From b3ba31a1572ecec38115385fafe4a4e87ca39361 Mon Sep 17 00:00:00 2001
From: benj <benj@rse8.com>
Date: Fri, 26 May 2023 22:05:23 -0700
Subject: 🐞: don't panic when parsing a malformed api token
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 crates/secd/src/util/mod.rs | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

(limited to 'crates/secd/src')

diff --git a/crates/secd/src/util/mod.rs b/crates/secd/src/util/mod.rs
index fb984d1..03e7517 100644
--- a/crates/secd/src/util/mod.rs
+++ b/crates/secd/src/util/mod.rs
@@ -75,10 +75,18 @@ impl CredentialType {
             .decode(token)
             .map_err(|e| SecdError::DecodeError(e.to_string()))?;
 
-        let public =
-            general_purpose::URL_SAFE_NO_PAD.encode(&decoded[0..CREDENTIAL_PUBLIC_PART_BYTES]);
-        let private =
-            general_purpose::URL_SAFE_NO_PAD.encode(&decoded[CREDENTIAL_PUBLIC_PART_BYTES..]);
+        let public = general_purpose::URL_SAFE_NO_PAD.encode(
+            &decoded
+                .get(0..CREDENTIAL_PUBLIC_PART_BYTES)
+                .ok_or(SecdError::CredentialIsNotApiToken)
+                .ctx("insufficent number of bytes to find credential's public part")?,
+        );
+        let private = general_purpose::URL_SAFE_NO_PAD.encode(
+            &decoded
+                .get(CREDENTIAL_PUBLIC_PART_BYTES..)
+                .ok_or(SecdError::CredentialIsNotApiToken)
+                .ctx("insufficent number of bytes to find credential's secret part")?,
+        );
 
         Ok(CredentialType::ApiToken { public, private })
     }
-- 
cgit v1.2.3