Auto merge of #2167 - integer32llc:fix-auth, r=jtgeibel

bors · bors · commit def94b392dff · 2020-01-27T18:46:20.000Z
Fix auth Set the TrustedUserId in the extensions when logging in Fixes #2166. In #2077 (d0b9bcc), we changed the type of the authentication data stored in the extensions from `User` to `TrustedUserId`, but we missed this spot :( We're allowed to insert anything we want into the extensions, but if we use a different type than what we use when looking up data in the extensions, it won't find what we inserted. I checked all the other locations of `mut_extensions` and `extensions` and I think they're good, but overall this system feels a bit loosey-goosey to me. Not sure how to improve it, though. r? @jtgeibel
diff --git a/src/controllers/user/me.rs b/src/controllers/user/me.rs
@@ -13,17 +13,6 @@ use crate::views::{EncodableMe, EncodableVersion, OwnedCrate};
 
 /// Handles the `GET /me` route.
 pub fn me(req: &mut dyn Request) -> AppResult<Response> {
-    // Changed to getting User information from database because in
-    // src/tests/user.rs, when testing put and get on updating email,
-    // request seems to be somehow 'cached'. When we try to get a
-    // request from the /me route with the just updated user (call
-    // this function) the user is the same as the initial GET request
-    // and does not seem to get the updated user information from the
-    // database
-    // This change is not preferable, we'd rather fix the request,
-    // perhaps adding `req.mut_extensions().insert(user)` to the
-    // update_user route, however this somehow does not seem to work
-
     let conn = req.db_conn()?;
     let user_id = req.authenticate(&conn)?.user_id();
 
diff --git a/src/controllers/user/session.rs b/src/controllers/user/session.rs
@@ -5,6 +5,7 @@ use conduit_cookie::RequestSession;
 use failure::Fail;
 use oauth2::{prelude::*, AuthorizationCode, TokenResponse};
 
+use crate::middleware::current_user::TrustedUserId;
 use crate::models::{NewUser, User};
 use crate::schema::users;
 use crate::util::errors::ReadOnlyMode;
@@ -88,8 +89,7 @@ pub fn authorize(req: &mut dyn Request) -> AppResult<Response> {
         }
     }
 
-    // Fetch the access token from github using the code we just got
-
+    // Fetch the access token from GitHub using the code we just got
     let code = AuthorizationCode::new(code);
     let token = req
         .app()
@@ -98,11 +98,16 @@ pub fn authorize(req: &mut dyn Request) -> AppResult<Response> {
         .map_err(|e| e.compat())
         .chain_error(|| server_error("Error obtaining token"))?;
     let token = token.access_token();
+
+    // Fetch the user info from GitHub using the access token we just got and create a user record
     let ghuser = github::github_api::<GithubUser>(req.app(), "/user", token)?;
     let user = ghuser.save_to_database(&token.secret(), &*req.db_conn()?)?;
+
+    // Log in by setting a cookie and the middleware authentication
     req.session()
         .insert("user_id".to_string(), user.id.to_string());
-    req.mut_extensions().insert(user);
+    req.mut_extensions().insert(TrustedUserId(user.id));
+
     super::me::me(req)
 }
 
