From 83bf0015c861f5437d8f815173f8e15d128bf497 Mon Sep 17 00:00:00 2001
From: Pieter Frenssen
Date: Mon, 13 Apr 2020 12:36:49 +0300
Subject: [PATCH] Demonstrate how to use random keys for sessions.
---
 cookie-auth/Cargo.toml | 1 +
 cookie-auth/src/main.rs | 9 +++++++--
 redis-session/Cargo.toml | 1 +
 redis-session/src/main.rs | 15 +++++++++++----
 4 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/cookie-auth/Cargo.toml b/cookie-auth/Cargo.toml
index 13e92939..3795ea0d 100644
--- a/cookie-auth/Cargo.toml
+++ b/cookie-auth/Cargo.toml
@@ -10,3 +10,4 @@ actix-web = "2.0.0"
 actix-identity = "0.2.0"
 actix-rt = "1.0.0"
 env_logger = "0.7"
+rand = "0.7.3"
diff --git a/cookie-auth/src/main.rs b/cookie-auth/src/main.rs
index 6efd51e1..9657bc89 100644
--- a/cookie-auth/src/main.rs
+++ b/cookie-auth/src/main.rs
@@ -1,6 +1,7 @@
 use actix_identity::Identity;
 use actix_identity::{CookieIdentityPolicy, IdentityService};
 use actix_web::{middleware, web, App, HttpResponse, HttpServer};
+use rand::Rng;
 
 async fn index(id: Identity) -> String {
 format!(
@@ -24,10 +25,14 @@ async fn main() -> std::io::Result<()> {
 std::env::set_var("RUST_LOG", "actix_web=info");
 env_logger::init();
 
- HttpServer::new(|| {
+ // Generate a random 32 byte key. Note that it is important to use a unique
+ // private key for every project. Anyone with access to the key can generate
+ // authentication cookies for any user!
+ let private_key = rand::thread_rng().gen::<[u8; 32]>();
+ HttpServer::new(move || {
 App::new()
 .wrap(IdentityService::new(
- CookieIdentityPolicy::new(&[0; 32])
+ CookieIdentityPolicy::new(&private_key)
 .name("auth-example")
 .secure(false),
 ))
diff --git a/redis-session/Cargo.toml b/redis-session/Cargo.toml
index 6b25f282..9d3934ac 100644
--- a/redis-session/Cargo.toml
+++ b/redis-session/Cargo.toml
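Review bot: The key produced by `let private_key = rand::thread_rng().gen::<[u8; 32]>();` in the `@@ -24,10 +25,14 @@` hunk of cookie-auth/src/main.rs is regenerated on every process start, so every previously issued "auth-example" cookie is rejected after a restart and two replicas of this server would not accept each other's cookies; the comment above it talks about a unique key per project but does not state this. For an example a comment is enough, e.g. `// The key is regenerated on every start, which invalidates all existing cookies; a real deployment should load a stable key from its configuration or secret store.` The same applies to the `@@ -76,10 +77,15 @@` hunk of redis-session/src/main.rs, where the same key is handed to `RedisSession::new`; the test hunk there (`@@ -136,10 +142,11 @@`) is fine, since a throwaway key per test run is what you want. `rand::thread_rng()` in rand 0.7 is documented as a cryptographically secure generator seeded from the OS, so the key material itself is adequate. In both files the body of `main` continues outside the hunk.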
@@ -13,5 +13,6 @@ env_logger = "0.7"
 serde = { version = "^1.0", features = ["derive"] }
 actix-service = "1.0.0"
 actix-http = "1.0.0"
+rand = "0.7.3"
 serde_json = "1.0.40"
 time = "0.1.42"
diff --git a/redis-session/src/main.rs b/redis-session/src/main.rs
index f9831a7f..8cd2aed1 100644
--- a/redis-session/src/main.rs
+++ b/redis-session/src/main.rs
@@ -11,6 +11,7 @@ use actix_web::{
 web::{get, post, resource},
 App, HttpResponse, HttpServer, Result,
 };
+use rand::Rng;
 use serde::{Deserialize, Serialize};
 
 #[derive(Serialize, Deserialize, Debug, PartialEq)]
@@ -76,10 +77,15 @@ async fn main() -> std::io::Result<()> {
 std::env::set_var("RUST_LOG", "actix_web=info,actix_redis=info");
 env_logger::init();
 
- HttpServer::new(|| {
+ // Generate a random 32 byte key. Note that it is important to use a unique
+ // private key for every project. Anyone with access to the key can generate
+ // authentication cookies for any user!
+ let private_key = rand::thread_rng().gen::<[u8; 32]>();
+
+ HttpServer::new(move || {
 App::new()
 // redis session middleware
- .wrap(RedisSession::new("127.0.0.1:6379", &[0; 32]))
+ .wrap(RedisSession::new("127.0.0.1:6379", &private_key))
 // enable logger - always register actix-web Logger middleware last
 .wrap(middleware::Logger::default())
 .service(resource("/").route(get().to(index)))
@@ -136,10 +142,11 @@ mod test {
 // - set-cookie actix-session will be in response (session cookie #3)
 // - response should be: {"counter": 0, "user_id": None}
 
- let srv = test::start(|| {
+ let private_key = rand::thread_rng().gen::<[u8; 32]>();
+ let srv = test::start(move || {
 App::new()
 .wrap(
- RedisSession::new("127.0.0.1:6379", &[0; 32])
+ RedisSession::new("127.0.0.1:6379", &private_key)
 .cookie_name("test-session"),
 )
 .wrap(middleware::Logger::default())