Merge branch 'main' into sql

fastn-stack · Oct 30, 2023 · f553011 · f553011
2 parents 7b17008 + fcf243c
commit f553011
Show file tree

Hide file tree

Showing 201 changed files with 3,227 additions and 1,645 deletions.
diff --git a/.gitignore b/.gitignore
@@ -5,6 +5,9 @@
 ftd/t/js/**.manual.html
 ftd/t/js/**.script.html
 
+# nix symlink to the build output
+result
+
 # Rust stuff
 target
 **/*.rs.bk

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -8,7 +8,6 @@ members = [
     "fastn-issues",
     "fastn-js",
     "fastn-grammar",
-    "fastn-observer",
     # "fastn-wasm",
     # "fastn-runtime",
 ]
@@ -71,7 +70,7 @@ bytemuck = { version = "1", features = [ "derive" ] }
 camino = "1"
 clap = "4"
 colored = "2.0.4"
-crossterm = "0.26"
+crossterm = "0.27"
 css-color-parser = "0.1"
 diffy = "0.3"
 dioxus-html = { git = "https://github.com/DioxusLabs/dioxus", rev = "fb52673433cc57a70c86185ffa7da5fa3a2394da" }
@@ -84,7 +83,6 @@ fastn-core = { path = "fastn-core" }
 fastn-issues = { path = "fastn-issues" }
 fastn-package = { path = "fastn-package" }
 fastn-runtime = { path = "fastn-runtime" }
-fastn-observer = { path = "fastn-observer" }
 fastn-wasm = { path = "fastn-wasm" }
 fastn-grammar = { path = "fastn-grammar" }
 fluent = "0.16"
@@ -97,7 +95,7 @@ ignore = "0.4"
 include_dir = "0.7"
 indoc = "2"
 intl-memoizer = "0.5"
-itertools = "0.10"
+itertools = "0.11"
 log = "0.4"
 magic-crypt = { version = "3", default-features = false }
 mime_guess = "2"
@@ -112,7 +110,7 @@ regex = "1"
 reqwest = { version = "0.11", features = ["json"] }
 rink = { git = "https://github.com/DioxusLabs/dioxus", rev = "fb52673433cc57a70c86185ffa7da5fa3a2394da" }
 ron = "0.8"
-rquickjs = { version = "0.1", features = ["macro"] }
+rquickjs = { version = "0.3", features = ["macro"] }
 quick-js = "0.4.1"
 rustc-hash = "1"
 rusty-hook = "^0.11.2"
@@ -132,13 +130,17 @@ ansi_term = "0.12"
 walkdir = "2"
 smallvec = "1"
 wasm-bindgen = "0.2"
-wasmtime = "10"
-wgpu = "0.16"
+wasmtime = "13"
+wgpu = "0.17"
 winit = "0.28"
 zip = "0.6"
 prettify-js = "0.1.0"
 indexmap = { version = "2", features = ["serde"] }
 
+[workspace.dependencies.fastn-observer]
+git = "https://github.com/fastn-stack/fastn-observer"
+rev = "47b29ea"
+
 [workspace.dependencies.rusqlite]
 version = "0.29.0"
 features = [
@@ -200,7 +202,7 @@ features = [
 [workspace.dependencies.comrak]
 # We use comrak for markup processing.
 
-version = "0.18"
+version = "0.19"
 # By default comrak ships with support for syntax highlighting using syntext for "fenced
 # code blocks". We have disabled that by not using default features. We did that because
 # we already have a way to show code in ftd, ftd.code. Further, comark requires syntect 4.6

diff --git a/design/github.md b/design/github.md
@@ -0,0 +1,26 @@
+# How Does Github Login Work?
+
+The auth related stuff is in `fastn_core::auth` module.
+
+## Login
+
+To login we send user to `/-/auth/login?provider=github&next=<optional redirect url>`.
+
+The `next` can be used to send the user to arbitrary URL after successful signing.
+
+We use `oauth2` crate for authentication with github.
+
+## Callback URL
+
+The callback URL is 
+
+## CSRF Token
+
+Are we CSRF safe? We are generating a CSRF token using `oauth2::CsrfToken::new_random` in 
+`fastn_core::auth::github::login()`, but we are not checking it in `fastn_core::auth::github::callback()`. I think
+we aught to, else we may be susceptible to CSRF. Not sure how someone can use CSRF in this context, but given
+the library supports should too.
+
+How would we verify? Easiest thing would be to store it in a cookie. This is what Django does, stores CSRF token in
+cookie, and verifies that tokens match on POST request etc. 
+