Always normalise vaultId and trim token

2025-04-07 22:29:23 +01:00 · 2025-04-07 22:29:23 +01:00 · 74a8060246
commit 74a8060246
parent 04a24d0b38
11 changed files with 44 additions and 10 deletions
--- a/backend/sync_server/src/server/auth.rs
+++ b/backend/sync_server/src/server/auth.rs
@ -15,6 +15,7 @@ use crate::{
    app_state::{AppState, database::models::VaultId},
    config::user_config::{AllowListedVaults, User, VaultAccess},
    errors::{SyncServerError, permission_denied_error, unauthenticated_error},
+    utils::normalize::normalize_string,
 };

 pub async fn auth_middleware(
@ -24,12 +25,14 @@ pub async fn auth_middleware(
    mut req: Request,
    next: Next,
 ) -> Result<Response, SyncServerError> {
-    let token = auth_header.token();
-    let vault_id = path_params
-        .get("vault_id")
-        .ok_or_else(|| unauthenticated_error(anyhow::anyhow!("Missing vault_id")))?;
+    let token = auth_header.token().trim();
+    let vault_id = normalize_string(
+        path_params
+            .get("vault_id")
+            .ok_or_else(|| unauthenticated_error(anyhow::anyhow!("Missing vault_id")))?,
+    );

-    let user = auth(&state, token, vault_id)?;
+    let user = auth(&state, token, &vault_id)?;

    req.extensions_mut().insert(user);

--- a/backend/sync_server/src/server/create_document.rs
+++ b/backend/sync_server/src/server/create_document.rs
@ -16,12 +16,13 @@ use crate::{
        },
    },
    errors::{SyncServerError, client_error, server_error},
-    utils::sanitize_path,
+    utils::{normalize::normalize, sanitize_path::sanitize_path},
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct CreateDocumentPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
 }

--- a/backend/sync_server/src/server/delete_document.rs
+++ b/backend/sync_server/src/server/delete_document.rs
@ -14,13 +14,15 @@ use crate::{
        },
    },
    errors::{SyncServerError, server_error},
-    utils::sanitize_path,
+    utils::{normalize::normalize, sanitize_path::sanitize_path},
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct DeleteDocumentPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
+
    document_id: DocumentId,
 }

--- a/backend/sync_server/src/server/fetch_document_version.rs
+++ b/backend/sync_server/src/server/fetch_document_version.rs
@ -10,12 +10,15 @@ use crate::{
        database::models::{DocumentId, DocumentVersion, VaultId, VaultUpdateId},
    },
    errors::{SyncServerError, not_found_error, server_error},
+    utils::normalize::normalize,
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct FetchDocumentVersionPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
+
    document_id: DocumentId,
    vault_update_id: VaultUpdateId,
 }
--- a/backend/sync_server/src/server/fetch_document_version_content.rs
+++ b/backend/sync_server/src/server/fetch_document_version_content.rs
@ -12,12 +12,15 @@ use crate::{
        database::models::{DocumentId, VaultId, VaultUpdateId},
    },
    errors::{SyncServerError, not_found_error, server_error},
+    utils::normalize::normalize,
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct FetchDocumentVersionContentPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
+
    document_id: DocumentId,
    vault_update_id: VaultUpdateId,
 }
--- a/backend/sync_server/src/server/fetch_latest_document_version.rs
+++ b/backend/sync_server/src/server/fetch_latest_document_version.rs
@ -10,12 +10,15 @@ use crate::{
        database::models::{DocumentId, DocumentVersion, VaultId},
    },
    errors::{SyncServerError, not_found_error, server_error},
+    utils::normalize::normalize,
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct FetchLatestDocumentVersionPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
+
    document_id: DocumentId,
 }

--- a/backend/sync_server/src/server/fetch_latest_documents.rs
+++ b/backend/sync_server/src/server/fetch_latest_documents.rs
@ -10,11 +10,13 @@ use crate::{
        database::models::{VaultId, VaultUpdateId},
    },
    errors::{SyncServerError, server_error},
+    utils::normalize::normalize,
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct FetchLatestDocumentsPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
 }

--- a/backend/sync_server/src/server/ping.rs
+++ b/backend/sync_server/src/server/ping.rs
@ -13,11 +13,13 @@ use super::{auth::auth, responses::PingResponse};
 use crate::{
    app_state::{AppState, database::models::VaultId},
    errors::SyncServerError,
+    utils::normalize::normalize,
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct PingPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
 }

--- a/backend/sync_server/src/server/update_document.rs
+++ b/backend/sync_server/src/server/update_document.rs
@ -18,13 +18,15 @@ use crate::{
        database::models::{DeviceId, DocumentId, StoredDocumentVersion, VaultId, VaultUpdateId},
    },
    errors::{SyncServerError, client_error, not_found_error, server_error},
-    utils::{deduped_file_paths, sanitize_path},
+    utils::{dedup_paths::dedup_paths, normalize::normalize, sanitize_path::sanitize_path},
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct UpdateDocumentPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
+
    document_id: DocumentId,
 }

@ -171,7 +173,7 @@ async fn internal_update_document(
        && latest_version.relative_path != sanitized_relative_path
    {
        let mut new_relative_path = String::default();
-        for candidate in deduped_file_paths(&sanitized_relative_path) {
+        for candidate in dedup_paths(&sanitized_relative_path) {
            if state
                .database
                .get_latest_document_by_path(&vault_id, &candidate, Some(&mut transaction))
--- a/backend/sync_server/src/server/websocket.rs
+++ b/backend/sync_server/src/server/websocket.rs
@ -21,11 +21,13 @@ use crate::{
        database::models::{DeviceId, DocumentVersionWithoutContent, VaultId, VaultUpdateId},
    },
    errors::{SyncServerError, server_error, unauthenticated_error},
+    utils::normalize::{normalize, normalize_string},
 };

 // This is required for aide to infer the path parameter types and names
 #[derive(Deserialize, JsonSchema)]
 pub struct WebsocketPathParams {
+    #[serde(deserialize_with = "normalize")]
    vault_id: VaultId,
 }

@ -81,7 +83,7 @@ async fn websocket(
            .context("Failed to parse token")
            .map_err(server_error)?;

-        auth(&state, &handshake.token, &vault_id)?;
+        auth(&state, handshake.token.trim(), &normalize_string(&vault_id))?;

        handshake
    } else {
--- a/backend/sync_server/src/utils/normalize.rs
+++ b/backend/sync_server/src/utils/normalize.rs
@ -0,0 +1,11 @@
+use serde::{Deserialize, Deserializer};
+
+pub fn normalize<'de, D>(deserializer: D) -> Result<String, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let s = String::deserialize(deserializer)?;
+    Ok(normalize_string(&s))
+}
+
+pub fn normalize_string(s: &str) -> String { s.trim().to_lowercase() }