kanidm · Firstyear · Dec 20, 2024 · Dec 11, 2024 · Dec 11, 2024 · Dec 12, 2024
@@ -261,4 +261,4 @@ jobs:
           triplet: x64-windows-static-md
           token: ${{ github.token }}
 
-      - run: cargo build -p actix_web -p web_authn -p tide-server
+      - run: cargo build -p actix_tutorial -p axum_tutorial -p tide_tutorial
@@ -33,7 +33,6 @@ members = [
     "tutorial/server/tide",
     "tutorial/server/axum",
     "tutorial/server/actix_web",
-    "tutorial/wasm",
     # Attestatation struct format
     "attestation-ca",
     # Fido MDS tools
@@ -52,7 +51,10 @@ members = [
 ]
 
 # Due to --cfg=web_sys_unstable_apis
-exclude = ["compat_tester/webauthn-rs-demo-wasm"]
+exclude = [
+    "compat_tester/webauthn-rs-demo-wasm",
+    "tutorial/wasm",
+]
 
 [workspace.dependencies]
 # These are in release/dependency order.
@@ -70,6 +72,7 @@ cable-tunnel-server-common = { path = "./cable-tunnel-server/common", version =
 webauthn-rs-device-catalog = { path = "./device-catalog" }
 
 async-std = { version = "1.6", features = ["attributes"] }
+anyhow = "1.0"
 base64 = "0.21"
 clap = { version = "^4.5", features = ["derive", "env"] }
 compact_jwt = "0.4.2"
@@ -87,8 +90,11 @@ hyper-util = { version = "0.1.10", features = [
 nom = "7.1"
 peg = "0.8.1"
 openssl = "^0.10.56"
+
 rand = "0.8"
 rand_chacha = "0.3.1"
+reqwest = { version = "0.12", default-features = false, features = [ "rustls-tls-native-roots" ] }
+
 serde = { version = "^1.0.141", features = ["derive"] }
 serde_cbor_2 = { version = "0.12.0-dev" }
 serde_json = "^1.0.79"
@@ -110,6 +116,7 @@ tracing-subscriber = { version = "0.3", features = [
     "std",
     "fmt",
 ] }
+tracing-log = { version = "0.2.0" }
 tungstenite = { version = "^0.24.0", default-features = false, features = [
     "handshake",
 ] }

@@ -18,4 +18,4 @@ clap.workspace = true
 
 tracing.workspace = true
 tracing-subscriber.workspace = true
-tracing-log = { version = "0.1.3" }
+tracing-log.workspace = true
@@ -28,7 +28,7 @@ serde.workspace = true
 
 webauthn-rs-device-catalog =  { workspace = true }
 fido-mds = { workspace = true }
-reqwest = "0.11"
+reqwest = { version = "0.12", default-features = false, features = [ "rustls-tls-native-roots" ] }
 
 [dependencies.tide-openssl]
 git = "https://github.com/victorcwai/tide-openssl.git"

@@ -44,4 +44,4 @@ tracing-subscriber.workspace = true
 webauthn-rs-core.workspace = true
 
 [build-dependencies]
-embed-resource = "2.1"
+embed-resource = "3"
@@ -2,6 +2,8 @@ fn main() {
     let target_os = std::env::var("CARGO_CFG_TARGET_OS").unwrap_or_default();
 
     if !cfg!(feature = "disable_windows_manifest") && target_os == "windows" {
-        embed_resource::compile("windows/fido-key-manager.rc", embed_resource::NONE);
+        embed_resource::compile("windows/fido-key-manager.rc", embed_resource::NONE)
+            .manifest_required()
+            .expect("Unable to embed windows/fido-key-manager.rc");
     }
 }
@@ -21,6 +21,7 @@ tracing-subscriber.workspace = true
 uuid.workspace = true
 
 url = { version = "2", features = ["serde"] }
-reqwest = { version = "0.11", features = ["blocking", "native-tls"] }
+
+reqwest = { workspace = true, features = ["blocking"] }
 
 serde_json.workspace = true
@@ -1,5 +1,5 @@
 [package]
-name = "actix_web"
+name = "actix_tutorial"
 version = "0.1.0"
 edition = "2021"
 authors = ["Niklas Pfister <[email protected]>"]
@@ -10,7 +10,7 @@ authors = ["Niklas Pfister <[email protected]>"]
 # Webframework
 actix-web = { version = ">=4.5.1" }
 # Session framework for actix-web
-actix-session = { version = "~0.9", features = ["cookie-session"] }
+actix-session = { version = "~0.10", features = ["cookie-session"] }
 # Async trait, anyhow, chrono, once_cell and rand are required for the implementation of a
 # server-side memory-backed session store.
 # Normally, you want to use a database / redis backend as session store, but for the simplicity of this
@@ -22,17 +22,17 @@ once_cell = { version = ">=1.18" }
 rand = { workspace = true }
 
 # Nicer error management
-thiserror = { version = "~1" }
+thiserror = { version = "~2" }
 
 # Serve static file. Used to serve wasm
 actix-files = { version = "~0.6" }
 
 # Async runtime
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 
-# Logging framework + facade
-env_logger = { version = "~0.10" }
-log = { version = "~0.4" }
+tracing.workspace = true
+tracing-subscriber.workspace = true
+tracing-log.workspace = true
 
 # Webauthn framework
 webauthn-rs = { workspace = true, features = ["danger-allow-state-serialisation"] }
@@ -1,8 +1,8 @@
 use actix_session::Session;
 use actix_web::web::{Data, Json, Path};
 use actix_web::HttpResponse;
-use log::{error, info};
 use tokio::sync::Mutex;
+use tracing::{error, info};
 
 use crate::handler::{Error, WebResult};
 use crate::startup::UserData;

@@ -6,7 +6,7 @@ use actix_web::middleware::Logger;
 use actix_web::web::JsonConfig;
 use actix_web::web::{get, post};
 use actix_web::{App, HttpServer};
-use log::info;
+use tracing::info;
 
 use crate::handler::auth::{
     finish_authentication, finish_register, start_authentication, start_register,
@@ -22,12 +22,11 @@ mod startup;
 
 #[tokio::main]
 async fn main() {
-    if std::env::var_os("RUST_LOG").is_none() {
-        std::env::set_var("RUST_LOG", "info");
+    if std::env::var("RUST_LOG").is_err() {
+        std::env::set_var("RUST_LOG", "INFO");
     }
-
-    // Initialize env-logger
-    env_logger::init();
+    // initialize tracing
+    tracing_subscriber::fmt::init();
 
     // Generate secret key for cookies.
     // Normally you would read this from a configuration file.

@@ -1,5 +1,5 @@
 [package]
-name = "web_authn"
+name = "axum_tutorial"
 version = "0.1.0"
 edition = "2021"
 authors = ["William Brown <[email protected]>, Ben Wishovich <[email protected]>"]
@@ -12,14 +12,14 @@ tracing.workspace = true
 tracing-subscriber.workspace = true
 serde.workspace = true
 webauthn-rs = { workspace = true, features = ["danger-allow-state-serialisation"] }
-axum = { version = "0.6.1", features = ["http2"] }
+axum = { version = "0.7" }
 tokio = { workspace = true, features = ["full"] }
 uuid = { workspace = true, features = ["v4"] }
 url.workspace = true
 thiserror.workspace = true
-tower = "0.4.13"
-tower-http = { version = "0.4.4", features = ["fs"] }
-tower-sessions = "0.6"
+tower = "0.5"
+tower-http = { version = "0.6", features = ["fs"] }
+tower-sessions = "0.13"
 
 [features]
 default = ["wasm"]

@@ -76,7 +76,7 @@ pub async fn start_register(
     };
 
     // Remove any previous registrations that may have occured from the session.
-    session.remove_value("reg_state");
+    let _ = session.remove_value("reg_state").await;
 
     // If the user has any other credentials, we exclude these here so they can't be duplicate registered.
     // It also hints to the browser that only new credentials should be "blinked" for interaction.
@@ -100,6 +100,7 @@ pub async fn start_register(
             // not open to replay attacks. If this was a cookie store, this would be UNSAFE.
             session
                 .insert("reg_state", (username, user_unique_id, reg_state))
+                .await
                 .expect("Failed to insert");
             info!("Registration Successful!");
             Json(ccr)
@@ -121,15 +122,15 @@ pub async fn finish_register(
     session: Session,
     Json(reg): Json<RegisterPublicKeyCredential>,
 ) -> Result<impl IntoResponse, WebauthnError> {
-    let (username, user_unique_id, reg_state) = match session.get("reg_state")? {
+    let (username, user_unique_id, reg_state) = match session.get("reg_state").await? {
         Some((username, user_unique_id, reg_state)) => (username, user_unique_id, reg_state),
         None => {
             error!("Failed to get session");
             return Err(WebauthnError::CorruptSession);
         }
     };
 
-    session.remove_value("reg_state");
+    let _ = session.remove_value("reg_state").await;
 
     let res = match app_state
         .webauthn
@@ -197,7 +198,7 @@ pub async fn start_authentication(
     // some other process.
 
     // Remove any previous authentication that may have occured from the session.
-    session.remove_value("auth_state");
+    let _ = session.remove_value("auth_state").await;
 
     // Get the set of keys that the user possesses
     let users_guard = app_state.users.lock().await;
@@ -227,6 +228,7 @@ pub async fn start_authentication(
             // not open to replay attacks. If this was a cookie store, this would be UNSAFE.
             session
                 .insert("auth_state", (user_unique_id, auth_state))
+                .await
                 .expect("Failed to insert");
             Json(rcr)
         }
@@ -249,10 +251,11 @@ pub async fn finish_authentication(
     Json(auth): Json<PublicKeyCredential>,
 ) -> Result<impl IntoResponse, WebauthnError> {
     let (user_unique_id, auth_state): (Uuid, PasskeyAuthentication) = session
-        .get("auth_state")?
+        .get("auth_state")
+        .await?
         .ok_or(WebauthnError::CorruptSession)?;
 
-    session.remove_value("auth_state");
+    let _ = session.remove_value("auth_state").await;
 
     let res = match app_state
         .webauthn

@@ -1,9 +1,5 @@
-use axum::{
-    error_handling::HandleErrorLayer, extract::Extension, http::StatusCode, response::IntoResponse,
-    routing::post, BoxError, Router,
-};
+use axum::{extract::Extension, http::StatusCode, response::IntoResponse, routing::post, Router};
 use std::{net::SocketAddr, path::PathBuf};
-use tower::ServiceBuilder;
 use tower_sessions::{
     cookie::{time::Duration, SameSite},
     Expiry, MemoryStore, SessionManagerLayer,
@@ -46,17 +42,6 @@ async fn main() {
     let app_state = AppState::new();
 
     let session_store = MemoryStore::default();
-    let session_service = ServiceBuilder::new()
-        .layer(HandleErrorLayer::new(|_: BoxError| async {
-            StatusCode::BAD_REQUEST
-        }))
-        .layer(
-            SessionManagerLayer::new(session_store)
-                .with_name("webauthnrs")
-                .with_same_site(SameSite::Strict)
-                .with_secure(false) // TODO: change this to true when running on an HTTPS/production server instead of locally
-                .with_expiry(Expiry::OnInactivity(Duration::seconds(360))),
-        );
 
     // build our application with a route
     let app = Router::new()
@@ -65,7 +50,13 @@ async fn main() {
         .route("/login_start/:username", post(start_authentication))
         .route("/login_finish", post(finish_authentication))
         .layer(Extension(app_state))
-        .layer(session_service)
+        .layer(
+            SessionManagerLayer::new(session_store)
+                .with_name("webauthnrs")
+                .with_same_site(SameSite::Strict)
+                .with_secure(false) // TODO: change this to true when running on an HTTPS/production server instead of locally
+                .with_expiry(Expiry::OnInactivity(Duration::seconds(360))),
+        )
         .fallback(handler_404);
 
     #[cfg(feature = "wasm")]
@@ -88,10 +79,11 @@ async fn main() {
     let addr = SocketAddr::from(([0, 0, 0, 0], 8080));
     info!("listening on {addr}");
 
-    axum::Server::bind(&addr)
-        .serve(app.into_make_service())
+    let listener = tokio::net::TcpListener::bind(addr)
         .await
-        .unwrap();
+        .expect("Unable to spawn tcp listener");
+
+    axum::serve(listener, app).await.unwrap();
 }
 
 async fn handler_404() -> impl IntoResponse {

@@ -1,5 +1,5 @@
 [package]
-name = "tide-server"
+name = "tide_tutorial"
 version = "0.1.0"
 edition = "2021"
 authors = ["William Brown <[email protected]>"]

@@ -1,5 +1,5 @@
 [package]
-name = "wasm"
+name = "wasm_tutorial"
 version = "0.1.1"
 edition = "2021"
 authors = ["William Brown <[email protected]>"]

@@ -84,9 +84,9 @@ impl App {
 
     // Do the fetch in the background.
     async fn register_begin(username: String) -> Result<AppMsg, FetchError> {
-        let mut opts = RequestInit::new();
-        opts.method("POST");
-        opts.mode(RequestMode::SameOrigin);
+        let opts = RequestInit::new();
+        opts.set_method("POST");
+        opts.set_mode(RequestMode::SameOrigin);
 
         let dest = format!("/register_start/{username}");
         let request = Request::new_with_str_and_init(&dest, &opts)?;
@@ -168,10 +168,10 @@ impl App {
             .map(|s| JsValue::from(&s))
             .expect("Failed to serialise rpkc");
 
-        let mut opts = RequestInit::new();
-        opts.method("POST");
-        opts.mode(RequestMode::SameOrigin);
-        opts.body(Some(&req_jsvalue));
+        let opts = RequestInit::new();
+        opts.set_method("POST");
+        opts.set_mode(RequestMode::SameOrigin);
+        opts.set_body(&req_jsvalue);
 
         let request = Request::new_with_str_and_init("/register_finish", &opts)?;
         request
@@ -240,9 +240,9 @@ impl App {
 
     // Do the fetch in the background.
     async fn authenticate_begin(username: String) -> Result<AppMsg, FetchError> {
-        let mut opts = RequestInit::new();
-        opts.method("POST");
-        opts.mode(RequestMode::SameOrigin);
+        let opts = RequestInit::new();
+        opts.set_method("POST");
+        opts.set_mode(RequestMode::SameOrigin);
 
         let dest = format!("/login_start/{username}");
         let request = Request::new_with_str_and_init(&dest, &opts)?;
@@ -317,10 +317,10 @@ impl App {
             .map(|s| JsValue::from(&s))
             .expect("Failed to serialise pkc");
 
-        let mut opts = RequestInit::new();
-        opts.method("POST");
-        opts.mode(RequestMode::SameOrigin);
-        opts.body(Some(&req_jsvalue));
+        let opts = RequestInit::new();
+        opts.set_method("POST");
+        opts.set_mode(RequestMode::SameOrigin);
+        opts.set_body(&req_jsvalue);
 
         let request = Request::new_with_str_and_init("/login_finish", &opts)?;
         request