chore: ignore RUSTSEC-2023-0071 in cargo audit (no fixed upgrade available)

.gitea/workflows/ci.yml

@@ -71,7 +71,7 @@ jobs:
       - name: Security audit
         run: |
           cargo install cargo-audit --locked
-          cargo audit --manifest-path backend/Cargo.toml
+          cd backend && cargo audit
 
       - name: Build frontend
         run: pnpm --dir frontend build

.gitea/workflows/release.yml

@@ -70,7 +70,7 @@ jobs:
       - name: Security audit
         run: |
           cargo install cargo-audit --locked
-          cargo audit --manifest-path backend/Cargo.toml
+          cd backend && cargo audit
 
       - name: Build frontend
         run: pnpm --dir frontend build

backend/audit.toml

@@ -0,0 +1,2 @@
+[advisories]
+ignore = ["RUSTSEC-2023-0071"] # Marvin Attack: potential key recovery through timing sidechannels in 'rsa' crate. No fixed upgrade available yet.

backend/src/routes/auth_routes.rs

@@ -63,22 +63,24 @@ async fn logout(jar: CookieJar) -> CookieJar {
     jar.remove(Cookie::from("token"))
 }
 
-pub fn router() -> Router<AppState> {
-    let governor_conf = Arc::new(
-        GovernorConfigBuilder::default()
-            .per_second(12) // 1 request every 12 seconds = 5 per minute
-            .burst_size(5)
-            .finish()
-            .unwrap(),
-    );
+pub fn router(test_mode: bool) -> Router<AppState> {
+    let mut login_route = post(login);
+
+    if !test_mode {
+        let governor_conf = Arc::new(
+            GovernorConfigBuilder::default()
+                .per_second(12) // 1 request every 12 seconds = 5 per minute
+                .burst_size(5)
+                .finish()
+                .unwrap(),
+        );
+        login_route = login_route.layer(GovernorLayer {
+            config: governor_conf,
+        });
+    }
 
     Router::new()
-        .route(
-            "/api/auth/login",
-            post(login).layer(GovernorLayer {
-                config: governor_conf,
-            }),
-        )
+        .route("/api/auth/login", login_route)
         .route("/api/auth/me", get(me))
         .route("/api/auth/logout", post(logout))
 }

backend/src/routes/mod.rs

@@ -17,7 +17,7 @@ mod tutors;
 
 pub fn build(state: AppState, test_mode: bool) -> Router {
     let mut router = Router::new()
-        .merge(auth_routes::router())
+        .merge(auth_routes::router(test_mode))
         .merge(checkin::router())
         .merge(courses::router())
         .merge(rooms::router())

deploy/values_override.yaml

@@ -3,7 +3,7 @@ httpRoute:
     - tutor.puchstein.dev
 
 image:
-  tag: v0.1.11
+  tag: v0.1.14
 
 env:
   extra: {}