From c6d5f7b7ee46d66f7225241befcc92467a6ab460 Mon Sep 17 00:00:00 2001
From: Antoine Gersant <antoine.gersant@lesforges.org>
Date: Sun, 11 Nov 2018 00:17:38 -0800
Subject: [PATCH] Fixed a bug where auth cookie was interfering with
 polaris-web cookie

---
 src/rocket_api.rs | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/rocket_api.rs b/src/rocket_api.rs
index b5dbc4f..2f97847 100644
--- a/src/rocket_api.rs
+++ b/src/rocket_api.rs
@@ -24,7 +24,7 @@ use crate::vfs::VFSSource;
 
 const CURRENT_MAJOR_VERSION: i32 = 3;
 const CURRENT_MINOR_VERSION: i32 = 0;
-const SESSION_FIELD_USERNAME: &str = "username";
+const COOKIE_SESSION: &str = "session";
 
 pub fn get_routes() -> Vec<rocket::Route> {
 	routes![
@@ -60,9 +60,10 @@ struct Auth {
 	username: String,
 }
 
-fn get_auth_cookie(username: &str) -> Cookie<'static> {
-	Cookie::build(SESSION_FIELD_USERNAME, username.to_owned())
+fn get_session_cookie(username: &str) -> Cookie<'static> {
+	Cookie::build(COOKIE_SESSION, username.to_owned())
 		.same_site(rocket::http::SameSite::Lax)
+		.http_only(true)
 		.finish()
 }
 
@@ -71,7 +72,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for Auth {
 
 	fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, ()> {
 		let mut cookies = request.guard::<Cookies>().unwrap();
-		if let Some(u) = cookies.get_private(SESSION_FIELD_USERNAME) {
+		if let Some(u) = cookies.get_private(COOKIE_SESSION) {
 			return Outcome::Success(Auth {
 				username: u.value().to_string(),
 			});
@@ -89,7 +90,7 @@ impl<'a, 'r> FromRequest<'a, 'r> for Auth {
 					_ => return Outcome::Failure((Status::InternalServerError, ())),
 				};
 				if user::auth(db.deref().deref(), &username, &password).unwrap_or(false) {
-					cookies.add_private(get_auth_cookie(&username));
+					cookies.add_private(get_session_cookie(&username));
 					return Outcome::Success(Auth {
 						username: username.to_string(),
 					});
@@ -238,7 +239,7 @@ fn auth(
 		return Err(errors::Error::from(errors::ErrorKind::IncorrectCredentials))
 	}
 
-	cookies.add_private(get_auth_cookie(&credentials.username));
+	cookies.add_private(get_session_cookie(&credentials.username));
 
 	let auth_output = AuthOutput {
 		admin: user::is_admin::<DB>(&db, &credentials.username)?,