cenere/mabel
cenere/mabel
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

refactor db code to more repositories
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse source
This commit is contained in:
Hamcha 2023-07-14 13:45:26 +02:00
parent 6058346808
commit bfbcda5304
Signed by: hamcha
GPG key ID: 1669C533B8CF6D89
11 changed files with 308 additions and 195 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
src/auth/hash.rs
View file

@ -21,3 +21,42 @@ pub fn verify(plaintext: &str, hash: &str) -> Result<bool> {
.verify_password(plaintext.as_bytes(), &parsed_hash) .verify_password(plaintext.as_bytes(), &parsed_hash)
.is_ok()) .is_ok())
} }
#[cfg(test)]
mod tests {
use std::collections::HashSet;
#[test]
fn test_hash_and_verify() {
// Create random password
let random = super::random();
// Hash password
let hash = super::hash(&random).unwrap();
// Verify should be true
assert!(super::verify(&random, &hash).unwrap());
}
#[test]
fn test_random_requirements() {
// Test that a large number of random strings are unique
const NUM_STRINGS: usize = 10000;
let mut strings = HashSet::new();
for _ in 0..NUM_STRINGS {
let random_string = super::random();
// Strings should also be long enough
assert!(random_string.len() >= 20);
assert!(
!strings.contains(&random_string),
"Duplicate string found: {}",
random_string
);
strings.insert(random_string);
}
}
}

140
src/auth/session.rs
View file

@ -1,14 +1,15 @@
use anyhow::{anyhow, Result}; use anyhow::anyhow;
use async_trait::async_trait;
use axum::http::StatusCode; use axum::http::StatusCode;
use chrono::{Duration, NaiveDateTime, Utc}; use chrono::{Duration, NaiveDateTime};
use cookie::Cookie; use cookie::Cookie;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use sqlx::{FromRow, Pool, Postgres}; use sqlx::FromRow;
use uuid::Uuid; use uuid::Uuid;
use crate::http::error::ApiError; use crate::{content::Error, http::error::ApiError};
use super::{hash::random, user::User}; use super::user::User;
pub const USER_NOT_FOUND: ApiError<'static> = ApiError::Client { pub const USER_NOT_FOUND: ApiError<'static> = ApiError::Client {
status: StatusCode::UNAUTHORIZED, status: StatusCode::UNAUTHORIZED,
@ -32,126 +33,39 @@ pub struct Session {
pub expires_at: NaiveDateTime, pub expires_at: NaiveDateTime,
} }
#[async_trait]
pub trait SessionRepository {
async fn create_session(&self, user_id: Uuid, duration: Duration) -> Result<Session, Error>;
async fn find_session(&self, session_id: Uuid) -> Result<Option<(Session, User)>, Error>;
async fn refresh_session(&self, session: Session, duration: Duration)
-> Result<Session, Error>;
async fn destroy_session(&self, session_id: Uuid) -> Result<(), Error>;
async fn prune_dead_sessions(&self) -> Result<u64, Error>;
}
impl Session { impl Session {
pub async fn create(pool: &Pool<Postgres>, user_id: Uuid, duration: Duration) -> Result<Self> {
let now = Utc::now().naive_utc();
let expires = now + duration;
let secret = random();
let result = sqlx::query!(
"INSERT INTO sessions (id, actor, secret, created_at, expires_at) VALUES ($1, $2, $3, $4, $5) RETURNING id",
Uuid::now_v7(),
user_id,
secret,
now,
expires
)
.fetch_one(pool)
.await?;
Ok(Self {
id: result.id,
actor: user_id,
secret,
created_at: now,
expires_at: now + duration,
})
}
pub async fn find(pool: &Pool<Postgres>, session_id: Uuid) -> Result<Option<(Self, User)>> {
let record = sqlx::query!(
"SELECT
sessions.id AS session_id,
sessions.actor AS session_actor,
sessions.secret,
sessions.created_at AS session_created_at,
sessions.expires_at,
users.id AS user_id,
users.name,
users.email,
users.display_name,
users.bio,
users.roles,
users.created_at AS user_created_at,
users.modified_at,
users.deleted_at
FROM
sessions
JOIN
users ON sessions.actor = users.id
WHERE
sessions.id = $1",
session_id
)
.fetch_optional(pool)
.await?;
Ok(record.map(|record| {
(
Self {
id: record.session_id,
actor: record.session_actor,
secret: record.secret,
created_at: record.session_created_at,
expires_at: record.expires_at,
},
User {
id: record.user_id,
name: record.name,
email: record.email,
password: None,
display_name: record.display_name,
bio: record.bio,
roles: record.roles,
created_at: record.user_created_at,
modified_at: record.modified_at,
deleted_at: record.deleted_at,
},
)
}))
}
pub async fn refresh(self, pool: &Pool<Postgres>, duration: Duration) -> Result<Self> {
let expires_at = (Utc::now() + duration).naive_utc();
sqlx::query!(
"UPDATE sessions SET expires_at = $1 WHERE id = $2 RETURNING id",
expires_at,
self.id
)
.fetch_one(pool)
.await?;
Ok(Session { expires_at, ..self })
}
pub fn token(&self) -> String { pub fn token(&self) -> String {
format!("{}:{}", self.id.as_u128(), self.secret) format!("{}:{}", self.id.as_u128(), self.secret)
} }
pub fn parse_token(token: &str) -> Result<(Uuid, String)> { pub fn parse_token(token: &str) -> Result<(Uuid, String), Error> {
let (uuid_str, token_str) = token let (uuid_str, token_str) = token
.split_once(':') .split_once(':')
.ok_or_else(|| anyhow!("malformed token"))?; .ok_or_else(|| Error::Internal(anyhow!("malformed token")))?;
Ok(( Ok((
Uuid::from_u128(uuid_str.parse::<u128>()?), Uuid::from_u128(
uuid_str
.parse::<u128>()
.map_err(|e| Error::Internal(e.into()))?,
),
token_str.to_string(), token_str.to_string(),
)) ))
} }
pub async fn destroy(&self, pool: &Pool<Postgres>) -> Result<()> {
sqlx::query!("DELETE FROM sessions WHERE id = $1", self.id)
.execute(pool)
.await?;
Ok(())
}
pub async fn prune_dead(pool: &Pool<Postgres>) -> Result<u64> {
let now = Utc::now().naive_utc();
let result = sqlx::query!("DELETE FROM sessions WHERE expires_at < $1", now)
.execute(pool)
.await?;
Ok(result.rows_affected())
}
pub fn cookie(&self, domain: &str, secure: bool) -> String { pub fn cookie(&self, domain: &str, secure: bool) -> String {
Cookie::build("session", self.token()) Cookie::build("session", self.token())
.domain(domain) .domain(domain)

42
src/auth/user.rs
View file

@ -1,10 +1,10 @@
use anyhow::Result; use async_trait::async_trait;
use chrono::NaiveDateTime; use chrono::NaiveDateTime;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use sqlx::{FromRow, Pool, Postgres}; use sqlx::FromRow;
use uuid::Uuid; use uuid::Uuid;
use super::hash::hash; use crate::content::Error;
#[derive(Deserialize, Serialize, Clone, FromRow)] #[derive(Deserialize, Serialize, Clone, FromRow)]
pub struct User { pub struct User {
@ -52,38 +52,18 @@ impl Default for User {
} }
} }
impl User { #[async_trait]
pub async fn create( pub trait UserRepository {
pool: &Pool<Postgres>, async fn create_user(
&self,
username: &str, username: &str,
password: &str, password: &str,
roles: &Vec<Uuid>, roles: &Vec<Uuid>,
) -> Result<Self> { ) -> Result<User, Error>;
let result = sqlx::query!(
r#"INSERT INTO users ( id, name, password, roles )
VALUES ( $1,$2,$3,$4 ) RETURNING id, created_at"#,
Uuid::now_v7(),
username,
hash(&password)?,
roles,
)
.fetch_one(pool)
.await?;
Ok(Self {
id: result.id,
name: username.to_owned(),
roles: roles.to_owned(),
created_at: result.created_at,
..Default::default()
})
}
pub async fn find(pool: &Pool<Postgres>, name: &str) -> Result<Option<Self>> { async fn find_user(&self, name: &str) -> Result<Option<User>, Error>;
Ok(sqlx::query_as("SELECT * FROM users WHERE name = $1")
.bind(name) async fn has_no_users(&self) -> Result<bool, Error>;
.fetch_optional(pool)
.await?)
}
} }
#[derive(Deserialize, Serialize, FromRow)] #[derive(Deserialize, Serialize, FromRow)]

3
src/content/mod.rs
View file

@ -15,4 +15,7 @@ pub enum Error {
#[error("Database error: {0}")] #[error("Database error: {0}")]
QueryFailed(#[from] sqlx::Error), QueryFailed(#[from] sqlx::Error),
#[error("Internal error: {0}")]
Internal(anyhow::Error),
} }

2
src/database/mod.rs
View file

@ -5,7 +5,9 @@ use crate::state::AppState;
pub mod collection; pub mod collection;
pub mod post; pub mod post;
pub mod session;
pub mod site; pub mod site;
pub mod user;
pub struct Database { pub struct Database {
pool: PgPool, pool: PgPool,

129
src/database/session.rs Normal file
View file

@ -0,0 +1,129 @@
use async_trait::async_trait;
use chrono::{Duration, Utc};
use uuid::Uuid;
use crate::{
auth::{
hash::random,
session::{Session, SessionRepository},
user::User,
},
content::Error,
};
use super::Database;
#[async_trait]
impl SessionRepository for Database {
async fn create_session(&self, user_id: Uuid, duration: Duration) -> Result<Session, Error> {
let now = Utc::now().naive_utc();
let expires = now + duration;
let secret = random();
let result = sqlx::query!(
"INSERT INTO sessions (id, actor, secret, created_at, expires_at) VALUES ($1, $2, $3, $4, $5) RETURNING id",
Uuid::now_v7(),
user_id,
secret,
now,
expires
)
.fetch_one(&self.pool)
.await?;
Ok(Session {
id: result.id,
actor: user_id,
secret,
created_at: now,
expires_at: now + duration,
})
}
async fn find_session(&self, session_id: Uuid) -> Result<Option<(Session, User)>, Error> {
let record = sqlx::query!(
"SELECT
sessions.id AS session_id,
sessions.actor AS session_actor,
sessions.secret,
sessions.created_at AS session_created_at,
sessions.expires_at,
users.id AS user_id,
users.name,
users.email,
users.display_name,
users.bio,
users.roles,
users.created_at AS user_created_at,
users.modified_at,
users.deleted_at
FROM
sessions
JOIN
users ON sessions.actor = users.id
WHERE
sessions.id = $1",
session_id
)
.fetch_optional(&self.pool)
.await?;
Ok(record.map(|record| {
(
Session {
id: record.session_id,
actor: record.session_actor,
secret: record.secret,
created_at: record.session_created_at,
expires_at: record.expires_at,
},
User {
id: record.user_id,
name: record.name,
email: record.email,
password: None,
display_name: record.display_name,
bio: record.bio,
roles: record.roles,
created_at: record.user_created_at,
modified_at: record.modified_at,
deleted_at: record.deleted_at,
},
)
}))
}
async fn refresh_session(
&self,
session: Session,
duration: Duration,
) -> Result<Session, Error> {
let expires_at = (Utc::now() + duration).naive_utc();
sqlx::query!(
"UPDATE sessions SET expires_at = $1 WHERE id = $2 RETURNING id",
expires_at,
session.id
)
.fetch_one(&self.pool)
.await?;
Ok(Session {
expires_at,
..session
})
}
async fn destroy_session(&self, session_id: Uuid) -> Result<(), Error> {
sqlx::query!("DELETE FROM sessions WHERE id = $1", session_id)
.execute(&self.pool)
.await?;
Ok(())
}
async fn prune_dead_sessions(&self) -> Result<u64, Error> {
let now = Utc::now().naive_utc();
let result = sqlx::query!("DELETE FROM sessions WHERE expires_at < $1", now)
.execute(&self.pool)
.await?;
Ok(result.rows_affected())
}
}

57
src/database/user.rs Normal file
View file

@ -0,0 +1,57 @@
use async_trait::async_trait;
use uuid::Uuid;
use crate::{
auth::hash::hash,
auth::user::{User, UserRepository},
content::Error,
};
use super::Database;
#[async_trait]
impl UserRepository for Database {
async fn create_user(
&self,
username: &str,
password: &str,
roles: &Vec<Uuid>,
) -> Result<User, Error> {
let result = sqlx::query!(
r#"INSERT INTO users ( id, name, password, roles )
VALUES ( $1,$2,$3,$4 ) RETURNING id, created_at"#,
Uuid::now_v7(),
username,
hash(&password).map_err(|e| Error::Internal(e))?,
roles,
)
.fetch_one(&self.pool)
.await?;
Ok(User {
id: result.id,
name: username.to_owned(),
roles: roles.to_owned(),
created_at: result.created_at,
..Default::default()
})
}
async fn find_user(&self, name: &str) -> Result<Option<User>, Error> {
Ok(sqlx::query_as("SELECT * FROM users WHERE name = $1")
.bind(name)
.fetch_optional(&self.pool)
.await?)
}
async fn has_no_users(&self) -> Result<bool, Error> {
// Check if the user table is completely empty
let empty = sqlx::query!(
"SELECT CASE WHEN EXISTS(SELECT 1 FROM users) THEN false ELSE true END AS empty;"
)
.map(|row| row.empty.unwrap_or(true))
.fetch_one(&self.pool)
.await?;
Ok(empty)
}
}

1
src/http/error.rs
View file

@ -87,6 +87,7 @@ impl From<content::Error> for ApiError<'_> {
content::Error::IdentifierNotAvailable => ERR_NOT_AVAILABLE, content::Error::IdentifierNotAvailable => ERR_NOT_AVAILABLE,
content::Error::AccessDenied => ERR_UNAUTHORIZED, content::Error::AccessDenied => ERR_UNAUTHORIZED,
content::Error::QueryFailed(err) => err.into(), content::Error::QueryFailed(err) => err.into(),
content::Error::Internal(err) => err.into(),
} }
} }
} }

26
src/http/session.rs
View file

@ -5,7 +5,7 @@ use axum::{
http::{ http::{
header::{COOKIE, SET_COOKIE}, header::{COOKIE, SET_COOKIE},
request::Parts, request::Parts,
HeaderValue, Request, StatusCode, Request, StatusCode,
}, },
middleware::Next, middleware::Next,
response::Response, response::Response,
@ -14,10 +14,13 @@ use axum::{
use chrono::{Duration, Utc}; use chrono::{Duration, Utc};
use cookie::Cookie; use cookie::Cookie;
use std::sync::Arc; use std::sync::Arc;
use uuid::Uuid;
use crate::{ use crate::{
auth::{session::Session, user::User}, auth::{
session::{Session, SessionRepository},
user::User,
},
database::Database,
http::error::ApiError, http::error::ApiError,
state::AppState, state::AppState,
}; };
@ -28,10 +31,6 @@ pub const INVALID_SESSION: ApiError = ApiError::Client {
message: "Please log-in and submit a valid session as a cookie", message: "Please log-in and submit a valid session as a cookie",
}; };
fn extract_session_token(header: &HeaderValue) -> Result<(Uuid, String)> {
Session::parse_token(Cookie::parse(header.to_str()?)?.value())
}
pub struct RequireUser(pub User); pub struct RequireUser(pub User);
#[async_trait] #[async_trait]
@ -91,17 +90,16 @@ pub async fn refresh_sessions<B>(
if let Some((session_id, session_secret)) = req if let Some((session_id, session_secret)) = req
.headers() .headers()
.get(COOKIE) .get(COOKIE)
.and_then(|header| extract_session_token(header).ok()) .and_then(|header| Cookie::parse(header.to_str().unwrap_or_default()).ok())
.and_then(|cookie| Session::parse_token(cookie.value()).ok())
{ {
if let Ok(Some((session, user))) = Session::find(&state.database, session_id).await { let database = Database::from(&state);
if let Ok(Some((session, user))) = database.find_session(session_id).await {
// session validity requirements: secret must match, session must not have been expired // session validity requirements: secret must match, session must not have been expired
if session.secret == session_secret && session.expires_at >= Utc::now().naive_utc() { if session.secret == session_secret && session.expires_at >= Utc::now().naive_utc() {
// in the future we might wanna change the session secret, if we do, do it here! // in the future we might wanna change the session secret, if we do, do it here!
if let Ok((session, user)) = session if let Ok((session, user)) = database
.refresh( .refresh_session(session, Duration::seconds(state.config.session_duration))
&state.database,
Duration::seconds(state.config.session_duration),
)
.await .await
.map(|s| (s, user)) .map(|s| (s, user))
{ {

32
src/routes/admin.rs
View file

@ -6,24 +6,15 @@ use axum::{extract::State, Router};
use serde_json::json; use serde_json::json;
use std::sync::Arc; use std::sync::Arc;
use crate::auth::user::UserRepository;
use crate::database::Database;
use crate::{ use crate::{
auth::{hash::random, user::User}, auth::hash::random, builtins::ROLE_SUPERADMIN, http::error::ApiError, state::AppState,
builtins::ROLE_SUPERADMIN,
http::error::ApiError,
state::AppState,
}; };
async fn bootstrap(State(state): State<Arc<AppState>>) -> impl IntoResponse { async fn bootstrap<Repo: UserRepository>(repository: Repo) -> impl IntoResponse {
// Only allow this request if the user table is completely empty! // Only allow this request if the user table is completely empty!
let empty = sqlx::query!( if !repository.has_no_users().await? {
"SELECT CASE WHEN EXISTS(SELECT 1 FROM users) THEN false ELSE true END AS empty;"
)
.map(|row| row.empty.unwrap_or(true))
.fetch_one(&state.database)
.await
.map_err(anyhow::Error::from)?;
if !empty {
return Err(ApiError::Client { return Err(ApiError::Client {
status: StatusCode::BAD_REQUEST, status: StatusCode::BAD_REQUEST,
code: "already-setup", code: "already-setup",
@ -34,18 +25,13 @@ async fn bootstrap(State(state): State<Arc<AppState>>) -> impl IntoResponse {
let username = "admin"; let username = "admin";
let password = random(); let password = random();
User::create( repository
&state.database, .create_user(username, &password, &[ROLE_SUPERADMIN].to_vec())
username, .await?;
&password,
&[ROLE_SUPERADMIN].to_vec(),
)
.await
.map_err(ApiError::from)?;
Ok(Json(json!({"username": username, "password": password}))) Ok(Json(json!({"username": username, "password": password})))
} }
pub fn router() -> Router<Arc<AppState>> { pub fn router() -> Router<Arc<AppState>> {
Router::new().route("/bootstrap", post(bootstrap)) Router::new().route("/bootstrap", post(bootstrap::<Database>))
} }

32
src/routes/auth.rs
View file

@ -11,7 +11,12 @@ use serde_json::json;
use std::sync::Arc; use std::sync::Arc;
use crate::{ use crate::{
auth::{hash::verify, session::Session, user::User}, auth::{
hash::verify,
session::{Session, SessionRepository},
user::UserRepository,
},
database::Database,
http::{ http::{
error::ApiError, error::ApiError,
json::JsonBody, json::JsonBody,
@ -26,11 +31,13 @@ struct LoginRequest {
pub password: String, pub password: String,
} }
async fn login( async fn login<Repo: UserRepository + SessionRepository>(
repository: Repo,
State(state): State<Arc<AppState>>, State(state): State<Arc<AppState>>,
JsonBody(payload): JsonBody<LoginRequest>, JsonBody(payload): JsonBody<LoginRequest>,
) -> impl IntoResponse { ) -> impl IntoResponse {
let user = User::find(&state.database, payload.username.as_str()) let user = repository
.find_user(payload.username.as_str())
.await .await
.map_err(ApiError::from)?; .map_err(ApiError::from)?;
@ -49,13 +56,9 @@ async fn login(
return Err(invalid()); return Err(invalid());
} }
let session = Session::create( let session = repository
&state.database, .create_session(user.id, Duration::seconds(state.config.session_duration))
user.id, .await?;
Duration::seconds(state.config.session_duration),
)
.await
.map_err(ApiError::from)?;
let token = session.token(); let token = session.token();
let mut response: Response = let mut response: Response =
@ -76,11 +79,12 @@ async fn me(RequireUser(user): RequireUser) -> Result<String, ApiError<'static>>
Ok(user.name) Ok(user.name)
} }
async fn logout( async fn logout<Repo: SessionRepository>(
repository: Repo,
State(state): State<Arc<AppState>>, State(state): State<Arc<AppState>>,
RequireSession(session): RequireSession, RequireSession(session): RequireSession,
) -> Result<impl IntoResponse, ApiError<'static>> { ) -> Result<impl IntoResponse, ApiError<'static>> {
session.destroy(&state.database).await?; repository.destroy_session(session.id).await?;
let mut response: Response = Json(json!({ "ok": true })).into_response(); let mut response: Response = Json(json!({ "ok": true })).into_response();
response.headers_mut().insert( response.headers_mut().insert(
@ -94,7 +98,7 @@ async fn logout(
pub fn router() -> Router<Arc<AppState>> { pub fn router() -> Router<Arc<AppState>> {
Router::new() Router::new()
.route("/login", post(login)) .route("/login", post(login::<Database>))
.route("/logout", post(logout)) .route("/logout", post(logout::<Database>))
.route("/me", get(me)) .route("/me", get(me))
} }