Improve security
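--- /dev/null
+++ b/PATH-NOT-ON-PAGE
@@ -0,0 +1,23 @@
+use std::future::{ready, Ready};
+
+use actix_web::dev::Payload;
+use actix_web::{error::ErrorUnauthorized, Error, FromRequest, HttpMessage, HttpRequest};
+
+/// The user id of the caller, as established by the auth middleware after
+/// verifying the `user-token` header. Extracting this (instead of trusting a
+/// client-supplied `user_id` in the path/body) is the source of truth for
+/// "who is making this request".
+#[derive(Clone, Copy)]
+pub struct AuthUser(pub i32);
+
+impl FromRequest for AuthUser {
+type Error = Error;
+type Future = Ready<Result<Self, Self::Error>>;
+
+fn from_request(req: &HttpRequest, _payload: &mut Payload) -> Self::Future {
+match req.extensions().get::<AuthUser>() {
+Some(auth_user) => ready(Ok(*auth_user)),
+None => ready(Err(ErrorUnauthorized("missing authenticated user"))),
+}
+}
+}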
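Review bot: The `pub i32` field on `AuthUser` means any code in the crate (or a downstream crate) can build `AuthUser(any_id)` and insert it into request extensions, so the "source of truth" promise in the doc comment rests on convention rather than on the type; making the field private with a `pub(crate)` constructor and a read-only `id()` accessor confines construction to the auth middleware, which is not in this hunk, so verify how it currently builds the value before changing the field visibility. The extractor itself fails closed — a route that is not wrapped by the middleware gets the same 401 as an unauthenticated caller — which is the right default, and worth stating in the doc comment: `/// Returns 401 if the middleware did not run for this route.`. A public type used as an extension key should also derive `Debug` (and `PartialEq, Eq`) so it can be logged and compared in tests.
```rust
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct AuthUser(i32);

impl AuthUser {
    /// Only the auth middleware constructs this, after the token has been verified.
    pub(crate) fn new(id: i32) -> Self {
        Self(id)
    }

    /// The verified user id of the caller.
    pub fn id(self) -> i32 {
        self.0
    }
}

// … unchanged: FromRequest impl …
```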