gorb/backend
4
0
Fork 1
Code Issues 1 Pull requests 1 Projects Releases Packages 1 Wiki Activity Actions

feat: migrate to diesel and new error type in auth

Browse source
This commit is contained in:
Radical 2025-05-23 12:55:27 +02:00
parent 49db25e454
commit bf51f623e4
5 changed files with 162 additions and 346 deletions
Download patch file Download diff file Expand all files Collapse all files

152
src/api/v1/auth/login.rs
View file

@ -1,14 +1,14 @@
use std::time::{SystemTime, UNIX_EPOCH}; use std::time::{SystemTime, UNIX_EPOCH};
use actix_web::{Error, HttpResponse, post, web}; use actix_web::{HttpResponse, post, web};
use argon2::{PasswordHash, PasswordVerifier}; use argon2::{PasswordHash, PasswordVerifier};
use log::error; use diesel::{dsl::insert_into, ExpressionMethods, QueryDsl};
use diesel_async::RunQueryDsl;
use serde::Deserialize; use serde::Deserialize;
use uuid::Uuid;
use crate::{ use crate::{
Data, error::Error, api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX}, schema::*, utils::{generate_access_token, generate_refresh_token, refresh_token_cookie}, Data
api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX},
utils::{generate_access_token, generate_refresh_token, refresh_token_cookie},
}; };
use super::Response; use super::Response;
@ -29,66 +29,42 @@ pub async fn response(
return Ok(HttpResponse::Forbidden().json(r#"{ "password_hashed": false }"#)); return Ok(HttpResponse::Forbidden().json(r#"{ "password_hashed": false }"#));
} }
use users::dsl;
let mut conn = data.pool.get().await?;
if EMAIL_REGEX.is_match(&login_information.username) { if EMAIL_REGEX.is_match(&login_information.username) {
let row = // FIXME: error handling, right now i just want this to work
sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE email = $1") let (uuid, password): (Uuid, String) = dsl::users
.bind(&login_information.username) .filter(dsl::email.eq(&login_information.username))
.fetch_one(&data.pool) .select((dsl::uuid, dsl::password))
.await; .get_result(&mut conn)
.await?;
if let Err(error) = row { return login(
if error.to_string()
== "no rows returned by a query that expected to return at least one row"
{
return Ok(HttpResponse::Unauthorized().finish());
}
error!("{}", error);
return Ok(HttpResponse::InternalServerError().json(
r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#,
));
}
let (uuid, password): (String, String) = row.unwrap();
return Ok(login(
data.clone(), data.clone(),
uuid, uuid,
login_information.password.clone(), login_information.password.clone(),
password, password,
login_information.device_name.clone(), login_information.device_name.clone(),
) )
.await); .await;
} else if USERNAME_REGEX.is_match(&login_information.username) { } else if USERNAME_REGEX.is_match(&login_information.username) {
let row = // FIXME: error handling, right now i just want this to work
sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE username = $1") let (uuid, password): (Uuid, String) = dsl::users
.bind(&login_information.username) .filter(dsl::username.eq(&login_information.username))
.fetch_one(&data.pool) .select((dsl::uuid, dsl::password))
.await; .get_result(&mut conn)
.await?;
if let Err(error) = row { return login(
if error.to_string()
== "no rows returned by a query that expected to return at least one row"
{
return Ok(HttpResponse::Unauthorized().finish());
}
error!("{}", error);
return Ok(HttpResponse::InternalServerError().json(
r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#,
));
}
let (uuid, password): (String, String) = row.unwrap();
return Ok(login(
data.clone(), data.clone(),
uuid, uuid,
login_information.password.clone(), login_information.password.clone(),
password, password,
login_information.device_name.clone(), login_information.device_name.clone(),
) )
.await); .await;
} }
Ok(HttpResponse::Unauthorized().finish()) Ok(HttpResponse::Unauthorized().finish())
@ -96,79 +72,45 @@ pub async fn response(
async fn login( async fn login(
data: actix_web::web::Data<Data>, data: actix_web::web::Data<Data>,
uuid: String, uuid: Uuid,
request_password: String, request_password: String,
database_password: String, database_password: String,
device_name: String, device_name: String,
) -> HttpResponse { ) -> Result<HttpResponse, Error> {
let parsed_hash_raw = PasswordHash::new(&database_password); let mut conn = data.pool.get().await?;
if let Err(error) = parsed_hash_raw { let parsed_hash = PasswordHash::new(&database_password).map_err(|e| Error::PasswordHashError(e.to_string()))?;
error!("{}", error);
return HttpResponse::InternalServerError().finish();
}
let parsed_hash = parsed_hash_raw.unwrap();
if data if data
.argon2 .argon2
.verify_password(request_password.as_bytes(), &parsed_hash) .verify_password(request_password.as_bytes(), &parsed_hash)
.is_err() .is_err()
{ {
return HttpResponse::Unauthorized().finish(); return Err(Error::Unauthorized("Wrong username or password".to_string()));
} }
let refresh_token_raw = generate_refresh_token(); let refresh_token = generate_refresh_token()?;
let access_token_raw = generate_access_token(); let access_token = generate_access_token()?;
if let Err(error) = refresh_token_raw {
error!("{}", error);
return HttpResponse::InternalServerError().finish();
}
let refresh_token = refresh_token_raw.unwrap();
if let Err(error) = access_token_raw {
error!("{}", error);
return HttpResponse::InternalServerError().finish();
}
let access_token = access_token_raw.unwrap();
let current_time = SystemTime::now() let current_time = SystemTime::now()
.duration_since(UNIX_EPOCH) .duration_since(UNIX_EPOCH)?
.unwrap()
.as_secs() as i64; .as_secs() as i64;
if let Err(error) = sqlx::query(&format!( use refresh_tokens::dsl as rdsl;
"INSERT INTO refresh_tokens (token, uuid, created_at, device_name) VALUES ($1, '{}', $2, $3 )",
uuid
))
.bind(&refresh_token)
.bind(current_time)
.bind(device_name)
.execute(&data.pool)
.await
{
error!("{}", error);
return HttpResponse::InternalServerError().finish();
}
if let Err(error) = sqlx::query(&format!( insert_into(refresh_tokens::table)
"INSERT INTO access_tokens (token, refresh_token, uuid, created_at) VALUES ($1, $2, '{}', $3 )", .values((rdsl::token.eq(&refresh_token), rdsl::uuid.eq(uuid), rdsl::created_at.eq(current_time), rdsl::device_name.eq(device_name)))
uuid .execute(&mut conn)
)) .await?;
.bind(&access_token)
.bind(&refresh_token)
.bind(current_time)
.execute(&data.pool)
.await
{
error!("{}", error);
return HttpResponse::InternalServerError().finish()
}
HttpResponse::Ok() use access_tokens::dsl as adsl;
insert_into(access_tokens::table)
.values((adsl::token.eq(&access_token), adsl::refresh_token.eq(&refresh_token), adsl::uuid.eq(uuid), adsl::created_at.eq(current_time)))
.execute(&mut conn)
.await?;
Ok(HttpResponse::Ok()
.cookie(refresh_token_cookie(refresh_token)) .cookie(refresh_token_cookie(refresh_token))
.json(Response { access_token }) .json(Response { access_token }))
} }

53
src/api/v1/auth/mod.rs
View file

@ -1,16 +1,17 @@
use std::{ use std::{
str::FromStr,
sync::LazyLock, sync::LazyLock,
time::{SystemTime, UNIX_EPOCH}, time::{SystemTime, UNIX_EPOCH},
}; };
use actix_web::{HttpResponse, Scope, web}; use actix_web::{Scope, web};
use log::error; use diesel::{ExpressionMethods, QueryDsl};
use diesel_async::RunQueryDsl;
use regex::Regex; use regex::Regex;
use serde::Serialize; use serde::Serialize;
use sqlx::Postgres;
use uuid::Uuid; use uuid::Uuid;
use crate::{error::Error, Conn, schema::access_tokens::dsl};
mod login; mod login;
mod refresh; mod refresh;
mod register; mod register;
@ -40,40 +41,30 @@ pub fn web() -> Scope {
pub async fn check_access_token( pub async fn check_access_token(
access_token: &str, access_token: &str,
pool: &sqlx::Pool<Postgres>, conn: &mut Conn,
) -> Result<Uuid, HttpResponse> { ) -> Result<Uuid, Error> {
let row = sqlx::query_as( let (uuid, created_at): (Uuid, i64) = dsl::access_tokens
"SELECT CAST(uuid as VARCHAR), created_at FROM access_tokens WHERE token = $1", .filter(dsl::token.eq(access_token))
) .select((dsl::uuid, dsl::created_at))
.bind(access_token) .get_result(conn)
.fetch_one(pool) .await
.await; .map_err(|error| {
if error == diesel::result::Error::NotFound {
if let Err(error) = row { Error::Unauthorized("Invalid access token".to_string())
if error.to_string() } else {
== "no rows returned by a query that expected to return at least one row" Error::from(error)
{ }
return Err(HttpResponse::Unauthorized().finish()); })?;
}
error!("{}", error);
return Err(HttpResponse::InternalServerError().json(
r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#,
));
}
let (uuid, created_at): (String, i64) = row.unwrap();
let current_time = SystemTime::now() let current_time = SystemTime::now()
.duration_since(UNIX_EPOCH) .duration_since(UNIX_EPOCH)?
.unwrap()
.as_secs() as i64; .as_secs() as i64;
let lifetime = current_time - created_at; let lifetime = current_time - created_at;
if lifetime > 3600 { if lifetime > 3600 {
return Err(HttpResponse::Unauthorized().finish()); return Err(Error::Unauthorized("Invalid access token".to_string()));
} }
Ok(Uuid::from_str(&uuid).unwrap()) Ok(uuid)
} }

75
src/api/v1/auth/refresh.rs
View file

@ -1,10 +1,11 @@
use actix_web::{Error, HttpRequest, HttpResponse, post, web}; use actix_web::{HttpRequest, HttpResponse, post, web};
use diesel::{delete, update, ExpressionMethods, QueryDsl};
use diesel_async::RunQueryDsl;
use log::error; use log::error;
use std::time::{SystemTime, UNIX_EPOCH}; use std::time::{SystemTime, UNIX_EPOCH};
use crate::{ use crate::{
Data, error::Error, schema::{access_tokens::{self, dsl}, refresh_tokens::{self, dsl as rdsl}}, utils::{generate_access_token, generate_refresh_token, refresh_token_cookie}, Data
utils::{generate_access_token, generate_refresh_token, refresh_token_cookie},
}; };
use super::Response; use super::Response;
@ -20,23 +21,23 @@ pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse
let mut refresh_token = String::from(recv_refresh_token_cookie.unwrap().value()); let mut refresh_token = String::from(recv_refresh_token_cookie.unwrap().value());
let current_time = SystemTime::now() let current_time = SystemTime::now()
.duration_since(UNIX_EPOCH) .duration_since(UNIX_EPOCH)?
.unwrap()
.as_secs() as i64; .as_secs() as i64;
if let Ok(row) = sqlx::query_scalar("SELECT created_at FROM refresh_tokens WHERE token = $1") let mut conn = data.pool.get().await?;
.bind(&refresh_token)
.fetch_one(&data.pool) if let Ok(created_at) = rdsl::refresh_tokens
.filter(rdsl::token.eq(&refresh_token))
.select(rdsl::created_at)
.get_result::<i64>(&mut conn)
.await .await
{ {
let created_at: i64 = row;
let lifetime = current_time - created_at; let lifetime = current_time - created_at;
if lifetime > 2592000 { if lifetime > 2592000 {
if let Err(error) = sqlx::query("DELETE FROM refresh_tokens WHERE token = $1") if let Err(error) = delete(refresh_tokens::table)
.bind(&refresh_token) .filter(rdsl::token.eq(&refresh_token))
.execute(&data.pool) .execute(&mut conn)
.await .await
{ {
error!("{}", error); error!("{}", error);
@ -52,8 +53,7 @@ pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse
} }
let current_time = SystemTime::now() let current_time = SystemTime::now()
.duration_since(UNIX_EPOCH) .duration_since(UNIX_EPOCH)?
.unwrap()
.as_secs() as i64; .as_secs() as i64;
if lifetime > 1987200 { if lifetime > 1987200 {
@ -66,14 +66,14 @@ pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse
let new_refresh_token = new_refresh_token.unwrap(); let new_refresh_token = new_refresh_token.unwrap();
match sqlx::query( match update(refresh_tokens::table)
"UPDATE refresh_tokens SET token = $1, created_at = $2 WHERE token = $3", .filter(rdsl::token.eq(&refresh_token))
) .set((
.bind(&new_refresh_token) rdsl::token.eq(&new_refresh_token),
.bind(current_time) rdsl::created_at.eq(current_time),
.bind(&refresh_token) ))
.execute(&data.pool) .execute(&mut conn)
.await .await
{ {
Ok(_) => { Ok(_) => {
refresh_token = new_refresh_token; refresh_token = new_refresh_token;
@ -84,27 +84,16 @@ pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse
} }
} }
let access_token = generate_access_token(); let access_token = generate_access_token()?;
if access_token.is_err() { update(access_tokens::table)
error!("{}", access_token.unwrap_err()); .filter(dsl::refresh_token.eq(&refresh_token))
return Ok(HttpResponse::InternalServerError().finish()); .set((
} dsl::token.eq(&access_token),
dsl::created_at.eq(current_time),
let access_token = access_token.unwrap(); ))
.execute(&mut conn)
if let Err(error) = sqlx::query( .await?;
"UPDATE access_tokens SET token = $1, created_at = $2 WHERE refresh_token = $3",
)
.bind(&access_token)
.bind(current_time)
.bind(&refresh_token)
.execute(&data.pool)
.await
{
error!("{}", error);
return Ok(HttpResponse::InternalServerError().finish());
}
return Ok(HttpResponse::Ok() return Ok(HttpResponse::Ok()
.cookie(refresh_token_cookie(refresh_token)) .cookie(refresh_token_cookie(refresh_token))

123
src/api/v1/auth/register.rs
View file

@ -1,19 +1,18 @@
use std::time::{SystemTime, UNIX_EPOCH}; use std::time::{SystemTime, UNIX_EPOCH};
use actix_web::{Error, HttpResponse, post, web}; use actix_web::{HttpResponse, post, web};
use argon2::{ use argon2::{
PasswordHasher, PasswordHasher,
password_hash::{SaltString, rand_core::OsRng}, password_hash::{SaltString, rand_core::OsRng},
}; };
use log::error; use diesel::{dsl::insert_into, ExpressionMethods};
use diesel_async::RunQueryDsl;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use uuid::Uuid; use uuid::Uuid;
use super::Response; use super::Response;
use crate::{ use crate::{
Data, api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX}, error::Error, schema::{access_tokens::{self, dsl as adsl}, refresh_tokens::{self, dsl as rdsl}, users::{self, dsl as udsl}}, utils::{generate_access_token, generate_refresh_token, refresh_token_cookie}, Data
api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX},
utils::{generate_access_token, generate_refresh_token, refresh_token_cookie},
}; };
#[derive(Deserialize)] #[derive(Deserialize)]
@ -92,91 +91,49 @@ pub async fn res(
.argon2 .argon2
.hash_password(account_information.password.as_bytes(), &salt) .hash_password(account_information.password.as_bytes(), &salt)
{ {
let mut conn = data.pool.get().await?;
// TODO: Check security of this implementation // TODO: Check security of this implementation
return Ok( insert_into(users::table)
match sqlx::query(&format!( .values((
"INSERT INTO users (uuid, username, password, email) VALUES ( '{}', $1, $2, $3 )", udsl::uuid.eq(uuid),
uuid udsl::username.eq(&account_information.identifier),
udsl::password.eq(hashed_password.to_string()),
udsl::email.eq(&account_information.email),
)) ))
.bind(&account_information.identifier) .execute(&mut conn)
.bind(hashed_password.to_string()) .await?;
.bind(&account_information.email)
.execute(&data.pool)
.await
{
Ok(_out) => {
let refresh_token = generate_refresh_token();
let access_token = generate_access_token();
if refresh_token.is_err() { let refresh_token = generate_refresh_token()?;
error!("{}", refresh_token.unwrap_err()); let access_token = generate_access_token()?;
return Ok(HttpResponse::InternalServerError().finish());
}
let refresh_token = refresh_token.unwrap(); let current_time = SystemTime::now()
.duration_since(UNIX_EPOCH)?
.as_secs() as i64;
if access_token.is_err() { insert_into(refresh_tokens::table)
error!("{}", access_token.unwrap_err()); .values((
return Ok(HttpResponse::InternalServerError().finish()); rdsl::token.eq(&refresh_token),
} rdsl::uuid.eq(uuid),
rdsl::created_at.eq(current_time),
rdsl::device_name.eq(&account_information.device_name),
))
.execute(&mut conn)
.await?;
let access_token = access_token.unwrap(); insert_into(access_tokens::table)
.values((
adsl::token.eq(&access_token),
adsl::refresh_token.eq(&refresh_token),
adsl::uuid.eq(uuid),
adsl::created_at.eq(current_time),
))
.execute(&mut conn)
.await?;
let current_time = SystemTime::now() return Ok(HttpResponse::Ok()
.duration_since(UNIX_EPOCH) .cookie(refresh_token_cookie(refresh_token))
.unwrap() .json(Response { access_token }))
.as_secs() as i64;
if let Err(error) = sqlx::query(&format!("INSERT INTO refresh_tokens (token, uuid, created_at, device_name) VALUES ($1, '{}', $2, $3 )", uuid))
.bind(&refresh_token)
.bind(current_time)
.bind(&account_information.device_name)
.execute(&data.pool)
.await {
error!("{}", error);
return Ok(HttpResponse::InternalServerError().finish())
}
if let Err(error) = sqlx::query(&format!("INSERT INTO access_tokens (token, refresh_token, uuid, created_at) VALUES ($1, $2, '{}', $3 )", uuid))
.bind(&access_token)
.bind(&refresh_token)
.bind(current_time)
.execute(&data.pool)
.await {
error!("{}", error);
return Ok(HttpResponse::InternalServerError().finish())
}
HttpResponse::Ok()
.cookie(refresh_token_cookie(refresh_token))
.json(Response { access_token })
}
Err(error) => {
let err_msg = error.as_database_error().unwrap().message();
match err_msg {
err_msg
if err_msg.contains("unique") && err_msg.contains("username_key") =>
{
HttpResponse::Forbidden().json(ResponseError {
gorb_id_available: false,
..Default::default()
})
}
err_msg if err_msg.contains("unique") && err_msg.contains("email_key") => {
HttpResponse::Forbidden().json(ResponseError {
email_available: false,
..Default::default()
})
}
_ => {
error!("{}", err_msg);
HttpResponse::InternalServerError().finish()
}
}
}
},
);
} }
Ok(HttpResponse::InternalServerError().finish()) Ok(HttpResponse::InternalServerError().finish())

105
src/api/v1/auth/revoke.rs
View file

@ -1,10 +1,10 @@
use actix_web::{Error, HttpRequest, HttpResponse, post, web}; use actix_web::{HttpRequest, HttpResponse, post, web};
use argon2::{PasswordHash, PasswordVerifier}; use argon2::{PasswordHash, PasswordVerifier};
use futures::future; use diesel::{delete, ExpressionMethods, QueryDsl};
use log::error; use diesel_async::RunQueryDsl;
use serde::{Deserialize, Serialize}; use serde::Deserialize;
use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header}; use crate::{api::v1::auth::check_access_token, error::Error, schema::users::dsl as udsl, schema::refresh_tokens::{self, dsl as rdsl}, utils::get_auth_header, Data};
#[derive(Deserialize)] #[derive(Deserialize)]
struct RevokeRequest { struct RevokeRequest {
@ -12,17 +12,6 @@ struct RevokeRequest {
device_name: String, device_name: String,
} }
#[derive(Serialize)]
struct Response {
deleted: bool,
}
impl Response {
fn new(deleted: bool) -> Self {
Self { deleted }
}
}
// TODO: Should maybe be a delete request? // TODO: Should maybe be a delete request?
#[post("/revoke")] #[post("/revoke")]
pub async fn res( pub async fn res(
@ -32,85 +21,33 @@ pub async fn res(
) -> Result<HttpResponse, Error> { ) -> Result<HttpResponse, Error> {
let headers = req.headers(); let headers = req.headers();
let auth_header = get_auth_header(headers); let auth_header = get_auth_header(headers)?;
if let Err(error) = auth_header { let mut conn = data.pool.get().await?;
return Ok(error);
}
let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; let uuid = check_access_token(auth_header, &mut conn).await?;
if let Err(error) = authorized { let database_password: String = udsl::users
return Ok(error); .filter(udsl::uuid.eq(uuid))
} .select(udsl::password)
.get_result(&mut conn)
.await?;
let uuid = authorized.unwrap(); let hashed_password = PasswordHash::new(&database_password).map_err(|e| Error::PasswordHashError(e.to_string()))?;
let database_password_raw = sqlx::query_scalar(&format!(
"SELECT password FROM users WHERE uuid = '{}'",
uuid
))
.fetch_one(&data.pool)
.await;
if let Err(error) = database_password_raw {
error!("{}", error);
return Ok(HttpResponse::InternalServerError().json(Response::new(false)));
}
let database_password: String = database_password_raw.unwrap();
let hashed_password_raw = PasswordHash::new(&database_password);
if let Err(error) = hashed_password_raw {
error!("{}", error);
return Ok(HttpResponse::InternalServerError().json(Response::new(false)));
}
let hashed_password = hashed_password_raw.unwrap();
if data if data
.argon2 .argon2
.verify_password(revoke_request.password.as_bytes(), &hashed_password) .verify_password(revoke_request.password.as_bytes(), &hashed_password)
.is_err() .is_err()
{ {
return Ok(HttpResponse::Unauthorized().finish()); return Err(Error::Unauthorized("Wrong username or password".to_string()));
} }
let tokens_raw = sqlx::query_scalar(&format!( delete(refresh_tokens::table)
"SELECT token FROM refresh_tokens WHERE uuid = '{}' AND device_name = $1", .filter(rdsl::uuid.eq(uuid))
uuid .filter(rdsl::device_name.eq(&revoke_request.device_name))
)) .execute(&mut conn)
.bind(&revoke_request.device_name) .await?;
.fetch_all(&data.pool)
.await;
if tokens_raw.is_err() { Ok(HttpResponse::Ok().finish())
error!("{:?}", tokens_raw);
return Ok(HttpResponse::InternalServerError().json(Response::new(false)));
}
let tokens: Vec<String> = tokens_raw.unwrap();
let mut refresh_tokens_delete = vec![];
for token in tokens {
refresh_tokens_delete.push(
sqlx::query("DELETE FROM refresh_tokens WHERE token = $1")
.bind(token.clone())
.execute(&data.pool),
);
}
let results = future::join_all(refresh_tokens_delete).await;
let errors: Vec<&Result<sqlx::postgres::PgQueryResult, sqlx::Error>> =
results.iter().filter(|r| r.is_err()).collect();
if !errors.is_empty() {
error!("{:?}", errors);
return Ok(HttpResponse::InternalServerError().finish());
}
Ok(HttpResponse::Ok().json(Response::new(true)))
} }