Use SecretString for access tokens

Author: Redande

services/headless-lms/Cargo.lock

@@ -55,3 +55,5 @@ sqlx = { version = "0.8.6", features = [
   "chrono",
   "json",
 ] }
+
+secrecy = { version = "0.10.3", features = ["serde"] }

services/headless-lms/Cargo.toml

@@ -59,7 +59,7 @@ anyhow = "1.0.100"
 # HTTP client for Rust
 reqwest = { version = "0.12.23", features = ["json"] }
 # Secret value wrapper to avoid leaking secrets in logs and memory
-secrecy = "0.10.3"
+secrecy.workspace = true
 # Password hashing using Argon2id
 argon2 = "0.5.3"
 

services/headless-lms/models/Cargo.toml

@@ -60,7 +60,14 @@ blake3 = "1.8.2"
 # Recursively walk a directory.
 walkdir = "2.5.0"
 # higher level HTTP client library
-reqwest = { version = "0.12.23", features = ["brotli", "gzip", "json", "http2", "rustls-tls", "stream"] }
+reqwest = { version = "0.12.23", features = [
+  "brotli",
+  "gzip",
+  "json",
+  "http2",
+  "rustls-tls",
+  "stream",
+] }
 # Sessions for Actix web
 actix-session = { version = "0.11.0", features = ["cookie-session"] }
 # An extensible, strongly-typed implementation of OAuth2
@@ -130,7 +137,7 @@ tokio-util = "0.7.16"
 # Asynchronous streams using async & await notation
 async-stream = "0.3.6"
 # Secret value wrapper to avoid leaking secrets in logs and memory
-secrecy = { version = "0.10.3", features = ["serde"] }
+secrecy.workspace = true
 # Password hashing using Argon2id
 argon2 = "0.5.3"
 

services/headless-lms/server/Cargo.toml

@@ -4,8 +4,6 @@ Handlers for HTTP requests to `/api/v0/tmc-server/users-by-upstream-id`.
 These endpoints are used by the TMC server so that it can integrate with this system.
 */
 
-use std::env;
-
 use crate::{
     domain::authorization::{
         authorize_access_from_tmc_server_to_course_mooc_fi,
@@ -30,12 +28,8 @@ pub async fn get_user_by_upstream_id(
 ) -> ControllerResult<web::Json<User>> {
     let mut conn = pool.acquire().await?;
     let token = authorize_access_from_tmc_server_to_course_mooc_fi(&request).await?;
-    let tmc_access_token = env::var("TMC_ACCESS_TOKEN").expect("TMC_ACCESS_TOKEN must be defined");
     let tmc_user = tmc_client
-        .get_user_from_tmc_mooc_fi_by_tmc_access_token_and_upstream_id(
-            &tmc_access_token,
-            &upstream_id,
-        )
+        .get_user_from_tmc_mooc_fi_by_tmc_access_token_and_upstream_id(&upstream_id)
         .await?;
 
     debug!(

services/headless-lms/server/src/controllers/tmc_server/users_by_upstream_id.rs

@@ -22,6 +22,7 @@ use oauth2::ResourceOwnerUsername;
 use oauth2::StandardTokenResponse;
 use oauth2::TokenResponse;
 use oauth2::basic::BasicTokenType;
+use secrecy::SecretString;
 use serde::{Deserialize, Serialize};
 use sqlx::PgConnection;
 use std::env;
@@ -722,7 +723,7 @@ pub async fn authenticate_moocfi_user(
     email: String,
     password: String,
     tmc_client: &TmcClient,
-) -> anyhow::Result<Option<(User, LoginToken)>> {
+) -> anyhow::Result<Option<(User, SecretString)>> {
     info!("Attempting to authenticate user with TMC");
     let token = match exchange_password_with_tmc(client, email.clone(), password).await? {
         Some(token) => token,
@@ -731,7 +732,7 @@ pub async fn authenticate_moocfi_user(
     debug!("Successfully obtained OAuth token from TMC");
 
     let tmc_user = tmc_client
-        .get_user_from_tmc_mooc_fi_by_tmc_access_token(token.access_token().secret())
+        .get_user_from_tmc_mooc_fi_by_tmc_access_token(token.clone())
         .await?;
     debug!(
         "Creating or fetching user with TMC id {} and mooc.fi UUID {}",
@@ -766,7 +767,7 @@ pub async fn exchange_password_with_tmc(
     client: &OAuthClient,
     email: String,
     password: String,
-) -> anyhow::Result<Option<LoginToken>> {
+) -> anyhow::Result<Option<SecretString>> {
     let token_result = client
         .exchange_password(
             &ResourceOwnerUsername::new(email),
@@ -775,7 +776,9 @@ pub async fn exchange_password_with_tmc(
         .request_async(&async_http_client_with_headers)
         .await;
     match token_result {
-        Ok(token) => Ok(Some(token)),
+        Ok(token) => Ok(Some(SecretString::new(
+            token.access_token().secret().to_owned().into(),
+        ))),
         Err(RequestTokenError::ServerResponse(server_response)) => {
             let error = server_response.error();
             let error_description = server_response.error_description();
@@ -912,12 +915,13 @@ pub async fn authenticate_test_user(
 // Only used for testing, not to use in production.
 pub async fn authenticate_test_token(
     conn: &mut PgConnection,
-    token: &str,
+    _token: &SecretString,
     application_configuration: &ApplicationConfiguration,
 ) -> anyhow::Result<User> {
     // Sanity check to ensure this is not called outside of test mode. The whole application configuration is passed to this function instead of just the boolean to make mistakes harder.
     assert!(application_configuration.test_mode);
-    let user = models::users::get_by_email(conn, token).await?;
+    // TODO: this has never worked
+    let user = models::users::get_by_email(conn, "TODO").await?;
     Ok(user)
 }
 

services/headless-lms/server/src/domain/authorization.rs

@@ -1,12 +1,12 @@
 use crate::{
-    domain::authorization::{self, LoginToken, get_or_create_user_from_tmc_mooc_fi_response},
+    domain::authorization::{self, get_or_create_user_from_tmc_mooc_fi_response},
     prelude::*,
 };
 use actix_web::{FromRequest, http::header};
 use futures_util::{FutureExt, future::LocalBoxFuture};
 use headless_lms_utils::{cache::Cache, tmc::TmcClient};
 use models::users::User;
-use oauth2::TokenResponse;
+use secrecy::{ExposeSecret, SecretString};
 use std::ops::{Deref, DerefMut};
 use std::time::Duration;
 
@@ -48,7 +48,8 @@ impl FromRequest for UserFromTMCAccessToken {
             .headers()
             .get(header::AUTHORIZATION)
             .map(|hv| String::from_utf8_lossy(hv.as_bytes()))
-            .and_then(|h| h.strip_prefix("Bearer ").map(str::to_string));
+            .and_then(|h| h.strip_prefix("Bearer ").map(str::to_string))
+            .map(|o| SecretString::new(o.into()));
 
         let tmc_client: web::Data<TmcClient> = req
             .app_data::<web::Data<TmcClient>>()
@@ -79,15 +80,8 @@ impl FromRequest for UserFromTMCAccessToken {
                 match load_user(&cache, &token).await {
                     Some(user) => user,
                     None => {
-                        let token = LoginToken::new(
-                            oauth2::AccessToken::new(token),
-                            oauth2::basic::BasicTokenType::Bearer,
-                            oauth2::EmptyExtraTokenFields {},
-                        );
                         let tmc_user = tmc_client
-                            .get_user_from_tmc_mooc_fi_by_tmc_access_token(
-                                token.access_token().secret(),
-                            )
+                            .get_user_from_tmc_mooc_fi_by_tmc_access_token(token.clone())
                             .await?;
 
                         debug!(
@@ -126,16 +120,22 @@ struct TmcUser {
     administrator: bool,
 }
 
-pub async fn cache_user(cache: &Cache, token: &LoginToken, user: &User) {
+fn token_to_cache_key(token: &SecretString) -> String {
+    let mut hasher = blake3::Hasher::new();
+    hasher.update(token.expose_secret().as_bytes());
+    format!("user:{}", hasher.finalize().to_hex())
+}
+
+pub async fn cache_user(cache: &Cache, token: &SecretString, user: &User) {
     cache
         .cache_json(
-            token.access_token().secret(),
+            token_to_cache_key(token),
             user,
             Duration::from_secs(60 * 60),
         )
         .await;
 }
 
-pub async fn load_user(cache: &Cache, token: &str) -> Option<User> {
-    cache.get_json(token).await
+pub async fn load_user(cache: &Cache, token: &SecretString) -> Option<User> {
+    cache.get_json(token_to_cache_key(token)).await
 }

services/headless-lms/server/src/domain/langs/token.rs

@@ -6,6 +6,7 @@ use crate::{
 use headless_lms_utils::{
     ApplicationConfiguration, file_store::local_file_store::LocalFileStore, tmc::TmcClient,
 };
+use secrecy::SecretString;
 use sqlx::{Connection, PgConnection, Postgres, Transaction};
 use std::{env, sync::Arc};
 use tokio::sync::Mutex;
@@ -31,6 +32,7 @@ postgres://headless-lms:only-for-local-development-intentionally-public@postgres
             azure_configuration: None,
             test_chatbot: false,
             tmc_account_creation_origin: None,
+            tmc_admin_access_token: SecretString::new("mock-access-token".to_string().into()),
         },
         redis_url: "redis://example.com".to_string(),
         jwt_password: "sMG87WlKnNZoITzvL2+jczriTR7JRsCtGu/bSKaSIvw=asdfjklasd***FSDfsdASDFDS"

services/headless-lms/server/src/test_helper.rs

@@ -15,6 +15,7 @@ use headless_lms_server::{
 use headless_lms_utils::{
     ApplicationConfiguration, file_store::local_file_store::LocalFileStore, tmc::TmcClient,
 };
+use secrecy::SecretString;
 use sqlx::{Connection, PgConnection, PgPool, Postgres, migrate::MigrateDatabase};
 use tokio::sync::Mutex;
 use uuid::Uuid;
@@ -81,6 +82,7 @@ pub async fn test_config() -> ServerConfig {
             azure_configuration: None,
             test_chatbot: false,
             tmc_account_creation_origin: None,
+            tmc_admin_access_token: SecretString::new("mock-access-token".to_string().into()),
         },
         redis_url: "redis://example.com".to_string(),
         jwt_password: "sMG87WlKnNZoITzvL2+jczriTR7JRsCtGu/bSKaSIvw=asdfjklasd***FSDfsdASDFDS"

services/headless-lms/server/tests/integration_test.rs

@@ -88,6 +88,8 @@ redis = { version = "0.32.6", features = [
   "tokio-comp",
   "connection-manager",
 ] }
+# Secret value wrapper to avoid leaking secrets in logs and memory
+secrecy.workspace = true
 
 [dev-dependencies]
 # Overwrite `assert_eq!` and `assert_ne!` with drop-in replacements, adding colorful diffs.