fix(auth): harden token parsing and remove panics in ban logic

- Parse Bearer scheme case-insensitively per RFC 7235 §2.1
- Replace `parse_from_str` + `expect` with a `LazyLock` constant for
  the permanent-ban expiry date, removing two panic sites
- Propagate `is_user_banned` errors with `?` instead of swallowing
  them via `unwrap_or(false)`
- Use `saturating_sub` for token-expiry arithmetic to avoid underflow

Author: peer-cat

src/jwt.rs

@@ -271,7 +271,7 @@ impl JsonWebToken {
             return Err(AuthError::TokenRevoked);
         }
 
-        if db.is_user_banned(claims.sub).await.unwrap_or(false) {
+        if db.is_user_banned(claims.sub).await? {
             return Err(AuthError::TokenRevoked);
         }
 

src/services/authentication.rs

@@ -135,7 +135,7 @@ impl Service {
         })?;
 
         // Renew token if it is valid for less than one week
-        let token = match claims.exp - clock::now() {
+        let token = match claims.exp.saturating_sub(clock::now()) {
             x if x < ONE_WEEK_IN_SECONDS => self.json_web_token.sign(user_compact.clone(), claims.token_gen).await?,
             _ => token.to_string(),
         };

src/services/user.rs

@@ -1,10 +1,11 @@
 //! User services.
 use std::str::FromStr;
-use std::sync::Arc;
+use std::sync::{Arc, LazyLock};
 
 use argon2::password_hash::SaltString;
 use argon2::{Argon2, PasswordHasher};
 use async_trait::async_trait;
+use chrono::NaiveDate;
 #[cfg(test)]
 use mockall::automock;
 use pbkdf2::password_hash::rand_core::OsRng;
@@ -24,6 +25,14 @@ use crate::utils::validation::validate_email_address;
 use crate::web::api::server::v1::contexts::user::forms::{ChangePasswordForm, RegistrationForm};
 use crate::{AsCSV, mailer};
 
+/// Permanent ban expiry date (year 9999).
+static PERMANENT_BAN_EXPIRY: LazyLock<chrono::NaiveDateTime> = LazyLock::new(|| {
+    NaiveDate::from_ymd_opt(9999, 1, 1)
+        .expect("valid date")
+        .and_hms_opt(0, 0, 0)
+        .expect("valid time")
+});
+
 /// Since user email could be optional, we need a way to represent "no email"
 /// in the database. This function returns the string that should be used for
 /// that purpose.
@@ -551,11 +560,6 @@ impl DbBannedUserList {
     /// # Errors
     ///
     /// It returns an error if there is a database error.
-    ///
-    /// # Panics
-    ///
-    /// It panics if the expiration date cannot be parsed. It should never
-    /// happen as the date is hardcoded for now.
     pub async fn add(&self, user_id: &UserId) -> Result<(), Error> {
         // todo: add reason and `date_expiry` parameters to request.
 
@@ -564,11 +568,7 @@ impl DbBannedUserList {
         // For the time being, we will not use a reason for banning a user.
         let reason = "no reason".to_string();
 
-        // User will be banned until the year 9999
-        let date_expiry = chrono::NaiveDateTime::parse_from_str("9999-01-01 00:00:00", "%Y-%m-%d %H:%M:%S")
-            .expect("Could not parse date from 9999-01-01 00:00:00.");
-
-        self.database.ban_user(*user_id, &reason, date_expiry).await
+        self.database.ban_user(*user_id, &reason, *PERMANENT_BAN_EXPIRY).await
     }
 
     /// Ban a user and atomically increment `token_generation`.
@@ -577,17 +577,12 @@ impl DbBannedUserList {
     /// # Errors
     ///
     /// It returns an error if there is a database error.
-    ///
-    /// # Panics
-    ///
-    /// It panics if the expiration date cannot be parsed.
     pub async fn add_and_revoke_tokens(&self, user_id: &UserId) -> Result<(), Error> {
         let reason = "no reason".to_string();
 
-        let date_expiry = chrono::NaiveDateTime::parse_from_str("9999-01-01 00:00:00", "%Y-%m-%d %H:%M:%S")
-            .expect("Could not parse date from 9999-01-01 00:00:00.");
-
-        self.database.ban_user_and_revoke_tokens(*user_id, &reason, date_expiry).await
+        self.database
+            .ban_user_and_revoke_tokens(*user_id, &reason, *PERMANENT_BAN_EXPIRY)
+            .await
     }
 
     /// Increment the user's `token_generation` counter, invalidating all

src/web/api/server/v1/auth.rs

@@ -167,11 +167,16 @@ impl Authentication {
 /// # Errors
 ///
 /// Returns `AuthError::TokenInvalid` if the header value is not valid
-/// ASCII or does not contain a `Bearer <token>` pair.
+/// ASCII or does not contain a `Bearer <token>` pair. The scheme name
+/// is matched case-insensitively per RFC 7235 §2.1.
 pub fn parse_token(authorization: &HeaderValue) -> Result<String, AuthError> {
     let header_str = authorization.to_str().map_err(|_| AuthError::TokenInvalid)?;
 
-    let token = header_str.strip_prefix("Bearer ").ok_or(AuthError::TokenInvalid)?.trim();
+    let token = header_str
+        .get(7..)
+        .filter(|_| header_str[..7].eq_ignore_ascii_case("bearer "))
+        .ok_or(AuthError::TokenInvalid)?
+        .trim();
 
     if token.is_empty() {
         return Err(AuthError::TokenInvalid);