Further split guards

pull/36/head
Jef Roosens 2021-08-21 22:41:38 +02:00
parent dab90bc4a9
commit cc7a668ab0
Signed by: Jef Roosens
GPG Key ID: B580B976584B5F30
4 changed files with 43 additions and 30 deletions

View File

@ -47,8 +47,8 @@ pub struct Claims {
pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWTResponse> { pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWTResponse> {
let secret = std::env::var("JWT_KEY").map_err(|_| RBError::MissingJWTKey)?; let secret = std::env::var("JWT_KEY").map_err(|_| RBError::MissingJWTKey)?;
let key: Hmac<Sha256> = Hmac::new_from_slice(secret.as_bytes()) let key: Hmac<Sha256> =
.map_err(|_| RBError::JWTCreationError)?; Hmac::new_from_slice(secret.as_bytes()).map_err(|_| RBError::JWTCreationError)?;
let current_time = Utc::now(); let current_time = Utc::now();

View File

@ -20,6 +20,7 @@ pub enum RBError {
MissingJWTKey, MissingJWTKey,
PWSaltError, PWSaltError,
AdminCreationError, AdminCreationError,
TokenExpired,
} }
impl<'r> Responder<'r, 'static> for RBError { impl<'r> Responder<'r, 'static> for RBError {

View File

@ -1,23 +1,25 @@
use crate::guards::User;
use crate::RbDbConn; use crate::RbDbConn;
use rb::auth::{generate_jwt_token, verify_user, JWTResponse}; use rb::auth::{generate_jwt_token, verify_user, JWTResponse};
use rocket::serde::json::Json; use rocket::serde::json::Json;
use serde::Deserialize; use serde::Deserialize;
use crate::guards::User;
pub(crate) fn routes() -> Vec<rocket::Route> { pub(crate) fn routes() -> Vec<rocket::Route> {
routes![login, me] routes![login, already_logged_in, me]
} }
#[derive(Deserialize)] #[derive(Deserialize)]
struct Credentials { struct Credentials {
username: String, username: String,
password: String, password: String,
} }
// TODO add catch for when user immediately requests new JWT token (they could totally spam this) #[post("/login")]
async fn already_logged_in(_user: User) -> String {
String::from("You're already logged in!")
}
#[post("/login", data = "<credentials>")] #[post("/login", data = "<credentials>", rank = 2)]
async fn login(conn: RbDbConn, credentials: Json<Credentials>) -> rb::Result<Json<JWTResponse>> { async fn login(conn: RbDbConn, credentials: Json<Credentials>) -> rb::Result<Json<JWTResponse>> {
let credentials = credentials.into_inner(); let credentials = credentials.into_inner();
@ -29,10 +31,4 @@ async fn login(conn: RbDbConn, credentials: Json<Credentials>) -> rb::Result<Jso
Ok(Json(conn.run(move |c| generate_jwt_token(c, &user)).await?)) Ok(Json(conn.run(move |c| generate_jwt_token(c, &user)).await?))
} }
#[get("/me")] // #[post("/refresh", data=)]
async fn me(claims: User) -> String {
String::from("You are logged in!")
}
// /refresh
// /logout

View File

@ -1,17 +1,18 @@
use rocket::{
http::Status,
outcome::try_outcome,
request::{FromRequest, Outcome, Request}
};
use hmac::{Hmac, NewMac}; use hmac::{Hmac, NewMac};
use jwt::VerifyWithKey; use jwt::VerifyWithKey;
use rb::auth::Claims; use rb::auth::Claims;
use rocket::{
http::Status,
outcome::try_outcome,
request::{FromRequest, Outcome, Request},
};
use sha2::Sha256; use sha2::Sha256;
pub struct JWT(String); /// Extracts a "Authorization: Bearer" string from the headers.
pub struct Bearer(String);
#[rocket::async_trait] #[rocket::async_trait]
impl<'r> FromRequest<'r> for JWT { impl<'r> FromRequest<'r> for Bearer {
type Error = rb::errors::RBError; type Error = rb::errors::RBError;
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> { async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> {
@ -26,23 +27,24 @@ impl<'r> FromRequest<'r> for JWT {
} }
// Extract the jwt token from the header // Extract the jwt token from the header
let jwt_token = match header.get(7..) { let auth_string = match header.get(7..) {
Some(token) => token, Some(s) => s,
None => return Outcome::Forward(()), None => return Outcome::Forward(()),
}; };
Outcome::Success(Self(jwt_token.to_string())) Outcome::Success(Self(auth_string.to_string()))
} }
} }
pub struct User(Claims); /// Verifies the provided JWT is valid.
pub struct JWT(Claims);
#[rocket::async_trait] #[rocket::async_trait]
impl<'r> FromRequest<'r> for User { impl<'r> FromRequest<'r> for JWT {
type Error = rb::errors::RBError; type Error = rb::errors::RBError;
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> { async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> {
let jwt_token = try_outcome!(req.guard::<JWT>().await).0; let bearer = try_outcome!(req.guard::<Bearer>().await).0;
// Get secret & key // Get secret & key
let secret = match std::env::var("JWT_KEY") { let secret = match std::env::var("JWT_KEY") {
@ -57,22 +59,36 @@ impl<'r> FromRequest<'r> for User {
return Outcome::Failure((Status::InternalServerError, Self::Error::JWTError)) return Outcome::Failure((Status::InternalServerError, Self::Error::JWTError))
} }
}; };
// Verify token using key // Verify token using key
let claims: Claims = match jwt_token.verify_with_key(&key) { let claims: Claims = match bearer.verify_with_key(&key) {
Ok(claims) => claims, Ok(claims) => claims,
Err(_) => return Outcome::Failure((Status::Unauthorized, Self::Error::Unauthorized)), Err(_) => return Outcome::Failure((Status::Unauthorized, Self::Error::Unauthorized)),
}; };
Outcome::Success(Self(claims))
}
}
/// Verifies the JWT has not expired.
pub struct User(Claims);
#[rocket::async_trait]
impl<'r> FromRequest<'r> for User {
type Error = rb::errors::RBError;
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> {
let claims = try_outcome!(req.guard::<JWT>().await).0;
// Verify key hasn't yet expired // Verify key hasn't yet expired
if chrono::Utc::now().timestamp() > claims.exp { if chrono::Utc::now().timestamp() > claims.exp {
return Outcome::Failure((Status::Unauthorized, Self::Error::Unauthorized)); return Outcome::Failure((Status::Forbidden, Self::Error::TokenExpired));
} }
Outcome::Success(Self(claims)) Outcome::Success(Self(claims))
} }
} }
/// Verifies the JWT belongs to an admin.
pub struct Admin(Claims); pub struct Admin(Claims);
#[rocket::async_trait] #[rocket::async_trait]