Merge branch 'revamp-errors' into develop
commit
c64eaf2ff5
|
@ -1,4 +1,3 @@
|
||||||
use argon2::verify_encoded;
|
|
||||||
use chrono::Utc;
|
use chrono::Utc;
|
||||||
use diesel::{insert_into, prelude::*, PgConnection};
|
use diesel::{insert_into, prelude::*, PgConnection};
|
||||||
use hmac::{Hmac, NewMac};
|
use hmac::{Hmac, NewMac};
|
||||||
|
@ -10,31 +9,12 @@ use sha2::Sha256;
|
||||||
use crate::{
|
use crate::{
|
||||||
db::{
|
db::{
|
||||||
tokens::{NewRefreshToken, RefreshToken},
|
tokens::{NewRefreshToken, RefreshToken},
|
||||||
users::{NewUser, User},
|
users::User,
|
||||||
},
|
},
|
||||||
errors::RBError,
|
errors::RbError,
|
||||||
schema::{refresh_tokens::dsl as refresh_tokens, users::dsl as users},
|
schema::{refresh_tokens::dsl as refresh_tokens, users::dsl as users},
|
||||||
};
|
};
|
||||||
|
|
||||||
pub fn verify_user(conn: &PgConnection, username: &str, password: &str) -> crate::Result<User>
|
|
||||||
{
|
|
||||||
// TODO handle non-"NotFound" Diesel errors accordingely
|
|
||||||
let user = users::users
|
|
||||||
.filter(users::username.eq(username))
|
|
||||||
.first::<User>(conn)
|
|
||||||
.map_err(|_| RBError::UnknownUser)?;
|
|
||||||
|
|
||||||
// Check if a user is blocked
|
|
||||||
if user.blocked {
|
|
||||||
return Err(RBError::BlockedUser);
|
|
||||||
}
|
|
||||||
|
|
||||||
match verify_encoded(user.password.as_str(), password.as_bytes()) {
|
|
||||||
Ok(true) => Ok(user),
|
|
||||||
_ => Err(RBError::InvalidPassword),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#[derive(Serialize)]
|
#[derive(Serialize)]
|
||||||
#[serde(rename_all = "camelCase")]
|
#[serde(rename_all = "camelCase")]
|
||||||
pub struct JWTResponse
|
pub struct JWTResponse
|
||||||
|
@ -54,9 +34,9 @@ pub struct Claims
|
||||||
|
|
||||||
pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWTResponse>
|
pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWTResponse>
|
||||||
{
|
{
|
||||||
let secret = std::env::var("JWT_KEY").map_err(|_| RBError::MissingJWTKey)?;
|
let secret = std::env::var("JWT_KEY").map_err(|_| RbError::Custom("Missing JWT key."))?;
|
||||||
let key: Hmac<Sha256> =
|
let key: Hmac<Sha256> = Hmac::new_from_slice(secret.as_bytes())
|
||||||
Hmac::new_from_slice(secret.as_bytes()).map_err(|_| RBError::JWTCreationError)?;
|
.map_err(|_| RbError::Custom("Couldn't create Hmac key."))?;
|
||||||
|
|
||||||
let current_time = Utc::now();
|
let current_time = Utc::now();
|
||||||
|
|
||||||
|
@ -71,7 +51,7 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWT
|
||||||
// Sign the claims into a new token
|
// Sign the claims into a new token
|
||||||
let token = claims
|
let token = claims
|
||||||
.sign_with_key(&key)
|
.sign_with_key(&key)
|
||||||
.map_err(|_| RBError::JWTCreationError)?;
|
.map_err(|_| RbError::Custom("Couldn't sign JWT."))?;
|
||||||
|
|
||||||
// Generate a random refresh token
|
// Generate a random refresh token
|
||||||
let mut refresh_token = [0u8; crate::REFRESH_TOKEN_N_BYTES];
|
let mut refresh_token = [0u8; crate::REFRESH_TOKEN_N_BYTES];
|
||||||
|
@ -88,7 +68,7 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWT
|
||||||
expires_at: refresh_expire,
|
expires_at: refresh_expire,
|
||||||
})
|
})
|
||||||
.execute(conn)
|
.execute(conn)
|
||||||
.map_err(|_| RBError::JWTCreationError)?;
|
.map_err(|_| RbError::Custom("Couldn't insert refresh token."))?;
|
||||||
|
|
||||||
Ok(JWTResponse {
|
Ok(JWTResponse {
|
||||||
token,
|
token,
|
||||||
|
@ -96,48 +76,17 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWT
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn hash_password(password: &str) -> crate::Result<String>
|
|
||||||
{
|
|
||||||
// Generate a random salt
|
|
||||||
let mut salt = [0u8; 64];
|
|
||||||
thread_rng().fill(&mut salt[..]);
|
|
||||||
|
|
||||||
// Encode the actual password
|
|
||||||
let config = argon2::Config::default();
|
|
||||||
argon2::hash_encoded(password.as_bytes(), &salt, &config).map_err(|_| RBError::PWSaltError)
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn create_admin_user(conn: &PgConnection, username: &str, password: &str)
|
|
||||||
-> crate::Result<bool>
|
|
||||||
{
|
|
||||||
let pass_hashed = hash_password(password)?;
|
|
||||||
let new_user = NewUser {
|
|
||||||
username: username.to_string(),
|
|
||||||
password: pass_hashed,
|
|
||||||
admin: true,
|
|
||||||
};
|
|
||||||
|
|
||||||
insert_into(users::users)
|
|
||||||
.values(&new_user)
|
|
||||||
.on_conflict(users::username)
|
|
||||||
.do_update()
|
|
||||||
.set(&new_user)
|
|
||||||
.execute(conn)
|
|
||||||
.map_err(|_| RBError::AdminCreationError)?;
|
|
||||||
|
|
||||||
Ok(true)
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<JWTResponse>
|
pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<JWTResponse>
|
||||||
{
|
{
|
||||||
let token_bytes = base64::decode(refresh_token).map_err(|_| RBError::InvalidRefreshToken)?;
|
let token_bytes =
|
||||||
|
base64::decode(refresh_token).map_err(|_| RbError::AuthInvalidRefreshToken)?;
|
||||||
|
|
||||||
// First, we request the token from the database to see if it's really a valid token
|
// First, we request the token from the database to see if it's really a valid token
|
||||||
let (token_entry, user) = refresh_tokens::refresh_tokens
|
let (token_entry, user) = refresh_tokens::refresh_tokens
|
||||||
.inner_join(users::users)
|
.inner_join(users::users)
|
||||||
.filter(refresh_tokens::token.eq(token_bytes))
|
.filter(refresh_tokens::token.eq(token_bytes))
|
||||||
.first::<(RefreshToken, User)>(conn)
|
.first::<(RefreshToken, User)>(conn)
|
||||||
.map_err(|_| RBError::InvalidRefreshToken)?;
|
.map_err(|_| RbError::AuthInvalidRefreshToken)?;
|
||||||
|
|
||||||
// If we see that the token has already been used before, we block the user.
|
// If we see that the token has already been used before, we block the user.
|
||||||
if token_entry.last_used_at.is_some() {
|
if token_entry.last_used_at.is_some() {
|
||||||
|
@ -145,16 +94,16 @@ pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<
|
||||||
diesel::update(target)
|
diesel::update(target)
|
||||||
.set(users::blocked.eq(true))
|
.set(users::blocked.eq(true))
|
||||||
.execute(conn)
|
.execute(conn)
|
||||||
.map_err(|_| RBError::DBError)?;
|
.map_err(|_| RbError::Custom("Couldn't block user."))?;
|
||||||
|
|
||||||
return Err(RBError::DuplicateRefreshToken);
|
return Err(RbError::AuthDuplicateRefreshToken);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Now we check if the token has already expired
|
// Now we check if the token has already expired
|
||||||
let cur_time = Utc::now().naive_utc();
|
let cur_time = Utc::now().naive_utc();
|
||||||
|
|
||||||
if token_entry.expires_at < cur_time {
|
if token_entry.expires_at < cur_time {
|
||||||
return Err(RBError::TokenExpired);
|
return Err(RbError::AuthTokenExpired);
|
||||||
}
|
}
|
||||||
|
|
||||||
// We update the last_used_at value for the refresh token
|
// We update the last_used_at value for the refresh token
|
||||||
|
@ -162,7 +111,7 @@ pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<
|
||||||
diesel::update(target)
|
diesel::update(target)
|
||||||
.set(refresh_tokens::last_used_at.eq(cur_time))
|
.set(refresh_tokens::last_used_at.eq(cur_time))
|
||||||
.execute(conn)
|
.execute(conn)
|
||||||
.map_err(|_| RBError::DBError)?;
|
.map_err(|_| RbError::Custom("Couldn't update last used time."))?;
|
||||||
|
|
||||||
generate_jwt_token(conn, &user)
|
generate_jwt_token(conn, &user)
|
||||||
}
|
}
|
|
@ -0,0 +1,63 @@
|
||||||
|
use argon2::verify_encoded;
|
||||||
|
use diesel::{insert_into, prelude::*, PgConnection};
|
||||||
|
use rand::{thread_rng, Rng};
|
||||||
|
|
||||||
|
use crate::{
|
||||||
|
db::users::{NewUser, User},
|
||||||
|
errors::RbError,
|
||||||
|
schema::users::dsl as users,
|
||||||
|
};
|
||||||
|
|
||||||
|
pub mod jwt;
|
||||||
|
|
||||||
|
pub fn verify_user(conn: &PgConnection, username: &str, password: &str) -> crate::Result<User>
|
||||||
|
{
|
||||||
|
// TODO handle non-"NotFound" Diesel errors accordingely
|
||||||
|
let user = users::users
|
||||||
|
.filter(users::username.eq(username))
|
||||||
|
.first::<User>(conn)
|
||||||
|
.map_err(|_| RbError::AuthUnknownUser)?;
|
||||||
|
|
||||||
|
// Check if a user is blocked
|
||||||
|
if user.blocked {
|
||||||
|
return Err(RbError::AuthBlockedUser);
|
||||||
|
}
|
||||||
|
|
||||||
|
match verify_encoded(user.password.as_str(), password.as_bytes()) {
|
||||||
|
Ok(true) => Ok(user),
|
||||||
|
_ => Err(RbError::AuthInvalidPassword),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn hash_password(password: &str) -> crate::Result<String>
|
||||||
|
{
|
||||||
|
// Generate a random salt
|
||||||
|
let mut salt = [0u8; 64];
|
||||||
|
thread_rng().fill(&mut salt[..]);
|
||||||
|
|
||||||
|
// Encode the actual password
|
||||||
|
let config = argon2::Config::default();
|
||||||
|
argon2::hash_encoded(password.as_bytes(), &salt, &config)
|
||||||
|
.map_err(|_| RbError::Custom("Couldn't hash password."))
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn create_admin_user(conn: &PgConnection, username: &str, password: &str)
|
||||||
|
-> crate::Result<bool>
|
||||||
|
{
|
||||||
|
let pass_hashed = hash_password(password)?;
|
||||||
|
let new_user = NewUser {
|
||||||
|
username: username.to_string(),
|
||||||
|
password: pass_hashed,
|
||||||
|
admin: true,
|
||||||
|
};
|
||||||
|
|
||||||
|
insert_into(users::users)
|
||||||
|
.values(&new_user)
|
||||||
|
.on_conflict(users::username)
|
||||||
|
.do_update()
|
||||||
|
.set(&new_user)
|
||||||
|
.execute(conn)
|
||||||
|
.map_err(|_| RbError::Custom("Couldn't create admin."))?;
|
||||||
|
|
||||||
|
Ok(true)
|
||||||
|
}
|
|
@ -1,2 +1,5 @@
|
||||||
pub mod tokens;
|
pub mod tokens;
|
||||||
pub mod users;
|
pub mod users;
|
||||||
|
|
||||||
|
pub use tokens::{NewRefreshToken, RefreshToken};
|
||||||
|
pub use users::{NewUser, User};
|
||||||
|
|
|
@ -3,7 +3,7 @@ use serde::{Deserialize, Serialize};
|
||||||
use uuid::Uuid;
|
use uuid::Uuid;
|
||||||
|
|
||||||
use crate::{
|
use crate::{
|
||||||
errors::RBError,
|
errors::RbError,
|
||||||
schema::{users, users::dsl::*},
|
schema::{users, users::dsl::*},
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -30,7 +30,9 @@ pub struct NewUser
|
||||||
|
|
||||||
pub fn all(conn: &PgConnection) -> crate::Result<Vec<User>>
|
pub fn all(conn: &PgConnection) -> crate::Result<Vec<User>>
|
||||||
{
|
{
|
||||||
users.load::<User>(conn).map_err(|_| RBError::DBError)
|
users
|
||||||
|
.load::<User>(conn)
|
||||||
|
.map_err(|_| RbError::DbError("Couldn't get all users."))
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn find(conn: &PgConnection, user_id: Uuid) -> Option<User>
|
pub fn find(conn: &PgConnection, user_id: Uuid) -> Option<User>
|
||||||
|
@ -43,10 +45,10 @@ pub fn create(conn: &PgConnection, new_user: &NewUser) -> crate::Result<()>
|
||||||
let count = diesel::insert_into(users)
|
let count = diesel::insert_into(users)
|
||||||
.values(new_user)
|
.values(new_user)
|
||||||
.execute(conn)
|
.execute(conn)
|
||||||
.map_err(|_| RBError::DBError)?;
|
.map_err(|_| RbError::DbError("Couldn't create user."))?;
|
||||||
|
|
||||||
if count == 0 {
|
if count == 0 {
|
||||||
return Err(RBError::DuplicateUser);
|
return Err(RbError::UMDuplicateUser);
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
|
@ -56,7 +58,7 @@ pub fn delete(conn: &PgConnection, user_id: Uuid) -> crate::Result<()>
|
||||||
{
|
{
|
||||||
diesel::delete(users.filter(id.eq(user_id)))
|
diesel::delete(users.filter(id.eq(user_id)))
|
||||||
.execute(conn)
|
.execute(conn)
|
||||||
.map_err(|_| RBError::DBError)?;
|
.map_err(|_| RbError::DbError("Couldn't delete user."))?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
117
src/errors.rs
117
src/errors.rs
|
@ -1,62 +1,87 @@
|
||||||
use std::io;
|
|
||||||
|
|
||||||
use rocket::{
|
use rocket::{
|
||||||
http::Status,
|
http::Status,
|
||||||
request::Request,
|
request::Request,
|
||||||
response::{self, Responder, Response},
|
response::{self, Responder},
|
||||||
|
serde::json::json,
|
||||||
};
|
};
|
||||||
|
|
||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
pub enum RBError
|
pub enum RbError
|
||||||
{
|
{
|
||||||
/// When the login requests an unknown user
|
AuthUnknownUser,
|
||||||
UnknownUser,
|
AuthBlockedUser,
|
||||||
BlockedUser,
|
AuthInvalidPassword,
|
||||||
/// Invalid login password.
|
AuthUnauthorized,
|
||||||
InvalidPassword,
|
AuthTokenExpired,
|
||||||
/// When a non-admin user tries to use an admin endpoint
|
AuthRefreshTokenExpired,
|
||||||
Unauthorized,
|
AuthInvalidRefreshToken,
|
||||||
/// When an expired JWT token is used for auth.
|
AuthDuplicateRefreshToken,
|
||||||
JWTTokenExpired,
|
|
||||||
/// Umbrella error for when something goes wrong whilst creating a JWT token pair
|
// UM = User Management
|
||||||
JWTCreationError,
|
UMDuplicateUser,
|
||||||
JWTError,
|
UMUnknownUser,
|
||||||
MissingJWTKey,
|
|
||||||
PWSaltError,
|
DbError(&'static str),
|
||||||
AdminCreationError,
|
Custom(&'static str),
|
||||||
TokenExpired,
|
|
||||||
InvalidRefreshToken,
|
|
||||||
DuplicateRefreshToken,
|
|
||||||
DBError,
|
|
||||||
DuplicateUser,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<'r> Responder<'r, 'static> for RBError
|
impl RbError
|
||||||
{
|
{
|
||||||
fn respond_to(self, _: &'r Request<'_>) -> response::Result<'static>
|
pub fn status(&self) -> Status
|
||||||
{
|
{
|
||||||
let (status, message): (Status, &str) = match self {
|
// Every entry gets its own line for easy editing later when needed
|
||||||
RBError::UnknownUser => (Status::NotFound, "Unknown user"),
|
match self {
|
||||||
RBError::BlockedUser => (Status::Unauthorized, "This user is blocked"),
|
RbError::AuthUnknownUser => Status::NotFound,
|
||||||
RBError::InvalidPassword => (Status::Unauthorized, "Invalid password"),
|
RbError::AuthBlockedUser => Status::Forbidden,
|
||||||
RBError::Unauthorized => (Status::Unauthorized, "Unauthorized"),
|
RbError::AuthInvalidPassword => Status::Unauthorized,
|
||||||
RBError::JWTTokenExpired => (Status::Unauthorized, "Token expired"),
|
RbError::AuthUnauthorized => Status::Unauthorized,
|
||||||
RBError::JWTCreationError | RBError::MissingJWTKey => {
|
RbError::AuthTokenExpired => Status::Unauthorized,
|
||||||
(Status::InternalServerError, "Failed to create tokens.")
|
RbError::AuthRefreshTokenExpired => Status::Unauthorized,
|
||||||
}
|
RbError::AuthInvalidRefreshToken => Status::Unauthorized,
|
||||||
RBError::InvalidRefreshToken | RBError::DuplicateRefreshToken => {
|
RbError::AuthDuplicateRefreshToken => Status::Unauthorized,
|
||||||
(Status::Unauthorized, "Invalid refresh token.")
|
|
||||||
}
|
|
||||||
RBError::DuplicateUser => (Status::Conflict, "User already exists"),
|
|
||||||
_ => (Status::InternalServerError, "Internal server error"),
|
|
||||||
};
|
|
||||||
|
|
||||||
let mut res = Response::new();
|
RbError::UMDuplicateUser => Status::Conflict,
|
||||||
res.set_status(status);
|
|
||||||
res.set_sized_body(message.len(), io::Cursor::new(message));
|
|
||||||
|
|
||||||
Ok(res)
|
RbError::Custom(_) => Status::InternalServerError,
|
||||||
|
_ => Status::InternalServerError,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn message(&self) -> &'static str
|
||||||
|
{
|
||||||
|
match self {
|
||||||
|
RbError::AuthUnknownUser => "This user doesn't exist.",
|
||||||
|
RbError::AuthBlockedUser => "This user is blocked.",
|
||||||
|
RbError::AuthInvalidPassword => "Invalid credentials.",
|
||||||
|
RbError::AuthUnauthorized => "You are not authorized to access this resource.",
|
||||||
|
RbError::AuthTokenExpired => "This token is not valid anymore.",
|
||||||
|
RbError::AuthRefreshTokenExpired => "This refresh token is not valid anymore.",
|
||||||
|
RbError::AuthInvalidRefreshToken => "This refresh token is not valid.",
|
||||||
|
RbError::AuthDuplicateRefreshToken => {
|
||||||
|
"This refresh token has already been used. The user has been blocked."
|
||||||
|
}
|
||||||
|
|
||||||
|
RbError::UMDuplicateUser => "This user already exists.",
|
||||||
|
|
||||||
|
RbError::Custom(message) => message,
|
||||||
|
_ => "",
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub type Result<T> = std::result::Result<T, RBError>;
|
impl<'r> Responder<'r, 'static> for RbError
|
||||||
|
{
|
||||||
|
fn respond_to(self, req: &'r Request<'_>) -> response::Result<'static>
|
||||||
|
{
|
||||||
|
let status = self.status();
|
||||||
|
let content = json!({
|
||||||
|
"status": status.code,
|
||||||
|
"message": self.message(),
|
||||||
|
});
|
||||||
|
|
||||||
|
// TODO add status to response
|
||||||
|
content.respond_to(req)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub type Result<T> = std::result::Result<T, RbError>;
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
use hmac::{Hmac, NewMac};
|
use hmac::{Hmac, NewMac};
|
||||||
use jwt::VerifyWithKey;
|
use jwt::VerifyWithKey;
|
||||||
use rb::auth::Claims;
|
use rb::auth::jwt::Claims;
|
||||||
use rocket::{
|
use rocket::{
|
||||||
http::Status,
|
http::Status,
|
||||||
outcome::try_outcome,
|
outcome::try_outcome,
|
||||||
|
@ -14,7 +14,7 @@ pub struct Bearer<'a>(&'a str);
|
||||||
#[rocket::async_trait]
|
#[rocket::async_trait]
|
||||||
impl<'r> FromRequest<'r> for Bearer<'r>
|
impl<'r> FromRequest<'r> for Bearer<'r>
|
||||||
{
|
{
|
||||||
type Error = rb::errors::RBError;
|
type Error = rb::errors::RbError;
|
||||||
|
|
||||||
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
||||||
{
|
{
|
||||||
|
@ -39,12 +39,12 @@ impl<'r> FromRequest<'r> for Bearer<'r>
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Verifies the provided JWT is valid.
|
/// Verifies the provided JWT is valid.
|
||||||
pub struct JWT(Claims);
|
pub struct Jwt(Claims);
|
||||||
|
|
||||||
#[rocket::async_trait]
|
#[rocket::async_trait]
|
||||||
impl<'r> FromRequest<'r> for JWT
|
impl<'r> FromRequest<'r> for Jwt
|
||||||
{
|
{
|
||||||
type Error = rb::errors::RBError;
|
type Error = rb::errors::RbError;
|
||||||
|
|
||||||
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
||||||
{
|
{
|
||||||
|
@ -54,19 +54,27 @@ impl<'r> FromRequest<'r> for JWT
|
||||||
let secret = match std::env::var("JWT_KEY") {
|
let secret = match std::env::var("JWT_KEY") {
|
||||||
Ok(key) => key,
|
Ok(key) => key,
|
||||||
Err(_) => {
|
Err(_) => {
|
||||||
return Outcome::Failure((Status::InternalServerError, Self::Error::MissingJWTKey))
|
return Outcome::Failure((
|
||||||
|
Status::InternalServerError,
|
||||||
|
Self::Error::AuthUnauthorized,
|
||||||
|
))
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
let key: Hmac<Sha256> = match Hmac::new_from_slice(secret.as_bytes()) {
|
let key: Hmac<Sha256> = match Hmac::new_from_slice(secret.as_bytes()) {
|
||||||
Ok(key) => key,
|
Ok(key) => key,
|
||||||
Err(_) => {
|
Err(_) => {
|
||||||
return Outcome::Failure((Status::InternalServerError, Self::Error::JWTError))
|
return Outcome::Failure((
|
||||||
|
Status::InternalServerError,
|
||||||
|
Self::Error::Custom("Failed to do Hmac thing."),
|
||||||
|
))
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
// Verify token using key
|
// Verify token using key
|
||||||
let claims: Claims = match bearer.verify_with_key(&key) {
|
let claims: Claims = match bearer.verify_with_key(&key) {
|
||||||
Ok(claims) => claims,
|
Ok(claims) => claims,
|
||||||
Err(_) => return Outcome::Failure((Status::Unauthorized, Self::Error::Unauthorized)),
|
Err(_) => {
|
||||||
|
return Outcome::Failure((Status::Unauthorized, Self::Error::AuthUnauthorized))
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
Outcome::Success(Self(claims))
|
Outcome::Success(Self(claims))
|
||||||
|
@ -79,15 +87,15 @@ pub struct User(Claims);
|
||||||
#[rocket::async_trait]
|
#[rocket::async_trait]
|
||||||
impl<'r> FromRequest<'r> for User
|
impl<'r> FromRequest<'r> for User
|
||||||
{
|
{
|
||||||
type Error = rb::errors::RBError;
|
type Error = rb::errors::RbError;
|
||||||
|
|
||||||
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
||||||
{
|
{
|
||||||
let claims = try_outcome!(req.guard::<JWT>().await).0;
|
let claims = try_outcome!(req.guard::<Jwt>().await).0;
|
||||||
|
|
||||||
// Verify key hasn't yet expired
|
// Verify key hasn't yet expired
|
||||||
if chrono::Utc::now().timestamp() > claims.exp {
|
if chrono::Utc::now().timestamp() > claims.exp {
|
||||||
return Outcome::Failure((Status::Forbidden, Self::Error::TokenExpired));
|
return Outcome::Failure((Status::Forbidden, Self::Error::AuthTokenExpired));
|
||||||
}
|
}
|
||||||
|
|
||||||
Outcome::Success(Self(claims))
|
Outcome::Success(Self(claims))
|
||||||
|
@ -100,7 +108,7 @@ pub struct Admin(Claims);
|
||||||
#[rocket::async_trait]
|
#[rocket::async_trait]
|
||||||
impl<'r> FromRequest<'r> for Admin
|
impl<'r> FromRequest<'r> for Admin
|
||||||
{
|
{
|
||||||
type Error = rb::errors::RBError;
|
type Error = rb::errors::RbError;
|
||||||
|
|
||||||
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
||||||
{
|
{
|
||||||
|
|
|
@ -1,10 +1,4 @@
|
||||||
use rb::{
|
use rb::{db, errors::RbError};
|
||||||
db::{
|
|
||||||
users as db_users,
|
|
||||||
users::{NewUser, User},
|
|
||||||
},
|
|
||||||
errors::RBError,
|
|
||||||
};
|
|
||||||
use rocket::serde::json::Json;
|
use rocket::serde::json::Json;
|
||||||
use uuid::Uuid;
|
use uuid::Uuid;
|
||||||
|
|
||||||
|
@ -12,30 +6,34 @@ use crate::{guards::Admin, RbDbConn};
|
||||||
|
|
||||||
pub fn routes() -> Vec<rocket::Route>
|
pub fn routes() -> Vec<rocket::Route>
|
||||||
{
|
{
|
||||||
routes![get_users, get_user_info]
|
routes![get_users, get_user_info, create_user]
|
||||||
}
|
}
|
||||||
|
|
||||||
#[get("/users")]
|
#[get("/users")]
|
||||||
async fn get_users(admin: Admin, conn: RbDbConn) -> rb::Result<Json<Vec<User>>>
|
async fn get_users(_admin: Admin, conn: RbDbConn) -> rb::Result<Json<Vec<db::User>>>
|
||||||
{
|
{
|
||||||
Ok(Json(conn.run(|c| rb::db::users::all(c)).await?))
|
Ok(Json(conn.run(|c| db::users::all(c)).await?))
|
||||||
}
|
}
|
||||||
|
|
||||||
#[post("/users", data = "<user>")]
|
#[post("/users", data = "<user>")]
|
||||||
async fn create_user(admin: Admin, conn: RbDbConn, user: Json<NewUser>) -> rb::Result<()>
|
async fn create_user(_admin: Admin, conn: RbDbConn, user: Json<db::NewUser>) -> rb::Result<()>
|
||||||
{
|
{
|
||||||
Ok(conn
|
Ok(conn
|
||||||
.run(move |c| db_users::create(c, &user.into_inner()))
|
.run(move |c| db::users::create(c, &user.into_inner()))
|
||||||
.await?)
|
.await?)
|
||||||
}
|
}
|
||||||
|
|
||||||
#[get("/users/<user_id_str>")]
|
#[get("/users/<user_id_str>")]
|
||||||
async fn get_user_info(_admin: Admin, conn: RbDbConn, user_id_str: &str) -> rb::Result<Json<User>>
|
async fn get_user_info(
|
||||||
|
_admin: Admin,
|
||||||
|
conn: RbDbConn,
|
||||||
|
user_id_str: &str,
|
||||||
|
) -> rb::Result<Json<db::User>>
|
||||||
{
|
{
|
||||||
let user_id = Uuid::parse_str(user_id_str).map_err(|_| RBError::UnknownUser)?;
|
let user_id = Uuid::parse_str(user_id_str).map_err(|_| RbError::UMUnknownUser)?;
|
||||||
|
|
||||||
match conn.run(move |c| db_users::find(c, user_id)).await {
|
match conn.run(move |c| db::users::find(c, user_id)).await {
|
||||||
Some(user) => Ok(Json(user)),
|
Some(user) => Ok(Json(user)),
|
||||||
None => Err(RBError::UnknownUser),
|
None => Err(RbError::UMUnknownUser),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,7 @@
|
||||||
use rb::auth::{generate_jwt_token, verify_user, JWTResponse};
|
use rb::auth::{
|
||||||
|
jwt::{generate_jwt_token, JWTResponse},
|
||||||
|
verify_user,
|
||||||
|
};
|
||||||
use rocket::serde::json::Json;
|
use rocket::serde::json::Json;
|
||||||
use serde::Deserialize;
|
use serde::Deserialize;
|
||||||
|
|
||||||
|
@ -51,7 +54,7 @@ async fn refresh_token(
|
||||||
let refresh_token = refresh_token_request.into_inner().refresh_token;
|
let refresh_token = refresh_token_request.into_inner().refresh_token;
|
||||||
|
|
||||||
Ok(Json(
|
Ok(Json(
|
||||||
conn.run(move |c| rb::auth::refresh_token(c, &refresh_token))
|
conn.run(move |c| rb::auth::jwt::refresh_token(c, &refresh_token))
|
||||||
.await?,
|
.await?,
|
||||||
))
|
))
|
||||||
}
|
}
|
||||||
|
|
Reference in New Issue