session management stuff

2023-06-30 15:02:20 +02:00 · 2023-06-30 15:02:20 +02:00 · 1d6270c551
parent 4bdb810e19
commit 1d6270c551
15 changed files with 263 additions and 105 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 /target
 /docker-data
+/.vscode
--- a/Cargo.toml
+++ b/Cargo.toml
@ -14,7 +14,7 @@ uuid = { version = "1.3", features = ["v4", "fast-rng", "serde"] }
 serde = { version = "1" }
 serde_json = { version = "1", features = ["raw_value"] }
 figment = { version = "0.10", features = ["toml", "env"] }
-chrono = { version = "0.4", features = ["serde"] }
+chrono = { version = "0.4", features = ["serde", "clock"] }
 anyhow = "1.0"
 argon2 = "0.5"

--- a/migrations/20230628223219_create-base.up.sql
+++ b/migrations/20230628223219_create-base.up.sql
@ -1,4 +1,4 @@
-CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; -- noqa: RF05

 CREATE TABLE users (
    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
--- a/migrations/20230630080241_add-sessions.down.sql
+++ b/migrations/20230630080241_add-sessions.down.sql
@ -0,0 +1 @@
+DROP TABLE sessions;
--- a/migrations/20230630080241_add-sessions.up.sql
+++ b/migrations/20230630080241_add-sessions.up.sql
@ -0,0 +1,9 @@
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; -- noqa: RF05
+
+CREATE TABLE sessions (
+    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+    actor UUID NOT NULL REFERENCES users (id) ON DELETE CASCADE,
+    secret VARCHAR NOT NULL,
+    created_at TIMESTAMP NOT NULL DEFAULT now(),
+    expires_at TIMESTAMP NOT NULL
+);
--- a/src/auth.rs
+++ b/src/auth.rs
@ -3,6 +3,135 @@ use argon2::{
    password_hash::{rand_core::OsRng, SaltString},
    Argon2, PasswordHash, PasswordHasher, PasswordVerifier,
 };
+use chrono::{
+    serde::{ts_seconds, ts_seconds_option},
+    DateTime, Duration, Utc,
+};
+use serde::{Deserialize, Serialize};
+use sqlx::{FromRow, Pool, Postgres};
+use uuid::Uuid;
+
+#[derive(Deserialize, Serialize, FromRow)]
+pub struct User {
+    /// User internal ID
+    pub id: Uuid,
+
+    /// User name (unique per instance, shows up in URLs)
+    pub name: String,
+
+    /// User email (for validation/login)
+    pub email: Option<String>,
+
+    /// Hashed password
+    pub password: Option<Vec<u8>>,
+
+    /// User's chosen displayed name
+    pub display_name: Option<String>,
+
+    /// Biography / User description
+    pub bio: Option<String>,
+
+    /// User roles (as role IDs)
+    pub roles: Vec<Uuid>,
+
+    /// Times
+    #[serde(with = "ts_seconds")]
+    pub created_at: DateTime<Utc>,
+    #[serde(with = "ts_seconds_option")]
+    pub modified_at: Option<DateTime<Utc>>,
+    #[serde(with = "ts_seconds_option")]
+    pub deleted_at: Option<DateTime<Utc>>,
+}
+
+#[derive(Deserialize, Serialize, FromRow)]
+pub struct Role {
+    /// Role ID
+    pub id: Uuid,
+
+    /// Role scopes (permissions)
+    pub scopes: Vec<String>,
+}
+
+#[derive(Deserialize, Serialize, FromRow)]
+pub struct Session {
+    /// Role ID
+    pub id: Uuid,
+
+    /// User ID
+    pub actor: Uuid,
+
+    /// Secret
+    pub secret: String,
+
+    /// Times
+    #[serde(with = "ts_seconds")]
+    pub created_at: DateTime<Utc>,
+    #[serde(with = "ts_seconds")]
+    pub expires_at: DateTime<Utc>,
+}
+
+impl Session {
+    pub async fn create(pool: &Pool<Postgres>, user_id: Uuid, duration: Duration) -> Result<Self> {
+        let now = Utc::now();
+        let expires = now + duration;
+        let secret = random();
+        let result = sqlx::query!(
+        "INSERT INTO sessions (actor, secret, created_at, expires_at) VALUES ($1, $2, $3, $4) RETURNING id",
+        user_id,
+        secret,
+        now.naive_utc(),
+        expires.naive_utc()
+    )
+    .fetch_one(pool)
+    .await?;
+        Ok(Self {
+            id: result.id,
+            actor: user_id,
+            secret: secret,
+            created_at: now,
+            expires_at: now + duration,
+        })
+    }
+
+    pub async fn find(pool: &Pool<Postgres>, id: Uuid) -> Result<Option<Self>> {
+        Ok(sqlx::query_as("SELECT * FROM sessions WHERE id = $1")
+            .bind(id)
+            .fetch_optional(pool)
+            .await?)
+    }
+
+    pub async fn refresh(self: Self, pool: &Pool<Postgres>, duration: Duration) -> Result<Self> {
+        let expires_at = Utc::now() + duration;
+        let secret = random();
+
+        sqlx::query!(
+            "UPDATE sessions SET secret = $1, expires_at = $2 WHERE id = $3 RETURNING id",
+            secret,
+            expires_at.naive_utc(),
+            self.id
+        )
+        .fetch_one(pool)
+        .await?;
+
+        Ok(Session {
+            secret,
+            expires_at,
+            ..self
+        })
+    }
+
+    pub fn token(self: &Self) -> String {
+        format!("{}:{}", self.id.as_u128(), self.secret)
+    }
+
+    pub fn parse_token(token: String) -> Result<(Uuid, String)> {
+        let (uuid_str, token_str) = token.split_once(":").ok_or(anyhow!("malformed token"))?;
+        Ok((
+            Uuid::from_u128(uuid_str.parse::<u128>()?),
+            token_str.to_string(),
+        ))
+    }
+}

 pub fn random() -> String {
    SaltString::generate(&mut OsRng).to_string()
--- a/src/content.rs
+++ b/src/content.rs
@ -3,47 +3,6 @@ use serde::{Deserialize, Serialize};
 use sqlx::{types::Json, FromRow};
 use uuid::Uuid;

-#[derive(Deserialize, Serialize, FromRow)]
-pub struct User {
-    /// User internal ID
-    pub id: Uuid,
-
-    /// User name (unique per instance, shows up in URLs)
-    pub name: String,
-
-    /// User email (for validation/login)
-    pub email: Option<String>,
-
-    /// Hashed password
-    pub password: Option<Vec<u8>>,
-
-    /// User's chosen displayed name
-    pub display_name: Option<String>,
-
-    /// Biography / User description
-    pub bio: Option<String>,
-
-    /// User roles (as role IDs)
-    pub roles: Vec<Uuid>,
-
-    /// Times
-    #[serde(with = "ts_seconds")]
-    pub created_at: DateTime<Utc>,
-    #[serde(with = "ts_seconds_option")]
-    pub modified_at: Option<DateTime<Utc>>,
-    #[serde(with = "ts_seconds_option")]
-    pub deleted_at: Option<DateTime<Utc>>,
-}
-
-#[derive(Deserialize, Serialize, FromRow)]
-pub struct Role {
-    /// Role ID
-    pub id: Uuid,
-
-    /// Role scopes (permissions)
-    pub scopes: Vec<String>,
-}
-
 #[derive(Deserialize, Serialize, FromRow)]
 pub struct Site {
    /// Site internal ID
--- a/src/error.rs
+++ b/src/error.rs
@ -1,3 +1,5 @@
+use std::error::Error;
+
 use axum::{
    http::StatusCode,
    response::{IntoResponse, Response},
--- a/src/main.rs
+++ b/src/main.rs
@ -14,25 +14,11 @@ use figment::{
    providers::{Env, Format, Serialized, Toml},
    Figment,
 };
-use serde::{Deserialize, Serialize};
 use sqlx::postgres::PgPoolOptions;
 use state::AppState;
 use std::{net::SocketAddr, sync::Arc};

-#[derive(Deserialize, Serialize)]
-struct Config {
-    bind: String,
-    database_url: String,
-}
-
-impl Default for Config {
-    fn default() -> Self {
-        Config {
-            bind: "127.0.0.1:3000".to_owned(),
-            database_url: "postgres://artificiale:changeme@localhost/artificiale".to_owned(),
-        }
-    }
-}
+use crate::state::Config;

 #[tokio::main]
 async fn main() -> Result<()> {
@ -42,22 +28,23 @@ async fn main() -> Result<()> {
        .merge(Toml::file("mabel.toml"))
        .merge(Env::prefixed("MABEL_"))
        .extract()?;
+    let addr: SocketAddr = config.bind.parse()?;

-    let pool = PgPoolOptions::new()
+    let database = PgPoolOptions::new()
        .max_connections(5)
        .connect(config.database_url.as_str())
        .await?;

-    sqlx::migrate!().run(&pool).await?;
+    sqlx::migrate!().run(&database).await?;

-    let shared_state = Arc::new(AppState { database: pool });
+    let shared_state = Arc::new(AppState { database, config });

    let app = Router::new()
+        .route("/auth/login", post(routes::auth::login))
        .route("/pages/:site/:slug", get(routes::content::page))
        .route("/admin/bootstrap", post(routes::admin::bootstrap))
        .with_state(shared_state);

-    let addr: SocketAddr = config.bind.parse()?;
    tracing::debug!("listening on {}", addr);
    Server::bind(&addr).serve(app.into_make_service()).await?;
    Ok(())
--- a/src/routes/admin.rs
+++ b/src/routes/admin.rs
@ -1,9 +1,8 @@
-use std::sync::Arc;
-
 use axum::extract::State;
 use axum::http::StatusCode;
 use axum::Json;
 use serde_json::{json, Value};
+use std::sync::Arc;

 use crate::auth::{hash, random};
 use crate::error::AppError;
@ -22,8 +21,8 @@ pub async fn bootstrap(State(state): State<Arc<AppState>>) -> Result<Json<Value>
    if empty {
        return Err(AppError::ClientError {
            status: StatusCode::BAD_REQUEST,
-            code: "already-setup".to_string(),
-            message: "The instance was already bootstrapped".to_string(),
+            code: "already-setup".into(),
+            message: "The instance was already bootstrapped".into(),
        });
    }

--- a/src/routes/auth.rs
+++ b/src/routes/auth.rs
@ -0,0 +1,52 @@
+use axum::{extract::State, http::StatusCode, Json};
+use chrono::Duration;
+use serde::Deserialize;
+use serde_json::{json, Value};
+use std::sync::Arc;
+
+use crate::{
+    auth::{verify, Session},
+    error::AppError,
+    state::AppState,
+};
+
+#[derive(Deserialize)]
+pub struct LoginRequest {
+    pub username: String,
+    pub password: String,
+}
+
+pub async fn login(
+    State(state): State<Arc<AppState>>,
+    Json(payload): Json<LoginRequest>,
+) -> Result<Json<Value>, AppError> {
+    let user = sqlx::query!("SELECT * FROM users WHERE name = $1", payload.username)
+        .fetch_optional(&state.database)
+        .await?;
+
+    let invalid = || -> AppError {
+        AppError::ClientError {
+            status: StatusCode::UNAUTHORIZED,
+            code: "invalid-login".into(),
+            message: "No matching user was found".into(),
+        }
+    };
+
+    let user = user.ok_or_else(invalid)?;
+    let plaintext = user.password.ok_or_else(invalid)?;
+
+    if !verify(&payload.password, &plaintext)? {
+        return Err(invalid());
+    }
+
+    let session = Session::create(
+        &state.database,
+        user.id,
+        Duration::seconds(state.config.session_duration.into()),
+    )
+    .await?;
+
+    Ok(Json(
+        json!({ "session_token": session.token(), "expires_at": session.expires_at }),
+    ))
+}
--- a/src/routes/content.rs
+++ b/src/routes/content.rs
@ -1,7 +1,6 @@
-use std::sync::Arc;
-
 use crate::{content::Page, error::AppError, state::AppState};
 use axum::extract::{Path, State};
+use std::sync::Arc;

 pub async fn page(
    State(state): State<Arc<AppState>>,
--- a/src/routes/mod.rs
+++ b/src/routes/mod.rs
@ -1,2 +1,3 @@
 pub mod admin;
+pub mod auth;
 pub mod content;
--- a/src/state.rs
+++ b/src/state.rs
@ -1,5 +1,24 @@
+use serde::{Deserialize, Serialize};
 use sqlx::{Pool, Postgres};

+#[derive(Deserialize, Serialize, Clone)]
+pub struct Config {
+    pub bind: String,
+    pub database_url: String,
+    pub session_duration: i32, // in seconds
+}
+
+impl Default for Config {
+    fn default() -> Self {
+        Config {
+            bind: "127.0.0.1:3000".to_owned(),
+            database_url: "postgres://artificiale:changeme@localhost/artificiale".to_owned(),
+            session_duration: 1440, // 24min
+        }
+    }
+}
+
 pub struct AppState {
    pub database: Pool<Postgres>,
+    pub config: Config,
 }