build(deps): bump secrecy from 0.8.0 to 0.10.3 in /rust (#10631)

Bumps [secrecy](https://github.com/iqlusioninc/crates) from 0.8.0 to 0.10.3. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/iqlusioninc/crates/commits">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=secrecy&package-manager=cargo&previous-version=0.8.0&new-version=0.10.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
2026-01-27 10:18:54 +00:00 · 2025-10-30 01:17:10 +00:00
parent a22c7c9918
commit 941f6f3d1c
19 changed files with 76 additions and 69 deletions
--- a/rust/gui-client/src-tauri/Cargo.toml
+++ b/rust/gui-client/src-tauri/Cargo.toml
@@ -44,7 +44,7 @@ rand = { workspace = true }
 reqwest = { workspace = true, features = ["stream", "rustls-tls"] }
 rustls = { workspace = true }
 sadness-generator = { workspace = true }
-secrecy = { workspace = true }
+secrecy = { workspace = true, features = ["serde"] }
 semver = { workspace = true, features = ["serde"] }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
--- a/rust/gui-client/src-tauri/src/auth.rs
+++ b/rust/gui-client/src-tauri/src/auth.rs
@@ -66,12 +66,14 @@ impl Request {
            url.set_path(account_slug);
        }

-        url.query_pairs_mut()
-            .append_pair("as", "client")
-            .append_pair("nonce", self.nonce.expose_secret())
-            .append_pair("state", self.state.expose_secret());
+        // Avoid further usage of `Url` here so we don't need to zeroize it.
+        let base = url.to_string();

-        SecretString::new(url.to_string())
+        SecretString::from(format!(
+            "{base}?as=client&nonce={}&state={}",
+            self.nonce.expose_secret(),
+            self.state.expose_secret()
+        ))
    }
 }

--- a/rust/gui-client/src-tauri/src/controller.rs
+++ b/rust/gui-client/src-tauri/src/controller.rs
@@ -331,7 +331,7 @@ impl<I: GuiIntegration> Controller<I> {

        self.send_ipc(&service::ClientMsg::Connect {
            api_url: api_url.to_string(),
-            token: token.expose_secret().clone(),
+            token,
            is_internet_resource_active: self.general_settings.internet_resource_enabled(),
        })
        .await?;
--- a/rust/gui-client/src-tauri/src/deep_link.rs
+++ b/rust/gui-client/src-tauri/src/deep_link.rs
@@ -97,13 +97,13 @@ pub(crate) fn parse_auth_callback(url: &Url) -> Result<auth::Response> {
                if fragment.is_some() {
                    bail!("`fragment` should appear exactly once");
                }
-                fragment = Some(SecretString::new(value.to_string()));
+                fragment = Some(SecretString::from(value.as_ref()));
            }
            "state" => {
                if state.is_some() {
                    bail!("`state` should appear exactly once");
                }
-                state = Some(SecretString::new(value.to_string()));
+                state = Some(SecretString::from(value.as_ref()));
            }
            _ => {}
        }
--- a/rust/gui-client/src-tauri/src/service.rs
+++ b/rust/gui-client/src-tauri/src/service.rs
@@ -22,7 +22,7 @@ use futures::{
    task::{Context, Poll},
 };
 use phoenix_channel::{DeviceInfo, LoginUrl, PhoenixChannel, get_user_agent};
-use secrecy::{Secret, SecretString};
+use secrecy::{ExposeSecret, SecretBox, SecretString};
 use std::{
    io::{self, Write},
    mem,
@@ -47,12 +47,13 @@ mod platform;

 pub use platform::{elevation_check, install, run};

-#[derive(Debug, PartialEq, serde::Deserialize, serde::Serialize)]
+#[derive(Debug, serde::Deserialize, serde::Serialize)]
 pub enum ClientMsg {
    ClearLogs,
    Connect {
        api_url: String,
-        token: String,
+        #[serde(serialize_with = "serialize_token")]
+        token: SecretString,
        is_internet_resource_active: bool,
    },
    Disconnect,
@@ -67,6 +68,13 @@ pub enum ClientMsg {
    },
 }

+fn serialize_token<S>(token: &SecretString, serializer: S) -> Result<S::Ok, S::Error>
+where
+    S: serde::Serializer,
+{
+    serializer.serialize_str(token.expose_secret())
+}
+
 /// Messages that end up in the GUI, either forwarded from connlib or from the Tunnel service.
 #[derive(Debug, serde::Deserialize, serde::Serialize, strum::Display)]
 pub enum ServerMsg {
@@ -516,8 +524,6 @@ impl<'a> Handler<'a> {
                token,
                is_internet_resource_active,
            } => {
-                let token = SecretString::new(token);
-
                if !self.session.is_none() {
                    tracing::debug!(session = ?self.session, "Connecting despite existing session");
                }
@@ -641,7 +647,7 @@ impl<'a> Handler<'a> {

        // Synchronous DNS resolution here
        let portal = PhoenixChannel::disconnected(
-            Secret::new(url),
+            SecretBox::init_with(|| url),
            get_user_agent(None, "gui-client", env!("CARGO_PKG_VERSION")),
            "client",
            (),