Make login path configurable for security by obscurity

src/main.rs

@@ -9,11 +9,20 @@ mod middleware;
 mod post;
 mod routes;
 
+#[derive(Clone)]
+pub struct State {
+    pub login_path: String,
+}
+
 #[async_std::main]
 async fn main() -> std::io::Result<()> {
     dotenv::dotenv().ok();
     tide::log::start();
-    let mut app = tide::new();
+
+    let login_path = std::env::var("LOGIN_PATH").unwrap_or(String::from("/login"));
+    let mut app = tide::with_state(State {
+        login_path: login_path.clone(),
+    });
 
     app.with(After(errors));
     app.with(session());
@@ -29,7 +38,7 @@ async fn main() -> std::io::Result<()> {
     app.at("/posts/:id/edit")
         .with(require_auth)
         .get(routes::edit_post);
-    app.at("/login")
+    app.at(&login_path)
         .with(require_guest)
         .get(routes::login_page)
         .post(routes::login);

src/middleware.rs

@@ -7,7 +7,7 @@ use tide::{
 use std::{env, future::Future, io::ErrorKind, pin::Pin};
 use tera::Context;
 
-use crate::routes;
+use crate::{routes, State};
 
 pub fn session() -> SessionMiddleware<CookieStore> {
     SessionMiddleware::new(
@@ -22,22 +22,23 @@ pub fn session() -> SessionMiddleware<CookieStore> {
 }
 
 pub fn require_auth<'a>(
-    req: Request<()>,
-    next: Next<'a, ()>,
+    req: Request<State>,
+    next: Next<'a, State>,
 ) -> Pin<Box<dyn Future<Output = Result> + 'a + Send>> {
     Box::pin(async {
         let logged_in: bool = req.session().get("logged_in").unwrap_or(false);
         if logged_in {
             Ok(next.run(req).await)
         } else {
-            Ok(Redirect::new("/login").into())
+            let login_path = &req.state().login_path;
+            Ok(Redirect::new(login_path).into())
         }
     })
 }
 
 pub fn require_guest<'a>(
-    req: Request<()>,
-    next: Next<'a, ()>,
+    req: Request<State>,
+    next: Next<'a, State>,
 ) -> Pin<Box<dyn Future<Output = Result> + 'a + Send>> {
     Box::pin(async {
         let logged_in: bool = req.session().get("logged_in").unwrap_or(false);

src/routes.rs

@@ -7,7 +7,7 @@ use uuid::Uuid;
 
 use std::env;
 
-use crate::{fs, post::Post};
+use crate::{fs, post::Post, State};
 
 #[derive(Debug, Serialize, Deserialize)]
 struct User {
@@ -15,14 +15,14 @@ struct User {
     password: String,
 }
 
-pub async fn index(req: Request<()>) -> Result {
+pub async fn index(req: Request<State>) -> Result {
     let posts: Vec<Post> = fs::get_all_posts().await?;
     let mut context = Context::new();
     context.insert("posts", &posts);
     render_response("index.html", &context, &req)
 }
 
-pub async fn single_post(req: Request<()>) -> Result {
+pub async fn single_post(req: Request<State>) -> Result {
     let mut context = Context::new();
     let post_id = req.param("id")?;
     let post = fs::get_one_post(post_id).await?;
@@ -30,7 +30,7 @@ pub async fn single_post(req: Request<()>) -> Result {
     render_response("single.html", &context, &req)
 }
 
-pub async fn edit_post(req: Request<()>) -> Result {
+pub async fn edit_post(req: Request<State>) -> Result {
     let mut context = Context::new();
     let post_id = req.param("id")?;
     let mut post = fs::get_one_post(post_id).await?;
@@ -39,7 +39,7 @@ pub async fn edit_post(req: Request<()>) -> Result {
     render_response("edit.html", &context, &req)
 }
 
-pub async fn create_post(mut req: Request<()>) -> Result {
+pub async fn create_post(mut req: Request<State>) -> Result {
     let mut post: Post = req.body_form().await?;
     post.id = Uuid::new_v4().to_string();
     post.date = Local::now().date().naive_local().to_string();
@@ -48,13 +48,13 @@ pub async fn create_post(mut req: Request<()>) -> Result {
     Ok(Redirect::new("/").into())
 }
 
-pub async fn update_post(mut req: Request<()>) -> Result {
+pub async fn update_post(mut req: Request<State>) -> Result {
     let mut post: Post = req.body_form().await?;
     post.save().await?;
     Ok(Redirect::new(format!("/posts/{}", post.id)).into())
 }
 
-pub async fn delete_post(req: Request<()>) -> Result {
+pub async fn delete_post(req: Request<State>) -> Result {
     let id: String = req.param("id")?;
     fs::delete_post(id)?;
     let mut res = Response::new(StatusCode::Ok);
@@ -63,7 +63,7 @@ pub async fn delete_post(req: Request<()>) -> Result {
     Ok(res)
 }
 
-pub async fn login_page(mut req: Request<()>) -> Result {
+pub async fn login_page(mut req: Request<State>) -> Result {
     let mut context = Context::new();
     match req.session_mut().get::<String>("flash_error") {
         Some(error) => {
@@ -75,7 +75,7 @@ pub async fn login_page(mut req: Request<()>) -> Result {
     render_response("login.html", &context, &req)
 }
 
-pub async fn login(mut req: Request<()>) -> Result {
+pub async fn login(mut req: Request<State>) -> Result {
     let username = env::var("ADMIN_USERNAME")?;
     let password = env::var("ADMIN_PASSWORD")?;
     let user: User = req.body_form().await?;
@@ -87,20 +87,26 @@ pub async fn login(mut req: Request<()>) -> Result {
         req.session_mut().remove("logged_in");
         req.session_mut()
             .insert("flash_error", "Invalid credentials")?;
-        Ok(Redirect::new("/login").into())
+        Ok(Redirect::new(&req.state().login_path).into())
     }
 }
 
-pub async fn logout(mut req: Request<()>) -> Result {
+pub async fn logout(mut req: Request<State>) -> Result {
     req.session_mut().remove("logged_in");
     req.session_mut().insert("logged_in", false)?;
     Ok(Redirect::new("/").into())
 }
 
-pub fn render_response(template: &str, context: &Context, req: &Request<()>) -> Result<Response> {
+pub fn render_response(
+    template: &str,
+    context: &Context,
+    req: &Request<State>,
+) -> Result<Response> {
     let mut context = context.clone();
     let logged_in: bool = req.session().get("logged_in").unwrap_or(false);
     context.insert("logged_in", &logged_in);
+    let login_path = &req.state().login_path;
+    context.insert("login_path", login_path);
     let html = render_template(template, &context)?;
     let mut res = Response::new(StatusCode::Ok);
     res.set_body(html);

templates/login.html

@@ -1,18 +1,24 @@
 {% extends "layout.html" %} {% block content %}
 <h1 class="heading">Login</h1>
-<form class="form" method="POST" action="/login">
+<form class="form" method="POST" action="{{ login_path }}">
   <div class="form__field">
     <label for="username" class="form__label">Username</label>
-    <input class="form__text-field" type="text" name="username" required autofocus />
+    <input
+      class="form__text-field"
+      type="text"
+      name="username"
+      required
+      autofocus
+    />
   </div>
   <div class="form__field">
     <label for="password" class="form__label">Password</label>
     <input class="form__text-field" type="password" name="password" required />
   </div>
   {% if error %}
-    <div class="error">
-      <p class="error__message">{{ error }}</p>
-    </div>
+  <div class="error">
+    <p class="error__message">{{ error }}</p>
+  </div>
   {% endif %}
   <div class="form__field">
     <input class="form__button" type="submit" value="Login" />