From 3d25d46dc5b14c506692ea8a82151b6e4f39fafd Mon Sep 17 00:00:00 2001
From: Moritz Bitsch <moritz@h6t.eu>
Date: Wed, 20 Oct 2021 06:20:34 +0200
Subject: [PATCH] Use simple BTreeMap to store uiaa requests

some uiaa requests contain plaintext passwords which should never be
persisted to disk.

Currently there is no cleanup implemented (you have to restart conduit)
---
 src/database.rs      |  3 +--
 src/database/uiaa.rs | 16 +++++++++-------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/database.rs b/src/database.rs
index 84ca68dc..83b0fd5e 100644
--- a/src/database.rs
+++ b/src/database.rs
@@ -250,8 +250,7 @@ impl Database {
             },
             uiaa: uiaa::Uiaa {
                 userdevicesessionid_uiaainfo: builder.open_tree("userdevicesessionid_uiaainfo")?,
-                userdevicesessionid_uiaarequest: builder
-                    .open_tree("userdevicesessionid_uiaarequest")?,
+                userdevicesessionid_uiaarequest: RwLock::new(BTreeMap::new()),
             },
             rooms: rooms::Rooms {
                 edus: rooms::RoomEdus {
diff --git a/src/database/uiaa.rs b/src/database/uiaa.rs
index 1c0fb566..2ecca93d 100644
--- a/src/database/uiaa.rs
+++ b/src/database/uiaa.rs
@@ -1,4 +1,6 @@
 use std::sync::Arc;
+use std::sync::RwLock;
+use std::collections::BTreeMap;
 
 use crate::{client_server::SESSION_ID_LENGTH, utils, Error, Result};
 use ruma::{
@@ -18,7 +20,7 @@ use super::abstraction::Tree;
 
 pub struct Uiaa {
     pub(super) userdevicesessionid_uiaainfo: Arc<dyn Tree>, // User-interactive authentication
-    pub(super) userdevicesessionid_uiaarequest: Arc<dyn Tree>, // UiaaRequest = canonical json value
+    pub(super) userdevicesessionid_uiaarequest: RwLock<BTreeMap<Vec<u8>, Vec<u8>>>, // UiaaRequest = canonical json value
 }
 
 impl Uiaa {
@@ -153,10 +155,10 @@ impl Uiaa {
         userdevicesessionid.push(0xff);
         userdevicesessionid.extend_from_slice(session.as_bytes());
 
-        self.userdevicesessionid_uiaarequest.insert(
-            &userdevicesessionid,
-            &serde_json::to_vec(request).expect("json value to vec always works"),
-        )?;
+        self.userdevicesessionid_uiaarequest.write().unwrap().insert(
+            userdevicesessionid,
+            serde_json::to_vec(request).expect("json value to vec always works"),
+        );
 
         Ok(())
     }
@@ -173,8 +175,8 @@ impl Uiaa {
         userdevicesessionid.push(0xff);
         userdevicesessionid.extend_from_slice(session.as_bytes());
 
-        self.userdevicesessionid_uiaarequest
-            .get(&userdevicesessionid)?
+        self.userdevicesessionid_uiaarequest.read().unwrap()
+            .get(&userdevicesessionid)
             .map(|bytes| {
                 serde_json::from_str::<CanonicalJsonValue>(
                     &utils::string_from_bytes(&bytes)