rusty-bever/src/guards.rs

use hmac::{Hmac, NewMac};
use jwt::VerifyWithKey;
use rocket::{
    http::Status,
    outcome::try_outcome,
    request::{FromRequest, Outcome, Request},
    State,
};
use sha2::Sha256;

use crate::{auth::jwt::Claims, errors::RbError, RbConfig};

/// Extracts a "Authorization: Bearer" string from the headers.
pub struct Bearer<'a>(&'a str);

#[rocket::async_trait]
impl<'r> FromRequest<'r> for Bearer<'r>
{
    type Error = crate::errors::RbError;

    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
    {
        // If the header isn't present, just forward to the next route
        let header = match req.headers().get_one("Authorization") {
            None => return Outcome::Failure((Status::BadRequest, Self::Error::AuthMissingHeader)),
            Some(val) => val,
        };

        if !header.starts_with("Bearer ") {
            return Outcome::Forward(());
        }

        // Extract the jwt token from the header
        let auth_string = match header.get(7..) {
            Some(s) => s,
            None => return Outcome::Failure((Status::Unauthorized, Self::Error::AuthUnauthorized)),
        };

        Outcome::Success(Self(auth_string))
    }
}

/// Verifies the provided JWT is valid.
pub struct Jwt(Claims);

#[rocket::async_trait]
impl<'r> FromRequest<'r> for Jwt
{
    type Error = RbError;

    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
    {
        let bearer = try_outcome!(req.guard::<Bearer>().await).0;
        let config = try_outcome!(req.guard::<&State<RbConfig>>().await.map_failure(|_| (
            Status::InternalServerError,
            RbError::Custom("Couldn't get config guard.")
        )));

        let key: Hmac<Sha256> = match Hmac::new_from_slice(&config.jwt.key.as_bytes()) {
            Ok(key) => key,
            Err(_) => {
                return Outcome::Failure((
                    Status::InternalServerError,
                    Self::Error::Custom("Failed to do Hmac thing."),
                ))
            }
        };
        // Verify token using key
        let claims: Claims = match bearer.verify_with_key(&key) {
            Ok(claims) => claims,
            Err(_) => {
                return Outcome::Failure((Status::Unauthorized, Self::Error::AuthUnauthorized))
            }
        };

        Outcome::Success(Self(claims))
    }
}

/// Verifies the JWT has not expired.
pub struct User(Claims);

#[rocket::async_trait]
impl<'r> FromRequest<'r> for User
{
    type Error = crate::errors::RbError;

    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
    {
        let claims = try_outcome!(req.guard::<Jwt>().await).0;

        // Verify key hasn't yet expired
        if chrono::Utc::now().timestamp() > claims.exp {
            return Outcome::Failure((Status::Forbidden, Self::Error::AuthTokenExpired));
        }

        Outcome::Success(Self(claims))
    }
}

/// Verifies the JWT belongs to an admin.
pub struct Admin(Claims);

#[rocket::async_trait]
impl<'r> FromRequest<'r> for Admin
{
    type Error = crate::errors::RbError;

    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>
    {
        let user = try_outcome!(req.guard::<User>().await).0;

        if user.admin {
            Outcome::Success(Self(user))
        } else {
            Outcome::Failure((Status::Unauthorized, RbError::AuthUnauthorized))
        }
    }
}
Further split guards 2021-08-21 22:41:38 +02:00			`use hmac::{Hmac, NewMac};`
			`use jwt::VerifyWithKey;`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`use rocket::{`
			`http::Status,`
			`outcome::try_outcome,`
Further split guards 2021-08-21 22:41:38 +02:00			`request::{FromRequest, Outcome, Request},`
Fixed guard still using env var for jwt key 2021-09-01 16:18:48 +02:00			`State,`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`};`
			`use sha2::Sha256;`

Fixed guard still using env var for jwt key 2021-09-01 16:18:48 +02:00			`use crate::{auth::jwt::Claims, errors::RbError, RbConfig};`
Switched to binary-only project 2021-08-29 20:30:33 +02:00
Further split guards 2021-08-21 22:41:38 +02:00			`/// Extracts a "Authorization: Bearer" string from the headers.`
Added lifetime thingy 2021-08-23 12:01:04 +02:00			`pub struct Bearer<'a>(&'a str);`
Added Admin & User guards 2021-08-21 21:42:36 +02:00
			`#[rocket::async_trait]`
Added lifetime thingy 2021-08-23 12:01:04 +02:00			`impl<'r> FromRequest<'r> for Bearer<'r>`
Configured Rustfmt 2021-08-22 16:45:01 +02:00			`{`
Switched to binary-only project 2021-08-29 20:30:33 +02:00			`type Error = crate::errors::RbError;`
Added Admin & User guards 2021-08-21 21:42:36 +02:00
Configured Rustfmt 2021-08-22 16:45:01 +02:00			`async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>`
			`{`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`// If the header isn't present, just forward to the next route`
			`let header = match req.headers().get_one("Authorization") {`
Default catcher now returns json 2021-09-01 17:29:39 +02:00			`None => return Outcome::Failure((Status::BadRequest, Self::Error::AuthMissingHeader)),`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`Some(val) => val,`
			`};`

			`if !header.starts_with("Bearer ") {`
			`return Outcome::Forward(());`
			`}`

			`// Extract the jwt token from the header`
Further split guards 2021-08-21 22:41:38 +02:00			`let auth_string = match header.get(7..) {`
			`Some(s) => s,`
Default catcher now returns json 2021-09-01 17:29:39 +02:00			`None => return Outcome::Failure((Status::Unauthorized, Self::Error::AuthUnauthorized)),`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`};`

Added lifetime thingy 2021-08-23 12:01:04 +02:00			`Outcome::Success(Self(auth_string))`
Separated JWT header into own guard 2021-08-21 22:21:42 +02:00			`}`
			`}`

Further split guards 2021-08-21 22:41:38 +02:00			`/// Verifies the provided JWT is valid.`
Pleased the linters 2021-08-29 19:07:36 +02:00			`pub struct Jwt(Claims);`
Separated JWT header into own guard 2021-08-21 22:21:42 +02:00
			`#[rocket::async_trait]`
Pleased the linters 2021-08-29 19:07:36 +02:00			`impl<'r> FromRequest<'r> for Jwt`
Configured Rustfmt 2021-08-22 16:45:01 +02:00			`{`
Fixed guard still using env var for jwt key 2021-09-01 16:18:48 +02:00			`type Error = RbError;`
Separated JWT header into own guard 2021-08-21 22:21:42 +02:00
Configured Rustfmt 2021-08-22 16:45:01 +02:00			`async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>`
			`{`
Further split guards 2021-08-21 22:41:38 +02:00			`let bearer = try_outcome!(req.guard::<Bearer>().await).0;`
Fixed guard still using env var for jwt key 2021-09-01 16:18:48 +02:00			`let config = try_outcome!(req.guard::<&State<RbConfig>>().await.map_failure(\|_\| (`
			`Status::InternalServerError,`
			`RbError::Custom("Couldn't get config guard.")`
			`)));`
Separated JWT header into own guard 2021-08-21 22:21:42 +02:00
Fixed guard still using env var for jwt key 2021-09-01 16:18:48 +02:00			`let key: Hmac<Sha256> = match Hmac::new_from_slice(&config.jwt.key.as_bytes()) {`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`Ok(key) => key,`
			`Err(_) => {`
Renamed errors; changed Responser implementation 2021-08-28 22:06:09 +02:00			`return Outcome::Failure((`
			`Status::InternalServerError,`
			`Self::Error::Custom("Failed to do Hmac thing."),`
			`))`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`}`
			`};`
			`// Verify token using key`
Further split guards 2021-08-21 22:41:38 +02:00			`let claims: Claims = match bearer.verify_with_key(&key) {`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`Ok(claims) => claims,`
Renamed errors; changed Responser implementation 2021-08-28 22:06:09 +02:00			`Err(_) => {`
			`return Outcome::Failure((Status::Unauthorized, Self::Error::AuthUnauthorized))`
			`}`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`};`

Further split guards 2021-08-21 22:41:38 +02:00			`Outcome::Success(Self(claims))`
			`}`
			`}`

			`/// Verifies the JWT has not expired.`
			`pub struct User(Claims);`

			`#[rocket::async_trait]`
Configured Rustfmt 2021-08-22 16:45:01 +02:00			`impl<'r> FromRequest<'r> for User`
			`{`
Switched to binary-only project 2021-08-29 20:30:33 +02:00			`type Error = crate::errors::RbError;`
Further split guards 2021-08-21 22:41:38 +02:00
Configured Rustfmt 2021-08-22 16:45:01 +02:00			`async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>`
			`{`
Pleased the linters 2021-08-29 19:07:36 +02:00			`let claims = try_outcome!(req.guard::<Jwt>().await).0;`
Further split guards 2021-08-21 22:41:38 +02:00
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`// Verify key hasn't yet expired`
			`if chrono::Utc::now().timestamp() > claims.exp {`
Renamed errors; changed Responser implementation 2021-08-28 22:06:09 +02:00			`return Outcome::Failure((Status::Forbidden, Self::Error::AuthTokenExpired));`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`}`

			`Outcome::Success(Self(claims))`
			`}`
			`}`

Further split guards 2021-08-21 22:41:38 +02:00			`/// Verifies the JWT belongs to an admin.`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`pub struct Admin(Claims);`

			`#[rocket::async_trait]`
Configured Rustfmt 2021-08-22 16:45:01 +02:00			`impl<'r> FromRequest<'r> for Admin`
			`{`
Switched to binary-only project 2021-08-29 20:30:33 +02:00			`type Error = crate::errors::RbError;`
Added Admin & User guards 2021-08-21 21:42:36 +02:00
Configured Rustfmt 2021-08-22 16:45:01 +02:00			`async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error>`
			`{`
Added lifetime thingy 2021-08-23 12:01:04 +02:00			`let user = try_outcome!(req.guard::<User>().await).0;`

			`if user.admin {`
			`Outcome::Success(Self(user))`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`} else {`
Default catcher now returns json 2021-09-01 17:29:39 +02:00			`Outcome::Failure((Status::Unauthorized, RbError::AuthUnauthorized))`
Added Admin & User guards 2021-08-21 21:42:36 +02:00			`}`
			`}`
			`}`