refactor: moved auth business logic outside of db using store abstraction
parent
78a274e01f
commit
54a723f803
|
|
@ -6,9 +6,11 @@ pub fn serve(config: &crate::config::Config) -> u8 {
|
||||||
tracing::info!("Initializing database and running migrations");
|
tracing::info!("Initializing database and running migrations");
|
||||||
|
|
||||||
let pool = db::initialize_db(config.data_dir.join(crate::DB_FILENAME), true).unwrap();
|
let pool = db::initialize_db(config.data_dir.join(crate::DB_FILENAME), true).unwrap();
|
||||||
|
let repo = db::SqliteRepository::from(pool);
|
||||||
|
|
||||||
let ctx = server::Context {
|
let ctx = server::Context {
|
||||||
repo: db::SqliteRepository::from(pool),
|
repo: repo.clone(),
|
||||||
|
store: crate::gpodder::GpodderRepository::new(Box::new(repo)),
|
||||||
};
|
};
|
||||||
let app = server::app(ctx);
|
let app = server::app(ctx);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,4 @@
|
||||||
|
use chrono::DateTime;
|
||||||
use diesel::prelude::*;
|
use diesel::prelude::*;
|
||||||
use rand::Rng;
|
use rand::Rng;
|
||||||
|
|
||||||
|
|
@ -19,6 +20,16 @@ impl From<diesel::result::Error> for gpodder::AuthErr {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl From<db::User> for gpodder::User {
|
||||||
|
fn from(value: db::User) -> Self {
|
||||||
|
Self {
|
||||||
|
id: value.id,
|
||||||
|
username: value.username,
|
||||||
|
password_hash: value.password_hash,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl gpodder::AuthRepository for SqliteRepository {
|
impl gpodder::AuthRepository for SqliteRepository {
|
||||||
fn validate_credentials(
|
fn validate_credentials(
|
||||||
&self,
|
&self,
|
||||||
|
|
@ -35,6 +46,7 @@ impl gpodder::AuthRepository for SqliteRepository {
|
||||||
Ok(gpodder::User {
|
Ok(gpodder::User {
|
||||||
id: user.id,
|
id: user.id,
|
||||||
username: user.username,
|
username: user.username,
|
||||||
|
password_hash: user.password_hash,
|
||||||
})
|
})
|
||||||
} else {
|
} else {
|
||||||
Err(gpodder::AuthErr::InvalidPassword)
|
Err(gpodder::AuthErr::InvalidPassword)
|
||||||
|
|
@ -54,6 +66,7 @@ impl gpodder::AuthRepository for SqliteRepository {
|
||||||
Ok(user) => Ok(gpodder::User {
|
Ok(user) => Ok(gpodder::User {
|
||||||
id: user.id,
|
id: user.id,
|
||||||
username: user.username,
|
username: user.username,
|
||||||
|
password_hash: user.password_hash,
|
||||||
}),
|
}),
|
||||||
Err(diesel::result::Error::NotFound) => Err(gpodder::AuthErr::UnknownSession),
|
Err(diesel::result::Error::NotFound) => Err(gpodder::AuthErr::UnknownSession),
|
||||||
Err(err) => Err(gpodder::AuthErr::Other(Box::new(err))),
|
Err(err) => Err(gpodder::AuthErr::Other(Box::new(err))),
|
||||||
|
|
@ -88,6 +101,7 @@ impl gpodder::AuthRepository for SqliteRepository {
|
||||||
gpodder::User {
|
gpodder::User {
|
||||||
id: user.id,
|
id: user.id,
|
||||||
username: user.username,
|
username: user.username,
|
||||||
|
password_hash: user.password_hash,
|
||||||
},
|
},
|
||||||
))
|
))
|
||||||
} else {
|
} else {
|
||||||
|
|
@ -122,3 +136,49 @@ impl gpodder::AuthRepository for SqliteRepository {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl gpodder::AuthStore for SqliteRepository {
|
||||||
|
fn get_user(&self, username: &str) -> Result<Option<gpodder::models::User>, AuthErr> {
|
||||||
|
Ok(users::table
|
||||||
|
.select(db::User::as_select())
|
||||||
|
.filter(users::username.eq(username))
|
||||||
|
.first(&mut self.pool.get()?)
|
||||||
|
.optional()?
|
||||||
|
.map(gpodder::User::from))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn get_session(&self, session_id: i64) -> Result<Option<gpodder::models::Session>, AuthErr> {
|
||||||
|
match sessions::table
|
||||||
|
.inner_join(users::table)
|
||||||
|
.filter(sessions::id.eq(session_id))
|
||||||
|
.select((db::Session::as_select(), db::User::as_select()))
|
||||||
|
.get_result(&mut self.pool.get()?)
|
||||||
|
{
|
||||||
|
Ok((session, user)) => Ok(Some(gpodder::Session {
|
||||||
|
id: session.id,
|
||||||
|
last_seen: DateTime::from_timestamp(session.last_seen, 0).unwrap(),
|
||||||
|
user: user.into(),
|
||||||
|
})),
|
||||||
|
Err(err) => Err(AuthErr::from(err)),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn remove_session(&self, session_id: i64) -> Result<(), AuthErr> {
|
||||||
|
Ok(
|
||||||
|
diesel::delete(sessions::table.filter(sessions::id.eq(session_id)))
|
||||||
|
.execute(&mut self.pool.get()?)
|
||||||
|
.map(|_| ())?,
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn insert_session(&self, session: &gpodder::Session) -> Result<(), AuthErr> {
|
||||||
|
Ok(db::Session {
|
||||||
|
id: session.id,
|
||||||
|
user_id: session.user.id,
|
||||||
|
last_seen: session.last_seen.timestamp(),
|
||||||
|
}
|
||||||
|
.insert_into(sessions::table)
|
||||||
|
.execute(&mut self.pool.get()?)
|
||||||
|
.map(|_| ())?)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,8 @@
|
||||||
pub mod models;
|
pub mod models;
|
||||||
|
mod repository;
|
||||||
|
|
||||||
pub use models::*;
|
pub use models::*;
|
||||||
|
pub use repository::GpodderRepository;
|
||||||
|
|
||||||
pub enum AuthErr {
|
pub enum AuthErr {
|
||||||
UnknownSession,
|
UnknownSession,
|
||||||
|
|
@ -27,6 +29,20 @@ pub trait AuthRepository {
|
||||||
fn remove_session(&self, username: &str, session_id: i64) -> Result<(), AuthErr>;
|
fn remove_session(&self, username: &str, session_id: i64) -> Result<(), AuthErr>;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub trait AuthStore {
|
||||||
|
/// Retrieve the session with the given session ID
|
||||||
|
fn get_session(&self, session_id: i64) -> Result<Option<models::Session>, AuthErr>;
|
||||||
|
|
||||||
|
/// Retrieve the user with the given username
|
||||||
|
fn get_user(&self, username: &str) -> Result<Option<models::User>, AuthErr>;
|
||||||
|
|
||||||
|
/// Create a new session for a user with the given session ID
|
||||||
|
fn insert_session(&self, session: &Session) -> Result<(), AuthErr>;
|
||||||
|
|
||||||
|
/// Remove the session with the given session ID
|
||||||
|
fn remove_session(&self, session_id: i64) -> Result<(), AuthErr>;
|
||||||
|
}
|
||||||
|
|
||||||
pub trait DeviceRepository {
|
pub trait DeviceRepository {
|
||||||
/// Return all devices associated with the user
|
/// Return all devices associated with the user
|
||||||
fn devices_for_user(&self, user: &User) -> Result<Vec<Device>, AuthErr>;
|
fn devices_for_user(&self, user: &User) -> Result<Vec<Device>, AuthErr>;
|
||||||
|
|
|
||||||
|
|
@ -1,10 +1,11 @@
|
||||||
use chrono::NaiveDateTime;
|
use chrono::{DateTime, NaiveDateTime, Utc};
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
|
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
pub struct User {
|
pub struct User {
|
||||||
pub id: i64,
|
pub id: i64,
|
||||||
pub username: String,
|
pub username: String,
|
||||||
|
pub password_hash: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Serialize, Deserialize)]
|
#[derive(Serialize, Deserialize)]
|
||||||
|
|
@ -57,3 +58,9 @@ pub struct EpisodeAction {
|
||||||
#[serde(flatten)]
|
#[serde(flatten)]
|
||||||
pub action: EpisodeActionType,
|
pub action: EpisodeActionType,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub struct Session {
|
||||||
|
pub id: i64,
|
||||||
|
pub last_seen: DateTime<Utc>,
|
||||||
|
pub user: User,
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,74 @@
|
||||||
|
use std::sync::Arc;
|
||||||
|
|
||||||
|
use argon2::{Argon2, PasswordHash, PasswordVerifier};
|
||||||
|
use rand::Rng;
|
||||||
|
|
||||||
|
use super::{models, AuthErr, AuthStore};
|
||||||
|
|
||||||
|
const MAX_SESSION_AGE: i64 = 60 * 60 * 24 * 7;
|
||||||
|
|
||||||
|
type Store = dyn AuthStore + Send + Sync;
|
||||||
|
|
||||||
|
#[derive(Clone)]
|
||||||
|
pub struct GpodderRepository {
|
||||||
|
store: Arc<Store>,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl GpodderRepository {
|
||||||
|
pub fn new(store: Box<Store>) -> Self {
|
||||||
|
Self {
|
||||||
|
store: Arc::from(store),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn validate_session(&self, session_id: i64) -> Result<models::Session, AuthErr> {
|
||||||
|
let session = self
|
||||||
|
.store
|
||||||
|
.get_session(session_id)?
|
||||||
|
.ok_or(AuthErr::UnknownSession)?;
|
||||||
|
|
||||||
|
// Expired sessions still in the database are considered removed
|
||||||
|
if chrono::Utc::now() - session.last_seen
|
||||||
|
> chrono::TimeDelta::new(MAX_SESSION_AGE, 0).unwrap()
|
||||||
|
{
|
||||||
|
Err(AuthErr::UnknownSession)
|
||||||
|
} else {
|
||||||
|
Ok(session)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn validate_credentials(
|
||||||
|
&self,
|
||||||
|
username: &str,
|
||||||
|
password: &str,
|
||||||
|
) -> Result<models::User, AuthErr> {
|
||||||
|
let user = self.store.get_user(username)?.ok_or(AuthErr::UnknownUser)?;
|
||||||
|
|
||||||
|
let password_hash = PasswordHash::new(&user.password_hash).unwrap();
|
||||||
|
|
||||||
|
if Argon2::default()
|
||||||
|
.verify_password(password.as_bytes(), &password_hash)
|
||||||
|
.is_ok()
|
||||||
|
{
|
||||||
|
Ok(user)
|
||||||
|
} else {
|
||||||
|
Err(AuthErr::InvalidPassword)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn create_session(&self, user: &models::User) -> Result<models::Session, AuthErr> {
|
||||||
|
let session = models::Session {
|
||||||
|
id: rand::thread_rng().gen(),
|
||||||
|
last_seen: chrono::Utc::now(),
|
||||||
|
user: user.clone(),
|
||||||
|
};
|
||||||
|
|
||||||
|
self.store.insert_session(&session)?;
|
||||||
|
|
||||||
|
Ok(session)
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn remove_session(&self, session_id: i64) -> Result<(), AuthErr> {
|
||||||
|
self.store.remove_session(session_id)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -12,13 +12,10 @@ use axum_extra::{
|
||||||
TypedHeader,
|
TypedHeader,
|
||||||
};
|
};
|
||||||
|
|
||||||
use crate::{
|
use crate::server::{
|
||||||
gpodder::AuthRepository,
|
|
||||||
server::{
|
|
||||||
error::{AppError, AppResult},
|
error::{AppError, AppResult},
|
||||||
gpodder::SESSION_ID_COOKIE,
|
gpodder::SESSION_ID_COOKIE,
|
||||||
Context,
|
Context,
|
||||||
},
|
|
||||||
};
|
};
|
||||||
|
|
||||||
pub fn router() -> Router<Context> {
|
pub fn router() -> Router<Context> {
|
||||||
|
|
@ -38,14 +35,17 @@ async fn post_login(
|
||||||
return Err(AppError::BadRequest);
|
return Err(AppError::BadRequest);
|
||||||
}
|
}
|
||||||
|
|
||||||
let (session_id, _) = tokio::task::spawn_blocking(move || {
|
let session = tokio::task::spawn_blocking(move || {
|
||||||
ctx.repo.create_session(auth.username(), auth.password())
|
let user = ctx
|
||||||
|
.store
|
||||||
|
.validate_credentials(auth.username(), auth.password())?;
|
||||||
|
ctx.store.create_session(&user)
|
||||||
})
|
})
|
||||||
.await
|
.await
|
||||||
.unwrap()?;
|
.unwrap()?;
|
||||||
|
|
||||||
Ok(jar.add(
|
Ok(jar.add(
|
||||||
Cookie::build((SESSION_ID_COOKIE, session_id.to_string())).expires(Expiration::Session),
|
Cookie::build((SESSION_ID_COOKIE, session.id.to_string())).expires(Expiration::Session),
|
||||||
))
|
))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -60,7 +60,8 @@ async fn post_logout(
|
||||||
.parse()
|
.parse()
|
||||||
.map_err(|_| AppError::BadRequest)?;
|
.map_err(|_| AppError::BadRequest)?;
|
||||||
|
|
||||||
tokio::task::spawn_blocking(move || ctx.repo.remove_session(&username, session_id))
|
// TODO reintroduce username check
|
||||||
|
tokio::task::spawn_blocking(move || ctx.store.remove_session(session_id))
|
||||||
.await
|
.await
|
||||||
.unwrap()?;
|
.unwrap()?;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -17,10 +17,7 @@ use axum_extra::{
|
||||||
};
|
};
|
||||||
use tower_http::set_header::SetResponseHeaderLayer;
|
use tower_http::set_header::SetResponseHeaderLayer;
|
||||||
|
|
||||||
use crate::{
|
use crate::{gpodder, server::error::AppError};
|
||||||
gpodder::{self, AuthRepository},
|
|
||||||
server::error::AppError,
|
|
||||||
};
|
|
||||||
|
|
||||||
use super::Context;
|
use super::Context;
|
||||||
|
|
||||||
|
|
@ -51,12 +48,12 @@ pub async fn auth_middleware(State(ctx): State<Context>, mut req: Request, next:
|
||||||
.and_then(|c| c.value().parse::<i64>().ok())
|
.and_then(|c| c.value().parse::<i64>().ok())
|
||||||
{
|
{
|
||||||
let ctx_clone = ctx.clone();
|
let ctx_clone = ctx.clone();
|
||||||
match tokio::task::spawn_blocking(move || ctx_clone.repo.validate_session(session_id))
|
match tokio::task::spawn_blocking(move || ctx_clone.store.validate_session(session_id))
|
||||||
.await
|
.await
|
||||||
.unwrap()
|
.unwrap()
|
||||||
{
|
{
|
||||||
Ok(user) => {
|
Ok(session) => {
|
||||||
auth_user = Some(user);
|
auth_user = Some(session.user);
|
||||||
}
|
}
|
||||||
Err(gpodder::AuthErr::UnknownSession) => {
|
Err(gpodder::AuthErr::UnknownSession) => {
|
||||||
jar = jar.add(
|
jar = jar.add(
|
||||||
|
|
@ -77,7 +74,7 @@ pub async fn auth_middleware(State(ctx): State<Context>, mut req: Request, next:
|
||||||
.await
|
.await
|
||||||
{
|
{
|
||||||
match tokio::task::spawn_blocking(move || {
|
match tokio::task::spawn_blocking(move || {
|
||||||
ctx.repo
|
ctx.store
|
||||||
.validate_credentials(auth.username(), auth.password())
|
.validate_credentials(auth.username(), auth.password())
|
||||||
})
|
})
|
||||||
.await
|
.await
|
||||||
|
|
|
||||||
|
|
@ -7,6 +7,7 @@ use tower_http::trace::TraceLayer;
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
pub struct Context {
|
pub struct Context {
|
||||||
pub repo: crate::db::SqliteRepository,
|
pub repo: crate::db::SqliteRepository,
|
||||||
|
pub store: crate::gpodder::GpodderRepository,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn app(ctx: Context) -> Router {
|
pub fn app(ctx: Context) -> Router {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue