Compare commits
2 Commits
fb2a6126fe
...
505907d3a1
| Author | SHA1 | Date |
|---|---|---|
 Jef Roosens
|
505907d3a1
|
|
|
Jef Roosens
|
f50008ff99
|
2
Rb.yaml
2
Rb.yaml
|
|
@ -16,7 +16,7 @@ debug:
|
||||||
key: "secret"
|
key: "secret"
|
||||||
refresh_token_size: 64
|
refresh_token_size: 64
|
||||||
# Just 5 seconds for debugging
|
# Just 5 seconds for debugging
|
||||||
refresh_token_expire: 5
|
refresh_token_expire: 60
|
||||||
|
|
||||||
databases:
|
databases:
|
||||||
postgres_rb:
|
postgres_rb:
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,7 @@ reorder_imports = true
|
||||||
reorder_modules = true
|
reorder_modules = true
|
||||||
report_fixme = "Always"
|
report_fixme = "Always"
|
||||||
report_todo = "Always"
|
report_todo = "Always"
|
||||||
required_version = "1.4.36"
|
required_version = "1.4.37"
|
||||||
skip_children = false
|
skip_children = false
|
||||||
space_after_colon = true
|
space_after_colon = true
|
||||||
space_before_colon = false
|
space_before_colon = false
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,7 @@ pub enum RbError
|
||||||
AuthRefreshTokenExpired,
|
AuthRefreshTokenExpired,
|
||||||
AuthInvalidRefreshToken,
|
AuthInvalidRefreshToken,
|
||||||
AuthDuplicateRefreshToken,
|
AuthDuplicateRefreshToken,
|
||||||
|
AuthMissingHeader,
|
||||||
|
|
||||||
// UM = User Management
|
// UM = User Management
|
||||||
UMDuplicateUser,
|
UMDuplicateUser,
|
||||||
|
|
@ -39,6 +40,7 @@ impl RbError
|
||||||
RbError::AuthRefreshTokenExpired => Status::Unauthorized,
|
RbError::AuthRefreshTokenExpired => Status::Unauthorized,
|
||||||
RbError::AuthInvalidRefreshToken => Status::Unauthorized,
|
RbError::AuthInvalidRefreshToken => Status::Unauthorized,
|
||||||
RbError::AuthDuplicateRefreshToken => Status::Unauthorized,
|
RbError::AuthDuplicateRefreshToken => Status::Unauthorized,
|
||||||
|
RbError::AuthMissingHeader => Status::BadRequest,
|
||||||
|
|
||||||
RbError::UMDuplicateUser => Status::Conflict,
|
RbError::UMDuplicateUser => Status::Conflict,
|
||||||
|
|
||||||
|
|
@ -60,6 +62,7 @@ impl RbError
|
||||||
RbError::AuthDuplicateRefreshToken => {
|
RbError::AuthDuplicateRefreshToken => {
|
||||||
"This refresh token has already been used. The user has been blocked."
|
"This refresh token has already been used. The user has been blocked."
|
||||||
}
|
}
|
||||||
|
RbError::AuthMissingHeader => "Missing Authorization header.",
|
||||||
|
|
||||||
RbError::UMDuplicateUser => "This user already exists.",
|
RbError::UMDuplicateUser => "This user already exists.",
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,10 +4,11 @@ use rocket::{
|
||||||
http::Status,
|
http::Status,
|
||||||
outcome::try_outcome,
|
outcome::try_outcome,
|
||||||
request::{FromRequest, Outcome, Request},
|
request::{FromRequest, Outcome, Request},
|
||||||
|
State,
|
||||||
};
|
};
|
||||||
use sha2::Sha256;
|
use sha2::Sha256;
|
||||||
|
|
||||||
use crate::auth::jwt::Claims;
|
use crate::{auth::jwt::Claims, errors::RbError, RbConfig};
|
||||||
|
|
||||||
/// Extracts a "Authorization: Bearer" string from the headers.
|
/// Extracts a "Authorization: Bearer" string from the headers.
|
||||||
pub struct Bearer<'a>(&'a str);
|
pub struct Bearer<'a>(&'a str);
|
||||||
|
|
@ -21,7 +22,7 @@ impl<'r> FromRequest<'r> for Bearer<'r>
|
||||||
{
|
{
|
||||||
// If the header isn't present, just forward to the next route
|
// If the header isn't present, just forward to the next route
|
||||||
let header = match req.headers().get_one("Authorization") {
|
let header = match req.headers().get_one("Authorization") {
|
||||||
None => return Outcome::Forward(()),
|
None => return Outcome::Failure((Status::BadRequest, Self::Error::AuthMissingHeader)),
|
||||||
Some(val) => val,
|
Some(val) => val,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -32,7 +33,7 @@ impl<'r> FromRequest<'r> for Bearer<'r>
|
||||||
// Extract the jwt token from the header
|
// Extract the jwt token from the header
|
||||||
let auth_string = match header.get(7..) {
|
let auth_string = match header.get(7..) {
|
||||||
Some(s) => s,
|
Some(s) => s,
|
||||||
None => return Outcome::Forward(()),
|
None => return Outcome::Failure((Status::Unauthorized, Self::Error::AuthUnauthorized)),
|
||||||
};
|
};
|
||||||
|
|
||||||
Outcome::Success(Self(auth_string))
|
Outcome::Success(Self(auth_string))
|
||||||
|
|
@ -45,23 +46,17 @@ pub struct Jwt(Claims);
|
||||||
#[rocket::async_trait]
|
#[rocket::async_trait]
|
||||||
impl<'r> FromRequest<'r> for Jwt
|
impl<'r> FromRequest<'r> for Jwt
|
||||||
{
|
{
|
||||||
type Error = crate::errors::RbError;
|
type Error = RbError;
|
||||||
|
|
||||||
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
|
||||||
{
|
{
|
||||||
let bearer = try_outcome!(req.guard::<Bearer>().await).0;
|
let bearer = try_outcome!(req.guard::<Bearer>().await).0;
|
||||||
|
let config = try_outcome!(req.guard::<&State<RbConfig>>().await.map_failure(|_| (
|
||||||
|
Status::InternalServerError,
|
||||||
|
RbError::Custom("Couldn't get config guard.")
|
||||||
|
)));
|
||||||
|
|
||||||
// Get secret & key
|
let key: Hmac<Sha256> = match Hmac::new_from_slice(&config.jwt.key.as_bytes()) {
|
||||||
let secret = match std::env::var("JWT_KEY") {
|
|
||||||
Ok(key) => key,
|
|
||||||
Err(_) => {
|
|
||||||
return Outcome::Failure((
|
|
||||||
Status::InternalServerError,
|
|
||||||
Self::Error::AuthUnauthorized,
|
|
||||||
))
|
|
||||||
}
|
|
||||||
};
|
|
||||||
let key: Hmac<Sha256> = match Hmac::new_from_slice(secret.as_bytes()) {
|
|
||||||
Ok(key) => key,
|
Ok(key) => key,
|
||||||
Err(_) => {
|
Err(_) => {
|
||||||
return Outcome::Failure((
|
return Outcome::Failure((
|
||||||
|
|
@ -118,7 +113,7 @@ impl<'r> FromRequest<'r> for Admin
|
||||||
if user.admin {
|
if user.admin {
|
||||||
Outcome::Success(Self(user))
|
Outcome::Success(Self(user))
|
||||||
} else {
|
} else {
|
||||||
Outcome::Forward(())
|
Outcome::Failure((Status::Unauthorized, RbError::AuthUnauthorized))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
14
src/main.rs
14
src/main.rs
|
|
@ -12,7 +12,12 @@ use figment::{
|
||||||
providers::{Env, Format, Yaml},
|
providers::{Env, Format, Yaml},
|
||||||
Figment,
|
Figment,
|
||||||
};
|
};
|
||||||
use rocket::{fairing::AdHoc, Build, Rocket};
|
use rocket::{
|
||||||
|
fairing::AdHoc,
|
||||||
|
http::Status,
|
||||||
|
serde::json::{json, Value},
|
||||||
|
Build, Request, Rocket,
|
||||||
|
};
|
||||||
use rocket_sync_db_pools::database;
|
use rocket_sync_db_pools::database;
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
|
|
||||||
|
|
@ -26,6 +31,12 @@ pub(crate) mod schema;
|
||||||
#[database("postgres_rb")]
|
#[database("postgres_rb")]
|
||||||
pub struct RbDbConn(diesel::PgConnection);
|
pub struct RbDbConn(diesel::PgConnection);
|
||||||
|
|
||||||
|
#[catch(default)]
|
||||||
|
fn default_catcher(status: Status, _: &Request) -> Value
|
||||||
|
{
|
||||||
|
json!({"status": status.code, "message": ""})
|
||||||
|
}
|
||||||
|
|
||||||
embed_migrations!();
|
embed_migrations!();
|
||||||
|
|
||||||
async fn run_db_migrations(rocket: Rocket<Build>) -> Result<Rocket<Build>, Rocket<Build>>
|
async fn run_db_migrations(rocket: Rocket<Build>) -> Result<Rocket<Build>, Rocket<Build>>
|
||||||
|
|
@ -88,6 +99,7 @@ fn rocket() -> _
|
||||||
))
|
))
|
||||||
.attach(AdHoc::try_on_ignite("Create admin user", create_admin_user))
|
.attach(AdHoc::try_on_ignite("Create admin user", create_admin_user))
|
||||||
.attach(AdHoc::config::<RbConfig>())
|
.attach(AdHoc::config::<RbConfig>())
|
||||||
|
.register("/", catchers![default_catcher])
|
||||||
.mount(
|
.mount(
|
||||||
"/api/auth",
|
"/api/auth",
|
||||||
routes![auth::already_logged_in, auth::login, auth::refresh_token,],
|
routes![auth::already_logged_in, auth::login, auth::refresh_token,],
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,64 @@
|
||||||
|
import requests
|
||||||
|
|
||||||
|
|
||||||
|
class RbClient:
|
||||||
|
def __init__(self, username, password, base_url = "http://localhost:8000/api"):
|
||||||
|
self.username = username
|
||||||
|
self.password = password
|
||||||
|
self.base_url = base_url
|
||||||
|
|
||||||
|
self.jwt = None
|
||||||
|
self.refresh_token = None
|
||||||
|
|
||||||
|
def _login(self):
|
||||||
|
r = requests.post(f"{self.base_url}/auth/login", json={
|
||||||
|
"username": self.username,
|
||||||
|
"password": self.password,
|
||||||
|
})
|
||||||
|
|
||||||
|
if r.status_code != 200:
|
||||||
|
raise Exception("Couldn't login")
|
||||||
|
|
||||||
|
res = r.json()
|
||||||
|
self.jwt = res["token"]
|
||||||
|
self.refresh_token = res["refreshToken"]
|
||||||
|
|
||||||
|
def _refresh(self):
|
||||||
|
r = requests.post(f"{self.base_url}/auth/refresh", json={"refreshToken": self.refresh_token})
|
||||||
|
|
||||||
|
if r.status_code != 200:
|
||||||
|
raise Exception("Couldn't refresh")
|
||||||
|
|
||||||
|
res = r.json()
|
||||||
|
self.jwt = res["token"]
|
||||||
|
self.refresh_token = res["refreshToken"]
|
||||||
|
|
||||||
|
def _request(self, type_, url, retry=2, *args, **kwargs):
|
||||||
|
if self.jwt:
|
||||||
|
headers = kwargs.get("headers", {})
|
||||||
|
headers["Authorization"] = f"Bearer {self.jwt}"
|
||||||
|
kwargs["headers"] = headers
|
||||||
|
print(kwargs["headers"])
|
||||||
|
|
||||||
|
r = requests.request(type_, url, *args, **kwargs)
|
||||||
|
|
||||||
|
if r.status_code != 200 and retry > 0:
|
||||||
|
if self.refresh_token:
|
||||||
|
self._refresh()
|
||||||
|
|
||||||
|
else:
|
||||||
|
self._login()
|
||||||
|
|
||||||
|
r = self._request(type_, url, *args, **kwargs, retry=retry - 1)
|
||||||
|
|
||||||
|
return r
|
||||||
|
|
||||||
|
def get(self, url, *args, **kwargs):
|
||||||
|
return self._request("GET", f"{self.base_url}{url}", *args, **kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
client = RbClient("admin", "password")
|
||||||
|
|
||||||
|
print(client.get("/admin/users").json())
|
||||||
Reference in New Issue