dioxus-cookie 0.2.0

Unified cookie storage for Dioxus fullstack apps that fills the gap in native platforms with keychain integration and encrypted file-vault fallback for simulators
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

//! Encrypted file-based cookie storage fallback.
//!
//! Use cases:
//! - iOS Simulator (no keychain entitlements)
//! - Linux without D-Bus/Secret Service
//! - CI/CD pipelines and containers
//!
//! Security: AES-256-GCM with machine-derived key. Provides obfuscation,
//! not protection against local attackers. DEBUG BUILDS ONLY.
//!
//! Production apps must use real keychain storage (`keyring` feature).

use std::fs;
use std::path::PathBuf;

use aes_gcm::{
    aead::{Aead, KeyInit},
    Aes256Gcm, Nonce,
};
use sha2::{Digest, Sha256};

fn derive_key() -> Option<[u8; 32]> {
    let data = dirs::data_local_dir()?;
    let mut hasher = Sha256::new();
    hasher.update(b"dioxus-cookie-vault-v2");
    hasher.update(data.to_string_lossy().as_bytes());
    Some(hasher.finalize().into())
}

fn storage_dir() -> Option<PathBuf> {
    #[cfg(target_os = "ios")]
    {
        if let Some(home) = dirs::home_dir() {
            return Some(home.join("Documents").join(".dioxus_cookie_vault"));
        }
    }

    #[cfg(target_os = "android")]
    {
        if let Some(data) = dirs::data_local_dir() {
            return Some(data.join(".dioxus_cookie_vault"));
        }
    }

    #[cfg(not(any(target_os = "ios", target_os = "android")))]
    {
        if let Some(data) = dirs::data_local_dir() {
            return Some(data.join("dioxus-cookie").join("cookies"));
        }
    }

    None
}

fn ensure_storage_dir() -> Option<PathBuf> {
    let dir = storage_dir()?;
    if !dir.exists() {
        fs::create_dir_all(&dir).ok()?;
    }
    Some(dir)
}

/// Debug builds only.
fn is_file_storage_allowed() -> bool {
    cfg!(debug_assertions)
}

#[allow(deprecated)] // generic_array 0.x deprecation warnings
fn encrypt_vault(plaintext: &str) -> Option<Vec<u8>> {
    let key = derive_key()?;
    let cipher = Aes256Gcm::new_from_slice(&key).ok()?;

    let nonce_bytes: [u8; 12] = rand::random();
    let nonce = Nonce::from_slice(&nonce_bytes);

    let ciphertext = cipher.encrypt(nonce, plaintext.as_bytes()).ok()?;

    let mut result = nonce_bytes.to_vec();
    result.extend(ciphertext);
    Some(result)
}

#[allow(deprecated)] // generic_array 0.x deprecation warnings
fn decrypt_vault(data: &[u8]) -> Option<String> {
    if data.len() < 28 {
        return None;
    }

    let key = derive_key()?;
    let cipher = Aes256Gcm::new_from_slice(&key).ok()?;

    let (nonce_bytes, ciphertext) = data.split_at(12);
    let nonce = Nonce::from_slice(nonce_bytes);

    let plaintext = cipher.decrypt(nonce, ciphertext).ok()?;
    String::from_utf8(plaintext).ok()
}

pub fn write_vault(json: &str, filename: &str) -> bool {
    if !is_file_storage_allowed() {
        return false;
    }

    let dir = match ensure_storage_dir() {
        Some(d) => d,
        None => return false,
    };

    let encrypted = match encrypt_vault(json) {
        Some(data) => data,
        None => return false,
    };

    fs::write(dir.join(filename), &encrypted).is_ok()
}

pub fn read_vault(filename: &str) -> Option<String> {
    if !is_file_storage_allowed() {
        return None;
    }

    let dir = storage_dir()?;
    let path = dir.join(filename);

    if !path.exists() {
        return None;
    }

    let data = fs::read(&path).ok()?;
    decrypt_vault(&data)
}