some(cookies)) = Option::<Cookies>::from_request_parts(parts, state).await else {
return Err(ResponseCode::Forbidden.text("No cookies provided"))
};
@ -71,11 +71,9 @@ where
return Err(ResponseCode::Forbidden.text("No admin secret provided"))
};
println!("{secret}");
let check = admin::get_secret().await;
if check != secret {
if check != secret.value() {
return Err(ResponseCode::Unauthorized.text("Auth token invalid"));
}