Chewing_Bever
/
rusty-bever
Archived
1
0
Fork 1
Code Issues 41 Pull Requests 1 Projects Releases Activity

Compare commits

base: Chewing_Bever:c64eaf2ff59a9887b22547b692538b7f42c3ba17
Branches Tags
Chewing_Bever:microservice-split
Chewing_Bever:develop
Chewing_Bever:sections-backend
Chewing_Bever:main
..
compare: Chewing_Bever:7d11d4ad175615c6f71eaa6f1d40b63fd495778e
Branches Tags
Chewing_Bever:microservice-split
Chewing_Bever:develop
Chewing_Bever:sections-backend
Chewing_Bever:main

No commits in common. "c64eaf2ff59a9887b22547b692538b7f42c3ba17" and "7d11d4ad175615c6f71eaa6f1d40b63fd495778e" have entirely different histories.
c64eaf2ff5 ... 7d11d4ad17

8 changed files with 145 additions and 196 deletions
Show Stats Expand all files Collapse all files

79
src/auth/jwt.rs → src/auth.rs
View File

@ -1,3 +1,4 @@
use argon2::verify_encoded;
use chrono::Utc; use chrono::Utc;
use diesel::{insert_into, prelude::*, PgConnection}; use diesel::{insert_into, prelude::*, PgConnection};
use hmac::{Hmac, NewMac}; use hmac::{Hmac, NewMac};
@ -9,12 +10,31 @@ use sha2::Sha256;
use crate::{ use crate::{
db::{ db::{
tokens::{NewRefreshToken, RefreshToken}, tokens::{NewRefreshToken, RefreshToken},
users::User, users::{NewUser, User},
}, },
errors::RbError, errors::RBError,
schema::{refresh_tokens::dsl as refresh_tokens, users::dsl as users}, schema::{refresh_tokens::dsl as refresh_tokens, users::dsl as users},
}; };
pub fn verify_user(conn: &PgConnection, username: &str, password: &str) -> crate::Result<User>
{
// TODO handle non-"NotFound" Diesel errors accordingely
let user = users::users
.filter(users::username.eq(username))
.first::<User>(conn)
.map_err(|_| RBError::UnknownUser)?;
// Check if a user is blocked
if user.blocked {
return Err(RBError::BlockedUser);
}
match verify_encoded(user.password.as_str(), password.as_bytes()) {
Ok(true) => Ok(user),
_ => Err(RBError::InvalidPassword),
}
}
#[derive(Serialize)] #[derive(Serialize)]
#[serde(rename_all = "camelCase")] #[serde(rename_all = "camelCase")]
pub struct JWTResponse pub struct JWTResponse
@ -34,9 +54,9 @@ pub struct Claims
pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWTResponse> pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWTResponse>
{ {
let secret = std::env::var("JWT_KEY").map_err(|_| RbError::Custom("Missing JWT key."))?; let secret = std::env::var("JWT_KEY").map_err(|_| RBError::MissingJWTKey)?;
let key: Hmac<Sha256> = Hmac::new_from_slice(secret.as_bytes()) let key: Hmac<Sha256> =
.map_err(|_| RbError::Custom("Couldn't create Hmac key."))?; Hmac::new_from_slice(secret.as_bytes()).map_err(|_| RBError::JWTCreationError)?;
let current_time = Utc::now(); let current_time = Utc::now();
@ -51,7 +71,7 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWT
// Sign the claims into a new token // Sign the claims into a new token
let token = claims let token = claims
.sign_with_key(&key) .sign_with_key(&key)
.map_err(|_| RbError::Custom("Couldn't sign JWT."))?; .map_err(|_| RBError::JWTCreationError)?;
// Generate a random refresh token // Generate a random refresh token
let mut refresh_token = [0u8; crate::REFRESH_TOKEN_N_BYTES]; let mut refresh_token = [0u8; crate::REFRESH_TOKEN_N_BYTES];
@ -68,7 +88,7 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWT
expires_at: refresh_expire, expires_at: refresh_expire,
}) })
.execute(conn) .execute(conn)
.map_err(|_| RbError::Custom("Couldn't insert refresh token."))?; .map_err(|_| RBError::JWTCreationError)?;
Ok(JWTResponse { Ok(JWTResponse {
token, token,
@ -76,17 +96,48 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> crate::Result<JWT
}) })
} }
pub fn hash_password(password: &str) -> crate::Result<String>
{
// Generate a random salt
let mut salt = [0u8; 64];
thread_rng().fill(&mut salt[..]);
// Encode the actual password
let config = argon2::Config::default();
argon2::hash_encoded(password.as_bytes(), &salt, &config).map_err(|_| RBError::PWSaltError)
}
pub fn create_admin_user(conn: &PgConnection, username: &str, password: &str)
-> crate::Result<bool>
{
let pass_hashed = hash_password(password)?;
let new_user = NewUser {
username: username.to_string(),
password: pass_hashed,
admin: true,
};
insert_into(users::users)
.values(&new_user)
.on_conflict(users::username)
.do_update()
.set(&new_user)
.execute(conn)
.map_err(|_| RBError::AdminCreationError)?;
Ok(true)
}
pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<JWTResponse> pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<JWTResponse>
{ {
let token_bytes = let token_bytes = base64::decode(refresh_token).map_err(|_| RBError::InvalidRefreshToken)?;
base64::decode(refresh_token).map_err(|_| RbError::AuthInvalidRefreshToken)?;
// First, we request the token from the database to see if it's really a valid token // First, we request the token from the database to see if it's really a valid token
let (token_entry, user) = refresh_tokens::refresh_tokens let (token_entry, user) = refresh_tokens::refresh_tokens
.inner_join(users::users) .inner_join(users::users)
.filter(refresh_tokens::token.eq(token_bytes)) .filter(refresh_tokens::token.eq(token_bytes))
.first::<(RefreshToken, User)>(conn) .first::<(RefreshToken, User)>(conn)
.map_err(|_| RbError::AuthInvalidRefreshToken)?; .map_err(|_| RBError::InvalidRefreshToken)?;
// If we see that the token has already been used before, we block the user. // If we see that the token has already been used before, we block the user.
if token_entry.last_used_at.is_some() { if token_entry.last_used_at.is_some() {
@ -94,16 +145,16 @@ pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<
diesel::update(target) diesel::update(target)
.set(users::blocked.eq(true)) .set(users::blocked.eq(true))
.execute(conn) .execute(conn)
.map_err(|_| RbError::Custom("Couldn't block user."))?; .map_err(|_| RBError::DBError)?;
return Err(RbError::AuthDuplicateRefreshToken); return Err(RBError::DuplicateRefreshToken);
} }
// Now we check if the token has already expired // Now we check if the token has already expired
let cur_time = Utc::now().naive_utc(); let cur_time = Utc::now().naive_utc();
if token_entry.expires_at < cur_time { if token_entry.expires_at < cur_time {
return Err(RbError::AuthTokenExpired); return Err(RBError::TokenExpired);
} }
// We update the last_used_at value for the refresh token // We update the last_used_at value for the refresh token
@ -111,7 +162,7 @@ pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> crate::Result<
diesel::update(target) diesel::update(target)
.set(refresh_tokens::last_used_at.eq(cur_time)) .set(refresh_tokens::last_used_at.eq(cur_time))
.execute(conn) .execute(conn)
.map_err(|_| RbError::Custom("Couldn't update last used time."))?; .map_err(|_| RBError::DBError)?;
generate_jwt_token(conn, &user) generate_jwt_token(conn, &user)
} }

63
src/auth/mod.rs
View File

@ -1,63 +0,0 @@
use argon2::verify_encoded;
use diesel::{insert_into, prelude::*, PgConnection};
use rand::{thread_rng, Rng};
use crate::{
db::users::{NewUser, User},
errors::RbError,
schema::users::dsl as users,
};
pub mod jwt;
pub fn verify_user(conn: &PgConnection, username: &str, password: &str) -> crate::Result<User>
{
// TODO handle non-"NotFound" Diesel errors accordingely
let user = users::users
.filter(users::username.eq(username))
.first::<User>(conn)
.map_err(|_| RbError::AuthUnknownUser)?;
// Check if a user is blocked
if user.blocked {
return Err(RbError::AuthBlockedUser);
}
match verify_encoded(user.password.as_str(), password.as_bytes()) {
Ok(true) => Ok(user),
_ => Err(RbError::AuthInvalidPassword),
}
}
pub fn hash_password(password: &str) -> crate::Result<String>
{
// Generate a random salt
let mut salt = [0u8; 64];
thread_rng().fill(&mut salt[..]);
// Encode the actual password
let config = argon2::Config::default();
argon2::hash_encoded(password.as_bytes(), &salt, &config)
.map_err(|_| RbError::Custom("Couldn't hash password."))
}
pub fn create_admin_user(conn: &PgConnection, username: &str, password: &str)
-> crate::Result<bool>
{
let pass_hashed = hash_password(password)?;
let new_user = NewUser {
username: username.to_string(),
password: pass_hashed,
admin: true,
};
insert_into(users::users)
.values(&new_user)
.on_conflict(users::username)
.do_update()
.set(&new_user)
.execute(conn)
.map_err(|_| RbError::Custom("Couldn't create admin."))?;
Ok(true)
}

3
src/db/mod.rs
View File

@ -1,5 +1,2 @@
pub mod tokens; pub mod tokens;
pub mod users; pub mod users;
pub use tokens::{NewRefreshToken, RefreshToken};
pub use users::{NewUser, User};

12
src/db/users.rs
View File

@ -3,7 +3,7 @@ use serde::{Deserialize, Serialize};
use uuid::Uuid; use uuid::Uuid;
use crate::{ use crate::{
errors::RbError, errors::RBError,
schema::{users, users::dsl::*}, schema::{users, users::dsl::*},
}; };
@ -30,9 +30,7 @@ pub struct NewUser
pub fn all(conn: &PgConnection) -> crate::Result<Vec<User>> pub fn all(conn: &PgConnection) -> crate::Result<Vec<User>>
{ {
users users.load::<User>(conn).map_err(|_| RBError::DBError)
.load::<User>(conn)
.map_err(|_| RbError::DbError("Couldn't get all users."))
} }
pub fn find(conn: &PgConnection, user_id: Uuid) -> Option<User> pub fn find(conn: &PgConnection, user_id: Uuid) -> Option<User>
@ -45,10 +43,10 @@ pub fn create(conn: &PgConnection, new_user: &NewUser) -> crate::Result<()>
let count = diesel::insert_into(users) let count = diesel::insert_into(users)
.values(new_user) .values(new_user)
.execute(conn) .execute(conn)
.map_err(|_| RbError::DbError("Couldn't create user."))?; .map_err(|_| RBError::DBError)?;
if count == 0 { if count == 0 {
return Err(RbError::UMDuplicateUser); return Err(RBError::DuplicateUser);
} }
Ok(()) Ok(())
@ -58,7 +56,7 @@ pub fn delete(conn: &PgConnection, user_id: Uuid) -> crate::Result<()>
{ {
diesel::delete(users.filter(id.eq(user_id))) diesel::delete(users.filter(id.eq(user_id)))
.execute(conn) .execute(conn)
.map_err(|_| RbError::DbError("Couldn't delete user."))?; .map_err(|_| RBError::DBError)?;
Ok(()) Ok(())
} }

115
src/errors.rs
View File

@ -1,87 +1,62 @@
use std::io;
use rocket::{ use rocket::{
http::Status, http::Status,
request::Request, request::Request,
response::{self, Responder}, response::{self, Responder, Response},
serde::json::json,
}; };
#[derive(Debug)] #[derive(Debug)]
pub enum RbError pub enum RBError
{ {
AuthUnknownUser, /// When the login requests an unknown user
AuthBlockedUser, UnknownUser,
AuthInvalidPassword, BlockedUser,
AuthUnauthorized, /// Invalid login password.
AuthTokenExpired, InvalidPassword,
AuthRefreshTokenExpired, /// When a non-admin user tries to use an admin endpoint
AuthInvalidRefreshToken, Unauthorized,
AuthDuplicateRefreshToken, /// When an expired JWT token is used for auth.
JWTTokenExpired,
// UM = User Management /// Umbrella error for when something goes wrong whilst creating a JWT token pair
UMDuplicateUser, JWTCreationError,
UMUnknownUser, JWTError,
MissingJWTKey,
DbError(&'static str), PWSaltError,
Custom(&'static str), AdminCreationError,
TokenExpired,
InvalidRefreshToken,
DuplicateRefreshToken,
DBError,
DuplicateUser,
} }
impl RbError impl<'r> Responder<'r, 'static> for RBError
{ {
pub fn status(&self) -> Status fn respond_to(self, _: &'r Request<'_>) -> response::Result<'static>
{ {
// Every entry gets its own line for easy editing later when needed let (status, message): (Status, &str) = match self {
match self { RBError::UnknownUser => (Status::NotFound, "Unknown user"),
RbError::AuthUnknownUser => Status::NotFound, RBError::BlockedUser => (Status::Unauthorized, "This user is blocked"),
RbError::AuthBlockedUser => Status::Forbidden, RBError::InvalidPassword => (Status::Unauthorized, "Invalid password"),
RbError::AuthInvalidPassword => Status::Unauthorized, RBError::Unauthorized => (Status::Unauthorized, "Unauthorized"),
RbError::AuthUnauthorized => Status::Unauthorized, RBError::JWTTokenExpired => (Status::Unauthorized, "Token expired"),
RbError::AuthTokenExpired => Status::Unauthorized, RBError::JWTCreationError | RBError::MissingJWTKey => {
RbError::AuthRefreshTokenExpired => Status::Unauthorized, (Status::InternalServerError, "Failed to create tokens.")
RbError::AuthInvalidRefreshToken => Status::Unauthorized,
RbError::AuthDuplicateRefreshToken => Status::Unauthorized,
RbError::UMDuplicateUser => Status::Conflict,
RbError::Custom(_) => Status::InternalServerError,
_ => Status::InternalServerError,
}
}
pub fn message(&self) -> &'static str
{
match self {
RbError::AuthUnknownUser => "This user doesn't exist.",
RbError::AuthBlockedUser => "This user is blocked.",
RbError::AuthInvalidPassword => "Invalid credentials.",
RbError::AuthUnauthorized => "You are not authorized to access this resource.",
RbError::AuthTokenExpired => "This token is not valid anymore.",
RbError::AuthRefreshTokenExpired => "This refresh token is not valid anymore.",
RbError::AuthInvalidRefreshToken => "This refresh token is not valid.",
RbError::AuthDuplicateRefreshToken => {
"This refresh token has already been used. The user has been blocked."
} }
RBError::InvalidRefreshToken | RBError::DuplicateRefreshToken => {
(Status::Unauthorized, "Invalid refresh token.")
}
RBError::DuplicateUser => (Status::Conflict, "User already exists"),
_ => (Status::InternalServerError, "Internal server error"),
};
RbError::UMDuplicateUser => "This user already exists.", let mut res = Response::new();
res.set_status(status);
res.set_sized_body(message.len(), io::Cursor::new(message));
RbError::Custom(message) => message, Ok(res)
_ => "",
}
} }
} }
impl<'r> Responder<'r, 'static> for RbError pub type Result<T> = std::result::Result<T, RBError>;
{
fn respond_to(self, req: &'r Request<'_>) -> response::Result<'static>
{
let status = self.status();
let content = json!({
"status": status.code,
"message": self.message(),
});
// TODO add status to response
content.respond_to(req)
}
}
pub type Result<T> = std::result::Result<T, RbError>;

32
src/guards.rs
View File

@ -1,6 +1,6 @@
use hmac::{Hmac, NewMac}; use hmac::{Hmac, NewMac};
use jwt::VerifyWithKey; use jwt::VerifyWithKey;
use rb::auth::jwt::Claims; use rb::auth::Claims;
use rocket::{ use rocket::{
http::Status, http::Status,
outcome::try_outcome, outcome::try_outcome,
@ -14,7 +14,7 @@ pub struct Bearer<'a>(&'a str);
#[rocket::async_trait] #[rocket::async_trait]
impl<'r> FromRequest<'r> for Bearer<'r> impl<'r> FromRequest<'r> for Bearer<'r>
{ {
type Error = rb::errors::RbError; type Error = rb::errors::RBError;
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
{ {
@ -39,12 +39,12 @@ impl<'r> FromRequest<'r> for Bearer<'r>
} }
/// Verifies the provided JWT is valid. /// Verifies the provided JWT is valid.
pub struct Jwt(Claims); pub struct JWT(Claims);
#[rocket::async_trait] #[rocket::async_trait]
impl<'r> FromRequest<'r> for Jwt impl<'r> FromRequest<'r> for JWT
{ {
type Error = rb::errors::RbError; type Error = rb::errors::RBError;
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
{ {
@ -54,27 +54,19 @@ impl<'r> FromRequest<'r> for Jwt
let secret = match std::env::var("JWT_KEY") { let secret = match std::env::var("JWT_KEY") {
Ok(key) => key, Ok(key) => key,
Err(_) => { Err(_) => {
return Outcome::Failure(( return Outcome::Failure((Status::InternalServerError, Self::Error::MissingJWTKey))
Status::InternalServerError,
Self::Error::AuthUnauthorized,
))
} }
}; };
let key: Hmac<Sha256> = match Hmac::new_from_slice(secret.as_bytes()) { let key: Hmac<Sha256> = match Hmac::new_from_slice(secret.as_bytes()) {
Ok(key) => key, Ok(key) => key,
Err(_) => { Err(_) => {
return Outcome::Failure(( return Outcome::Failure((Status::InternalServerError, Self::Error::JWTError))
Status::InternalServerError,
Self::Error::Custom("Failed to do Hmac thing."),
))
} }
}; };
// Verify token using key // Verify token using key
let claims: Claims = match bearer.verify_with_key(&key) { let claims: Claims = match bearer.verify_with_key(&key) {
Ok(claims) => claims, Ok(claims) => claims,
Err(_) => { Err(_) => return Outcome::Failure((Status::Unauthorized, Self::Error::Unauthorized)),
return Outcome::Failure((Status::Unauthorized, Self::Error::AuthUnauthorized))
}
}; };
Outcome::Success(Self(claims)) Outcome::Success(Self(claims))
@ -87,15 +79,15 @@ pub struct User(Claims);
#[rocket::async_trait] #[rocket::async_trait]
impl<'r> FromRequest<'r> for User impl<'r> FromRequest<'r> for User
{ {
type Error = rb::errors::RbError; type Error = rb::errors::RBError;
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
{ {
let claims = try_outcome!(req.guard::<Jwt>().await).0; let claims = try_outcome!(req.guard::<JWT>().await).0;
// Verify key hasn't yet expired // Verify key hasn't yet expired
if chrono::Utc::now().timestamp() > claims.exp { if chrono::Utc::now().timestamp() > claims.exp {
return Outcome::Failure((Status::Forbidden, Self::Error::AuthTokenExpired)); return Outcome::Failure((Status::Forbidden, Self::Error::TokenExpired));
} }
Outcome::Success(Self(claims)) Outcome::Success(Self(claims))
@ -108,7 +100,7 @@ pub struct Admin(Claims);
#[rocket::async_trait] #[rocket::async_trait]
impl<'r> FromRequest<'r> for Admin impl<'r> FromRequest<'r> for Admin
{ {
type Error = rb::errors::RbError; type Error = rb::errors::RBError;
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
{ {

30
src/routes/admin.rs
View File

@ -1,4 +1,10 @@
use rb::{db, errors::RbError}; use rb::{
db::{
users as db_users,
users::{NewUser, User},
},
errors::RBError,
};
use rocket::serde::json::Json; use rocket::serde::json::Json;
use uuid::Uuid; use uuid::Uuid;
@ -6,34 +12,30 @@ use crate::{guards::Admin, RbDbConn};
pub fn routes() -> Vec<rocket::Route> pub fn routes() -> Vec<rocket::Route>
{ {
routes![get_users, get_user_info, create_user] routes![get_users, get_user_info]
} }
#[get("/users")] #[get("/users")]
async fn get_users(_admin: Admin, conn: RbDbConn) -> rb::Result<Json<Vec<db::User>>> async fn get_users(admin: Admin, conn: RbDbConn) -> rb::Result<Json<Vec<User>>>
{ {
Ok(Json(conn.run(|c| db::users::all(c)).await?)) Ok(Json(conn.run(|c| rb::db::users::all(c)).await?))
} }
#[post("/users", data = "<user>")] #[post("/users", data = "<user>")]
async fn create_user(_admin: Admin, conn: RbDbConn, user: Json<db::NewUser>) -> rb::Result<()> async fn create_user(admin: Admin, conn: RbDbConn, user: Json<NewUser>) -> rb::Result<()>
{ {
Ok(conn Ok(conn
.run(move |c| db::users::create(c, &user.into_inner())) .run(move |c| db_users::create(c, &user.into_inner()))
.await?) .await?)
} }
#[get("/users/<user_id_str>")] #[get("/users/<user_id_str>")]
async fn get_user_info( async fn get_user_info(_admin: Admin, conn: RbDbConn, user_id_str: &str) -> rb::Result<Json<User>>
_admin: Admin,
conn: RbDbConn,
user_id_str: &str,
) -> rb::Result<Json<db::User>>
{ {
let user_id = Uuid::parse_str(user_id_str).map_err(|_| RbError::UMUnknownUser)?; let user_id = Uuid::parse_str(user_id_str).map_err(|_| RBError::UnknownUser)?;
match conn.run(move |c| db::users::find(c, user_id)).await { match conn.run(move |c| db_users::find(c, user_id)).await {
Some(user) => Ok(Json(user)), Some(user) => Ok(Json(user)),
None => Err(RbError::UMUnknownUser), None => Err(RBError::UnknownUser),
} }
} }

7
src/routes/auth.rs
View File

@ -1,7 +1,4 @@
use rb::auth::{ use rb::auth::{generate_jwt_token, verify_user, JWTResponse};
jwt::{generate_jwt_token, JWTResponse},
verify_user,
};
use rocket::serde::json::Json; use rocket::serde::json::Json;
use serde::Deserialize; use serde::Deserialize;
@ -54,7 +51,7 @@ async fn refresh_token(
let refresh_token = refresh_token_request.into_inner().refresh_token; let refresh_token = refresh_token_request.into_inner().refresh_token;
Ok(Json( Ok(Json(
conn.run(move |c| rb::auth::jwt::refresh_token(c, &refresh_token)) conn.run(move |c| rb::auth::refresh_token(c, &refresh_token))
.await?, .await?,
)) ))
} }