From cbf0131d14d975e50011e6c8a94f8fe02cf128e3 Mon Sep 17 00:00:00 2001 From: Radical Date: Sun, 4 May 2025 19:05:51 +0200 Subject: [PATCH] feat: switch to headers for auth --- src/api/v1/auth/mod.rs | 27 ++++++++++--------- src/api/v1/auth/refresh.rs | 54 +++++++++++--------------------------- src/api/v1/auth/revoke.rs | 51 +++++++++++++++-------------------- src/api/v1/users/me.rs | 37 ++++++++------------------ src/api/v1/users/mod.rs | 50 +++++++++++++++-------------------- src/api/v1/users/uuid.rs | 36 +++++++++---------------- 6 files changed, 96 insertions(+), 159 deletions(-) diff --git a/src/api/v1/auth/mod.rs b/src/api/v1/auth/mod.rs index ff74c6b..e9b29d1 100644 --- a/src/api/v1/auth/mod.rs +++ b/src/api/v1/auth/mod.rs @@ -34,33 +34,36 @@ pub fn web() -> Scope { } pub async fn check_access_token( - access_token: String, + access_token: &str, pool: &sqlx::Pool, ) -> Result { - let row = sqlx::query_as( - "SELECT CAST(uuid as VARCHAR), created FROM access_tokens WHERE token = $1", - ) - .bind(&access_token) - .fetch_one(pool) - .await; + let row = + sqlx::query_as("SELECT CAST(uuid as VARCHAR), created_at FROM access_tokens WHERE token = $1") + .bind(&access_token) + .fetch_one(pool) + .await; if let Err(error) = row { - if error.to_string() == "no rows returned by a query that expected to return at least one row" { - return Err(HttpResponse::Unauthorized().finish()) + if error.to_string() + == "no rows returned by a query that expected to return at least one row" + { + return Err(HttpResponse::Unauthorized().finish()); } error!("{}", error); - return Err(HttpResponse::InternalServerError().json(r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#)) + return Err(HttpResponse::InternalServerError().json( + r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#, + )); } - let (uuid, created): (String, i64) = row.unwrap(); + let (uuid, created_at): (String, i64) = row.unwrap(); let current_time = SystemTime::now() .duration_since(UNIX_EPOCH) .unwrap() .as_secs() as i64; - let lifetime = current_time - created; + let lifetime = current_time - created_at; if lifetime > 3600 { return Err(HttpResponse::Unauthorized().finish()); diff --git a/src/api/v1/auth/refresh.rs b/src/api/v1/auth/refresh.rs index 5ac2402..e17ecc7 100644 --- a/src/api/v1/auth/refresh.rs +++ b/src/api/v1/auth/refresh.rs @@ -1,7 +1,6 @@ -use actix_web::{Error, HttpResponse, error, post, web}; -use futures::StreamExt; +use actix_web::{post, web, Error, HttpRequest, HttpResponse}; use log::error; -use serde::{Deserialize, Serialize}; +use serde::Serialize; use std::time::{SystemTime, UNIX_EPOCH}; use crate::{ @@ -9,32 +8,21 @@ use crate::{ crypto::{generate_access_token, generate_refresh_token}, }; -#[derive(Deserialize)] -struct RefreshRequest { - refresh_token: String, -} - #[derive(Serialize)] struct Response { refresh_token: String, access_token: String, } -const MAX_SIZE: usize = 262_144; - #[post("/refresh")] -pub async fn res(mut payload: web::Payload, data: web::Data) -> Result { - let mut body = web::BytesMut::new(); - while let Some(chunk) = payload.next().await { - let chunk = chunk?; - // limit max size of in-memory payload - if (body.len() + chunk.len()) > MAX_SIZE { - return Err(error::ErrorBadRequest("overflow")); - } - body.extend_from_slice(&chunk); +pub async fn res(req: HttpRequest, data: web::Data) -> Result { + let refresh_token_cookie = req.cookie("refresh_token"); + + if let None = refresh_token_cookie { + return Ok(HttpResponse::Unauthorized().finish()) } - let refresh_request = serde_json::from_slice::(&body)?; + let mut refresh_token = String::from(refresh_token_cookie.unwrap().value()); let current_time = SystemTime::now() .duration_since(UNIX_EPOCH) @@ -42,26 +30,18 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result 2592000 { if let Err(error) = sqlx::query("DELETE FROM refresh_tokens WHERE token = $1") - .bind(&refresh_request.refresh_token) + .bind(&refresh_token) .execute(&data.pool) .await { @@ -76,8 +56,6 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result 1987200 { let new_refresh_token = generate_refresh_token(); @@ -88,7 +66,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result) -> Result) -> Result { +pub async fn res( + req: HttpRequest, + mut payload: web::Payload, + data: web::Data, +) -> Result { + let headers = req.headers(); + + let auth_header = get_auth_header(headers); + + if let Err(error) = auth_header { + return Ok(error); + } + let mut body = web::BytesMut::new(); while let Some(chunk) = payload.next().await { let chunk = chunk?; @@ -40,7 +51,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result(&body)?; - let authorized = check_access_token(revoke_request.access_token, &data.pool).await; + let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; if let Err(error) = authorized { return Ok(error); @@ -94,16 +105,9 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result = tokens_raw.unwrap(); - let mut access_tokens_delete = vec![]; let mut refresh_tokens_delete = vec![]; for token in tokens { - access_tokens_delete.push( - sqlx::query("DELETE FROM access_tokens WHERE refresh_token = $1") - .bind(token.clone()) - .execute(&data.pool), - ); - refresh_tokens_delete.push( sqlx::query("DELETE FROM refresh_tokens WHERE token = $1") .bind(token.clone()) @@ -111,29 +115,16 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result> = - results_access_tokens - .iter() - .filter(|r| r.is_err()) - .collect(); - let refresh_tokens_errors: Vec<&Result> = - results_refresh_tokens + let errors: Vec<&Result> = + results .iter() .filter(|r| r.is_err()) .collect(); - if !access_tokens_errors.is_empty() && !refresh_tokens_errors.is_empty() { - error!("{:?}", access_tokens_errors); - error!("{:?}", refresh_tokens_errors); - return Ok(HttpResponse::InternalServerError().finish()); - } else if !access_tokens_errors.is_empty() { - error!("{:?}", access_tokens_errors); - return Ok(HttpResponse::InternalServerError().finish()); - } else if !refresh_tokens_errors.is_empty() { - error!("{:?}", refresh_tokens_errors); + if !errors.is_empty() { + error!("{:?}", errors); return Ok(HttpResponse::InternalServerError().finish()); } diff --git a/src/api/v1/users/me.rs b/src/api/v1/users/me.rs index 18e6ba8..f641678 100644 --- a/src/api/v1/users/me.rs +++ b/src/api/v1/users/me.rs @@ -1,14 +1,8 @@ -use actix_web::{Error, HttpResponse, error, post, web}; -use futures::StreamExt; +use actix_web::{Error, HttpRequest, HttpResponse, get, web}; use log::error; -use serde::{Deserialize, Serialize}; +use serde::Serialize; -use crate::{Data, api::v1::auth::check_access_token}; - -#[derive(Deserialize)] -struct AuthenticationRequest { - access_token: String, -} +use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header}; #[derive(Serialize)] struct Response { @@ -17,26 +11,17 @@ struct Response { display_name: String, } -const MAX_SIZE: usize = 262_144; +#[get("/me")] +pub async fn res(req: HttpRequest, data: web::Data) -> Result { + let headers = req.headers(); -#[post("/me")] -pub async fn res( - mut payload: web::Payload, - data: web::Data, -) -> Result { - let mut body = web::BytesMut::new(); - while let Some(chunk) = payload.next().await { - let chunk = chunk?; - // limit max size of in-memory payload - if (body.len() + chunk.len()) > MAX_SIZE { - return Err(error::ErrorBadRequest("overflow")); - } - body.extend_from_slice(&chunk); + let auth_header = get_auth_header(headers); + + if let Err(error) = auth_header { + return Ok(error); } - let authentication_request = serde_json::from_slice::(&body)?; - - let authorized = check_access_token(authentication_request.access_token, &data.pool).await; + let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; if let Err(error) = authorized { return Ok(error); diff --git a/src/api/v1/users/mod.rs b/src/api/v1/users/mod.rs index 937d857..d7cb1c6 100644 --- a/src/api/v1/users/mod.rs +++ b/src/api/v1/users/mod.rs @@ -1,18 +1,16 @@ -use actix_web::{error, post, web, Error, HttpResponse, Scope}; -use futures::StreamExt; +use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header}; +use actix_web::{get, web, Error, HttpRequest, HttpResponse, Scope}; use log::error; use serde::{Deserialize, Serialize}; use sqlx::prelude::FromRow; -use crate::{Data, api::v1::auth::check_access_token}; mod me; mod uuid; #[derive(Deserialize)] -struct Request { - access_token: String, - start: i32, - amount: i32, +struct RequestQuery { + start: Option, + amount: Option, } #[derive(Serialize, FromRow)] @@ -23,8 +21,6 @@ struct Response { email: String, } -const MAX_SIZE: usize = 262_144; - pub fn web() -> Scope { web::scope("/users") .service(res) @@ -32,36 +28,33 @@ pub fn web() -> Scope { .service(uuid::res) } -#[post("")] +#[get("")] pub async fn res( - mut payload: web::Payload, + req: HttpRequest, + request_query: web::Query, data: web::Data, ) -> Result { - let mut body = web::BytesMut::new(); - while let Some(chunk) = payload.next().await { - let chunk = chunk?; - // limit max size of in-memory payload - if (body.len() + chunk.len()) > MAX_SIZE { - return Err(error::ErrorBadRequest("overflow")); - } - body.extend_from_slice(&chunk); + let headers = req.headers(); + + let auth_header = get_auth_header(headers); + + let start = request_query.start.unwrap_or(0); + + let amount = request_query.amount.unwrap_or(10); + + if amount > 100 { + return Ok(HttpResponse::BadRequest().finish()); } - let request = serde_json::from_slice::(&body)?; - - if request.amount > 100 { - return Ok(HttpResponse::BadRequest().finish()) - } - - let authorized = check_access_token(request.access_token, &data.pool).await; + let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; if let Err(error) = authorized { return Ok(error); } let row = sqlx::query_as("SELECT CAST(uuid AS VARCHAR), username, display_name, email FROM users ORDER BY username LIMIT $1 OFFSET $2") - .bind(request.amount) - .bind(request.start) + .bind(amount) + .bind(start) .fetch_all(&data.pool) .await; @@ -74,4 +67,3 @@ pub async fn res( Ok(HttpResponse::Ok().json(accounts)) } - diff --git a/src/api/v1/users/uuid.rs b/src/api/v1/users/uuid.rs index 41d87cc..f4c1f13 100644 --- a/src/api/v1/users/uuid.rs +++ b/src/api/v1/users/uuid.rs @@ -1,15 +1,9 @@ -use actix_web::{Error, HttpResponse, error, post, web}; -use futures::StreamExt; +use actix_web::{Error, HttpRequest, HttpResponse, get, web}; use log::error; -use serde::{Deserialize, Serialize}; +use serde::Serialize; use uuid::Uuid; -use crate::{Data, api::v1::auth::check_access_token}; - -#[derive(Deserialize)] -struct AuthenticationRequest { - access_token: String, -} +use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header}; #[derive(Serialize)] struct Response { @@ -18,29 +12,23 @@ struct Response { display_name: String, } -const MAX_SIZE: usize = 262_144; - -#[post("/{uuid}")] +#[get("/{uuid}")] pub async fn res( - mut payload: web::Payload, + req: HttpRequest, path: web::Path<(Uuid,)>, data: web::Data, ) -> Result { - let mut body = web::BytesMut::new(); - while let Some(chunk) = payload.next().await { - let chunk = chunk?; - // limit max size of in-memory payload - if (body.len() + chunk.len()) > MAX_SIZE { - return Err(error::ErrorBadRequest("overflow")); - } - body.extend_from_slice(&chunk); - } + let headers = req.headers(); let uuid = path.into_inner().0; - let authentication_request = serde_json::from_slice::(&body)?; + let auth_header = get_auth_header(headers); - let authorized = check_access_token(authentication_request.access_token, &data.pool).await; + if let Err(error) = auth_header { + return Ok(error); + } + + let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; if let Err(error) = authorized { return Ok(error);