feat: Replace ad hoc auth header with internet standard bearer token

auth header

Cargo.lock

@@ -314,6 +314,21 @@ dependencies = [
  "syn 1.0.103",
 ]
 
+[[package]]
+name = "actix-web-httpauth"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d613edf08a42ccc6864c941d30fe14e1b676a77d16f1dbadc1174d065a0a775"
+dependencies = [
+ "actix-utils",
+ "actix-web",
+ "base64 0.21.2",
+ "futures-core",
+ "futures-util",
+ "log",
+ "pin-project-lite",
+]
+
 [[package]]
 name = "actix-web-prom"
 version = "0.6.0"
@@ -2672,6 +2687,7 @@ version = "0.18.1"
 dependencies = [
  "activitypub_federation",
  "actix-web",
+ "actix-web-httpauth",
  "async-trait",
  "bcrypt",
  "chrono",
@@ -2867,6 +2883,7 @@ dependencies = [
  "activitypub_federation",
  "actix-cors",
  "actix-web",
+ "actix-web-httpauth",
  "actix-web-prom",
  "chrono",
  "clap",

Cargo.toml

@@ -83,6 +83,7 @@ actix-web = { version = "4.3.1", default-features = false, features = [
   "compress-gzip",
   "compress-zstd",
 ] }
+actix-web-httpauth = "0.8.1"
 tracing = "0.1.37"
 tracing-actix-web = { version = "0.7.5", default-features = false }
 tracing-error = "0.2.0"
@@ -169,3 +170,4 @@ actix-web-prom = { version = "0.6.0", optional = true }
 serial_test = { workspace = true }
 clap = { version = "4.3.19", features = ["derive"] }
 lemmy_federate = { version = "0.18.1", path = "crates/federate" }
+actix-web-httpauth = { workspace = true }

crates/api_crud/Cargo.toml

@@ -18,6 +18,7 @@ activitypub_federation = { workspace = true }
 bcrypt = { workspace = true }
 serde = { workspace = true }
 actix-web = { workspace = true }
+actix-web-httpauth = { workspace = true }
 tracing = { workspace = true }
 url = { workspace = true }
 async-trait = { workspace = true }

crates/utils/translations

@@ -1 +1 @@
-Subproject commit 1c42c579460871de7b4ea18e58dc25543b80d289
+Subproject commit a0f95fc29b7501156b6d8bbb504b1e787b5769e7

src/session_middleware.rs

@@ -2,17 +2,15 @@ use actix_web::{
   body::MessageBody,
   cookie::SameSite,
   dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
-  http::header::CACHE_CONTROL,
+  http::header::{Header, CACHE_CONTROL},
-  Error,
+  Error, HttpMessage,
-  HttpMessage,
 };
+use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
 use chrono::{DateTime, Utc};
 use core::future::Ready;
 use futures_util::future::LocalBoxFuture;
 use lemmy_api_common::{
-  context::LemmyContext,
+  context::LemmyContext, lemmy_db_views::structs::LocalUserView, utils::check_user_valid,
-  lemmy_db_views::structs::LocalUserView,
-  utils::check_user_valid,
 };
 use lemmy_db_schema::newtypes::LocalUserId;
 use lemmy_utils::{
@@ -76,13 +74,9 @@ where
     let context = self.context.clone();
 
     Box::pin(async move {
-      // Try reading jwt from auth header
+      let auth_header = Authorization::<Bearer>::parse(&req).ok();
-      let auth_header = req
-        .headers()
-        .get(AUTH_COOKIE_NAME)
-        .and_then(|h| h.to_str().ok());
       let jwt = if let Some(a) = auth_header {
-        Some(a.to_string())
+        Some(a.as_ref().token().to_string())
       }
       // If that fails, try auth cookie. Dont use the `jwt` cookie from lemmy-ui because
       // its not http-only.