Restructured auth

pull/36/head
Jef Roosens 2021-08-29 19:04:06 +02:00
parent dd51d107e3
commit 6858e9da62
Signed by: Jef Roosens
GPG Key ID: 955C0660072F691F
5 changed files with 78 additions and 56 deletions

View File

@ -1,4 +1,3 @@
use argon2::verify_encoded;
use chrono::Utc; use chrono::Utc;
use diesel::{insert_into, prelude::*, PgConnection}; use diesel::{insert_into, prelude::*, PgConnection};
use hmac::{Hmac, NewMac}; use hmac::{Hmac, NewMac};
@ -16,25 +15,6 @@ use crate::{
schema::{refresh_tokens::dsl as refresh_tokens, users::dsl as users}, schema::{refresh_tokens::dsl as refresh_tokens, users::dsl as users},
}; };
pub fn verify_user(conn: &PgConnection, username: &str, password: &str) -> crate::Result<User>
{
// TODO handle non-"NotFound" Diesel errors accordingely
let user = users::users
.filter(users::username.eq(username))
.first::<User>(conn)
.map_err(|_| RbError::AuthUnknownUser)?;
// Check if a user is blocked
if user.blocked {
return Err(RbError::AuthBlockedUser);
}
match verify_encoded(user.password.as_str(), password.as_bytes()) {
Ok(true) => Ok(user),
_ => Err(RbError::AuthInvalidPassword),
}
}
#[derive(Serialize)] #[derive(Serialize)]
#[serde(rename_all = "camelCase")] #[serde(rename_all = "camelCase")]
pub struct JWTResponse pub struct JWTResponse
@ -96,39 +76,6 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWT
}) })
} }
pub fn hash_password(password: &str) -> crate::Result<String>
{
// Generate a random salt
let mut salt = [0u8; 64];
thread_rng().fill(&mut salt[..]);
// Encode the actual password
let config = argon2::Config::default();
argon2::hash_encoded(password.as_bytes(), &salt, &config)
.map_err(|_| RbError::Custom("Couldn't hash password."))
}
pub fn create_admin_user(conn: &PgConnection, username: &str, password: &str)
-> crate::Result<bool>
{
let pass_hashed = hash_password(password)?;
let new_user = NewUser {
username: username.to_string(),
password: pass_hashed,
admin: true,
};
insert_into(users::users)
.values(&new_user)
.on_conflict(users::username)
.do_update()
.set(&new_user)
.execute(conn)
.map_err(|_| RbError::Custom("Couldn't create admin."))?;
Ok(true)
}
pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<JWTResponse> pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<JWTResponse>
{ {
let token_bytes = let token_bytes =

71
src/auth/mod.rs 100644
View File

@ -0,0 +1,71 @@
use ::jwt::SignWithKey;
use argon2::verify_encoded;
use chrono::Utc;
use diesel::{insert_into, prelude::*, PgConnection};
use hmac::{Hmac, NewMac};
use rand::{thread_rng, Rng};
use serde::{Deserialize, Serialize};
use sha2::Sha256;
use crate::{
db::{
tokens::{NewRefreshToken, RefreshToken},
users::{NewUser, User},
},
errors::RbError,
schema::{refresh_tokens::dsl as refresh_tokens, users::dsl as users},
};
pub mod jwt;
pub fn verify_user(conn: &PgConnection, username: &str, password: &str) -> crate::Result<User>
{
// TODO handle non-"NotFound" Diesel errors accordingely
let user = users::users
.filter(users::username.eq(username))
.first::<User>(conn)
.map_err(|_| RbError::AuthUnknownUser)?;
// Check if a user is blocked
if user.blocked {
return Err(RbError::AuthBlockedUser);
}
match verify_encoded(user.password.as_str(), password.as_bytes()) {
Ok(true) => Ok(user),
_ => Err(RbError::AuthInvalidPassword),
}
}
pub fn hash_password(password: &str) -> crate::Result<String>
{
// Generate a random salt
let mut salt = [0u8; 64];
thread_rng().fill(&mut salt[..]);
// Encode the actual password
let config = argon2::Config::default();
argon2::hash_encoded(password.as_bytes(), &salt, &config)
.map_err(|_| RbError::Custom("Couldn't hash password."))
}
pub fn create_admin_user(conn: &PgConnection, username: &str, password: &str)
-> crate::Result<bool>
{
let pass_hashed = hash_password(password)?;
let new_user = NewUser {
username: username.to_string(),
password: pass_hashed,
admin: true,
};
insert_into(users::users)
.values(&new_user)
.on_conflict(users::username)
.do_update()
.set(&new_user)
.execute(conn)
.map_err(|_| RbError::Custom("Couldn't create admin."))?;
Ok(true)
}

View File

@ -79,6 +79,7 @@ impl<'r> Responder<'r, 'static> for RbError
"message": self.message(), "message": self.message(),
}); });
// TODO add status to response
content.respond_to(req) content.respond_to(req)
} }
} }

View File

@ -1,6 +1,6 @@
use hmac::{Hmac, NewMac}; use hmac::{Hmac, NewMac};
use jwt::VerifyWithKey; use jwt::VerifyWithKey;
use rb::auth::Claims; use rb::auth::jwt::Claims;
use rocket::{ use rocket::{
http::Status, http::Status,
outcome::try_outcome, outcome::try_outcome,

View File

@ -1,4 +1,7 @@
use rb::auth::{generate_jwt_token, verify_user, JWTResponse}; use rb::auth::{
jwt::{generate_jwt_token, JWTResponse},
verify_user,
};
use rocket::serde::json::Json; use rocket::serde::json::Json;
use serde::Deserialize; use serde::Deserialize;
@ -51,7 +54,7 @@ async fn refresh_token(
let refresh_token = refresh_token_request.into_inner().refresh_token; let refresh_token = refresh_token_request.into_inner().refresh_token;
Ok(Json( Ok(Json(
conn.run(move |c| rb::auth::refresh_token(c, &refresh_token)) conn.run(move |c| rb::auth::jwt::refresh_token(c, &refresh_token))
.await?, .await?,
)) ))
} }