Come up with a scheme for managing CSRF tokens for Google OAuth

[hgzimmerman]

Requirements:

• Store CSRF token from /auth/link, so it can be used in the /auth/redirect.
• Store multiple, for concurrent logins, have a lookup mechanism to see if CSRF from /auth/redirect is in the set produced by /auth/link.
• Ideally non-blocking, but can be slow.
• Bounded max-size, of cache or max-time for items in cache.
• Should be resilient to dos attacks within reason.

Candidates:

• Non-locking FIFO HashSet? I don't think that this exists, nor makes that much sense as a datastructure
• TimedCache https://docs.rs/cached/0.8.0/cached/stores/struct.TimedCache.html Good choice, but will require a lock.
• AtomicRingBuffer https://docs.rs/atomicring/1.2.2/atomicring/struct.AtomicRingBuffer.html exists, but would be painfully slow to iterate through all elements to search for a token.
• Single producer/ single consumer RingBuffer https://docs.rs/rb/0.3.2/rb/struct.SpscRb.html
  • This has write_blocking functions and a get function that fills another buffer to be searched through.
  • I think this could be made to work, but would be clunky.
• RwLock<RingBuffer> https://docs.rs/circular-queue/0.2.0/circular_queue/ Pragmatic, but possibly slow