Merge pull request 'wip/authorization-header' (#7) from wip/authorization-header into main

Reviewed-on: #7
Reviewed-by: SauceyRed <saucey@saucey.red>

Uses authorization headers instead of keeping access_token and refresh_token in body.

auth header is used for `access_token`

## Changes
Moved everything to /api

### POST -> GET /v1/users/me
Request: auth header

### POST -> GET /v1/users/{uuid}
Request: auth header

### POST -> GET /v1/users
Request: auth header and query params `start=int` and `amount=int`

### POST /v1/auth/register
Response: Remove `refresh_token` from body and instead set-cookie `refresh_token`

### POST /v1/auth/login
Response: Remove `refresh_token` from body and instead set-cookie `refresh_token`

### POST /v1/auth/refresh
Request: cookie `refresh_token`
Response: Remove `refresh_token` from body and instead set-cookie `refresh_token`

### POST /v1/auth/revoke
Request: auth header (password still in body)

src/api/mod.rs

@@ -1,2 +1,11 @@
-pub mod v1;
+use actix_web::Scope;
-pub mod versions;
+use actix_web::web;
+
+mod v1;
+mod versions;
+
+pub fn web() -> Scope {
+    web::scope("/api")
+        .service(v1::web())
+        .service(versions::res)
+}

src/api/v1/auth/login.rs

@@ -1,17 +1,17 @@
 use std::time::{SystemTime, UNIX_EPOCH};
 
-use actix_web::{Error, HttpResponse, error, post, web};
+use actix_web::{error, post, web, Error, HttpResponse};
 use argon2::{PasswordHash, PasswordVerifier};
 use futures::StreamExt;
 use log::error;
-use serde::{Deserialize, Serialize};
+use serde::Deserialize;
 
 use crate::{
-    Data,
+    api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX}, crypto::{generate_access_token, generate_refresh_token}, utils::refresh_token_cookie, Data
-    api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX},
-    crypto::{generate_access_token, generate_refresh_token},
 };
 
+use super::Response;
+
 #[derive(Deserialize)]
 struct LoginInformation {
     username: String,
@@ -19,12 +19,6 @@ struct LoginInformation {
     device_name: String,
 }
 
-#[derive(Serialize)]
-pub struct Response {
-    pub access_token: String,
-    pub refresh_token: String,
-}
-
 const MAX_SIZE: usize = 262_144;
 
 #[post("/login")]
@@ -160,7 +154,7 @@ async fn login(
         .as_secs() as i64;
 
     if let Err(error) = sqlx::query(&format!(
-        "INSERT INTO refresh_tokens (token, uuid, created, device_name) VALUES ($1, '{}', $2, $3 )",
+        "INSERT INTO refresh_tokens (token, uuid, created_at, device_name) VALUES ($1, '{}', $2, $3 )",
         uuid
     ))
     .bind(&refresh_token)
@@ -174,7 +168,7 @@ async fn login(
     }
 
     if let Err(error) = sqlx::query(&format!(
-        "INSERT INTO access_tokens (token, refresh_token, uuid, created) VALUES ($1, $2, '{}', $3 )",
+        "INSERT INTO access_tokens (token, refresh_token, uuid, created_at) VALUES ($1, $2, '{}', $3 )",
         uuid
     ))
     .bind(&access_token)
@@ -187,8 +181,7 @@ async fn login(
         return HttpResponse::InternalServerError().finish()
     }
 
-    HttpResponse::Ok().json(Response {
+    HttpResponse::Ok().cookie(refresh_token_cookie(refresh_token)).json(Response {
         access_token,
-        refresh_token,
     })
 }

src/api/v1/auth/mod.rs

@@ -7,6 +7,7 @@ use std::{
 use actix_web::{HttpResponse, Scope, web};
 use log::error;
 use regex::Regex;
+use serde::Serialize;
 use sqlx::Postgres;
 use uuid::Uuid;
 
@@ -15,6 +16,11 @@ mod refresh;
 mod register;
 mod revoke;
 
+#[derive(Serialize)]
+struct Response {
+    access_token: String,
+}
+
 static EMAIL_REGEX: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(r"[-A-Za-z0-9!#$%&'*+/=?^_`{|}~]+(?:\.[-A-Za-z0-9!#$%&'*+/=?^_`{|}~]+)*@(?:[A-Za-z0-9](?:[-A-Za-z0-9]*[A-Za-z0-9])?\.)+[A-Za-z0-9](?:[-A-Za-z0-9]*[A-Za-z0-9])?").unwrap()
 });
@@ -34,33 +40,36 @@ pub fn web() -> Scope {
 }
 
 pub async fn check_access_token(
-    access_token: String,
+    access_token: &str,
     pool: &sqlx::Pool<Postgres>,
 ) -> Result<Uuid, HttpResponse> {
-    let row = sqlx::query_as(
+    let row =
-        "SELECT CAST(uuid as VARCHAR), created FROM access_tokens WHERE token = $1",
+        sqlx::query_as("SELECT CAST(uuid as VARCHAR), created_at FROM access_tokens WHERE token = $1")
-    )
+            .bind(&access_token)
-    .bind(&access_token)
+            .fetch_one(pool)
-    .fetch_one(pool)
+            .await;
-    .await;
 
     if let Err(error) = row {
-        if error.to_string() == "no rows returned by a query that expected to return at least one row" {
+        if error.to_string()
-            return Err(HttpResponse::Unauthorized().finish())
+            == "no rows returned by a query that expected to return at least one row"
+        {
+            return Err(HttpResponse::Unauthorized().finish());
         }
 
         error!("{}", error);
-        return Err(HttpResponse::InternalServerError().json(r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#))
+        return Err(HttpResponse::InternalServerError().json(
+            r#"{ "error": "Unhandled exception occured, contact the server administrator" }"#,
+        ));
     }
 
-    let (uuid, created): (String, i64) = row.unwrap();
+    let (uuid, created_at): (String, i64) = row.unwrap();
 
     let current_time = SystemTime::now()
         .duration_since(UNIX_EPOCH)
         .unwrap()
         .as_secs() as i64;
 
-    let lifetime = current_time - created;
+    let lifetime = current_time - created_at;
 
     if lifetime > 3600 {
         return Err(HttpResponse::Unauthorized().finish());

src/api/v1/auth/refresh.rs

@@ -1,40 +1,22 @@
-use actix_web::{Error, HttpResponse, error, post, web};
+use actix_web::{post, web, Error, HttpRequest, HttpResponse};
-use futures::StreamExt;
 use log::error;
-use serde::{Deserialize, Serialize};
 use std::time::{SystemTime, UNIX_EPOCH};
 
 use crate::{
-    Data,
+    crypto::{generate_access_token, generate_refresh_token}, utils::refresh_token_cookie, Data
-    crypto::{generate_access_token, generate_refresh_token},
 };
 
-#[derive(Deserialize)]
+use super::Response;
-struct RefreshRequest {
-    refresh_token: String,
-}
-
-#[derive(Serialize)]
-struct Response {
-    refresh_token: String,
-    access_token: String,
-}
-
-const MAX_SIZE: usize = 262_144;
 
 #[post("/refresh")]
-pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<HttpResponse, Error> {
+pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse, Error> {
-    let mut body = web::BytesMut::new();
+    let recv_refresh_token_cookie = req.cookie("refresh_token");
-    while let Some(chunk) = payload.next().await {
+
-        let chunk = chunk?;
+    if let None = recv_refresh_token_cookie {
-        // limit max size of in-memory payload
+        return Ok(HttpResponse::Unauthorized().finish())
-        if (body.len() + chunk.len()) > MAX_SIZE {
-            return Err(error::ErrorBadRequest("overflow"));
-        }
-        body.extend_from_slice(&chunk);
     }
 
-    let refresh_request = serde_json::from_slice::<RefreshRequest>(&body)?;
+    let mut refresh_token = String::from(recv_refresh_token_cookie.unwrap().value());
 
     let current_time = SystemTime::now()
         .duration_since(UNIX_EPOCH)
@@ -42,33 +24,29 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
         .as_secs() as i64;
 
     if let Ok(row) =
-        sqlx::query_as("SELECT CAST(uuid as VARCHAR), created FROM refresh_tokens WHERE token = $1")
+        sqlx::query_scalar("SELECT created_at FROM refresh_tokens WHERE token = $1")
-            .bind(&refresh_request.refresh_token)
+            .bind(&refresh_token)
             .fetch_one(&data.pool)
             .await
     {
-        let (uuid, created): (String, i64) = row;
+        let created_at: i64 = row;
 
-        if let Err(error) = sqlx::query("DELETE FROM access_tokens WHERE refresh_token = $1")
+        let lifetime = current_time - created_at;
-            .bind(&refresh_request.refresh_token)
-            .execute(&data.pool)
-            .await
-        {
-            error!("{}", error);
-        }
-
-        let lifetime = current_time - created;
 
         if lifetime > 2592000 {
             if let Err(error) = sqlx::query("DELETE FROM refresh_tokens WHERE token = $1")
-                .bind(&refresh_request.refresh_token)
+                .bind(&refresh_token)
                 .execute(&data.pool)
                 .await
             {
                 error!("{}", error);
             }
 
-            return Ok(HttpResponse::Unauthorized().finish());
+            let mut refresh_token_cookie = refresh_token_cookie(refresh_token);
+
+            refresh_token_cookie.make_removal();
+
+            return Ok(HttpResponse::Unauthorized().cookie(refresh_token_cookie).finish());
         }
 
         let current_time = SystemTime::now()
@@ -76,8 +54,6 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
             .unwrap()
             .as_secs() as i64;
 
-        let mut refresh_token = refresh_request.refresh_token;
-
         if lifetime > 1987200 {
             let new_refresh_token = generate_refresh_token();
 
@@ -88,7 +64,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
 
             let new_refresh_token = new_refresh_token.unwrap();
 
-            match sqlx::query("UPDATE refresh_tokens SET token = $1, created = $2 WHERE token = $3")
+            match sqlx::query("UPDATE refresh_tokens SET token = $1, created_at = $2 WHERE token = $3")
                 .bind(&new_refresh_token)
                 .bind(current_time)
                 .bind(&refresh_token)
@@ -113,21 +89,24 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
 
         let access_token = access_token.unwrap();
 
-        if let Err(error) = sqlx::query(&format!("INSERT INTO access_tokens (token, refresh_token, uuid, created) VALUES ($1, $2, '{}', $3 )", uuid))
+        if let Err(error) = sqlx::query("UPDATE access_tokens SET token = $1, created_at = $2 WHERE refresh_token = $3")
             .bind(&access_token)
-            .bind(&refresh_token)
             .bind(current_time)
+            .bind(&refresh_token)
             .execute(&data.pool)
             .await {
             error!("{}", error);
             return Ok(HttpResponse::InternalServerError().finish())
         }
 
-        return Ok(HttpResponse::Ok().json(Response {
+        return Ok(HttpResponse::Ok().cookie(refresh_token_cookie(refresh_token)).json(Response {
-            refresh_token,
             access_token,
         }));
     }
 
-    Ok(HttpResponse::Unauthorized().finish())
+    let mut refresh_token_cookie = refresh_token_cookie(refresh_token);
+
+    refresh_token_cookie.make_removal();
+
+    Ok(HttpResponse::Unauthorized().cookie(refresh_token_cookie).finish())
 }

src/api/v1/auth/register.rs

@@ -10,11 +10,9 @@ use log::error;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
-use super::login::Response;
+use super::Response;
 use crate::{
-    Data,
+    api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX}, crypto::{generate_access_token, generate_refresh_token}, utils::refresh_token_cookie, Data
-    api::v1::auth::{EMAIL_REGEX, PASSWORD_REGEX, USERNAME_REGEX},
-    crypto::{generate_access_token, generate_refresh_token},
 };
 
 #[derive(Deserialize)]
@@ -139,7 +137,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
                         .unwrap()
                         .as_secs() as i64;
 
-                    if let Err(error) = sqlx::query(&format!("INSERT INTO refresh_tokens (token, uuid, created, device_name) VALUES ($1, '{}', $2, $3 )", uuid))
+                    if let Err(error) = sqlx::query(&format!("INSERT INTO refresh_tokens (token, uuid, created_at, device_name) VALUES ($1, '{}', $2, $3 )", uuid))
                         .bind(&refresh_token)
                         .bind(current_time)
                         .bind(account_information.device_name)
@@ -149,7 +147,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
                         return Ok(HttpResponse::InternalServerError().finish())
                     }
 
-                    if let Err(error) = sqlx::query(&format!("INSERT INTO access_tokens (token, refresh_token, uuid, created) VALUES ($1, $2, '{}', $3 )", uuid))
+                    if let Err(error) = sqlx::query(&format!("INSERT INTO access_tokens (token, refresh_token, uuid, created_at) VALUES ($1, $2, '{}', $3 )", uuid))
                         .bind(&access_token)
                         .bind(&refresh_token)
                         .bind(current_time)
@@ -159,9 +157,8 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
                         return Ok(HttpResponse::InternalServerError().finish())
                     }
 
-                    HttpResponse::Ok().json(Response {
+                    HttpResponse::Ok().cookie(refresh_token_cookie(refresh_token)).json(Response {
                         access_token,
-                        refresh_token,
                     })
                 }
                 Err(error) => {

src/api/v1/auth/revoke.rs

@@ -1,14 +1,13 @@
-use actix_web::{Error, HttpResponse, error, post, web};
+use actix_web::{Error, HttpRequest, HttpResponse, error, post, web};
 use argon2::{PasswordHash, PasswordVerifier};
 use futures::{StreamExt, future};
 use log::error;
 use serde::{Deserialize, Serialize};
 
-use crate::{Data, api::v1::auth::check_access_token};
+use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header};
 
 #[derive(Deserialize)]
 struct RevokeRequest {
-    access_token: String,
     password: String,
     device_name: String,
 }
@@ -27,7 +26,19 @@ impl Response {
 const MAX_SIZE: usize = 262_144;
 
 #[post("/revoke")]
-pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<HttpResponse, Error> {
+pub async fn res(
+    req: HttpRequest,
+    mut payload: web::Payload,
+    data: web::Data<Data>,
+) -> Result<HttpResponse, Error> {
+    let headers = req.headers();
+
+    let auth_header = get_auth_header(headers);
+
+    if let Err(error) = auth_header {
+        return Ok(error);
+    }
+
     let mut body = web::BytesMut::new();
     while let Some(chunk) = payload.next().await {
         let chunk = chunk?;
@@ -40,7 +51,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
 
     let revoke_request = serde_json::from_slice::<RevokeRequest>(&body)?;
 
-    let authorized = check_access_token(revoke_request.access_token, &data.pool).await;
+    let authorized = check_access_token(auth_header.unwrap(), &data.pool).await;
 
     if let Err(error) = authorized {
         return Ok(error);
@@ -94,16 +105,9 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
 
     let tokens: Vec<String> = tokens_raw.unwrap();
 
-    let mut access_tokens_delete = vec![];
     let mut refresh_tokens_delete = vec![];
 
     for token in tokens {
-        access_tokens_delete.push(
-            sqlx::query("DELETE FROM access_tokens WHERE refresh_token = $1")
-                .bind(token.clone())
-                .execute(&data.pool),
-        );
-
         refresh_tokens_delete.push(
             sqlx::query("DELETE FROM refresh_tokens WHERE token = $1")
                 .bind(token.clone())
@@ -111,29 +115,16 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
         );
     }
 
-    let results_access_tokens = future::join_all(access_tokens_delete).await;
+    let results = future::join_all(refresh_tokens_delete).await;
-    let results_refresh_tokens = future::join_all(refresh_tokens_delete).await;
 
-    let access_tokens_errors: Vec<&Result<sqlx::postgres::PgQueryResult, sqlx::Error>> =
+    let errors: Vec<&Result<sqlx::postgres::PgQueryResult, sqlx::Error>> =
-        results_access_tokens
+        results
-            .iter()
-            .filter(|r| r.is_err())
-            .collect();
-    let refresh_tokens_errors: Vec<&Result<sqlx::postgres::PgQueryResult, sqlx::Error>> =
-        results_refresh_tokens
             .iter()
             .filter(|r| r.is_err())
             .collect();
 
-    if !access_tokens_errors.is_empty() && !refresh_tokens_errors.is_empty() {
+    if !errors.is_empty() {
-        error!("{:?}", access_tokens_errors);
+        error!("{:?}", errors);
-        error!("{:?}", refresh_tokens_errors);
-        return Ok(HttpResponse::InternalServerError().finish());
-    } else if !access_tokens_errors.is_empty() {
-        error!("{:?}", access_tokens_errors);
-        return Ok(HttpResponse::InternalServerError().finish());
-    } else if !refresh_tokens_errors.is_empty() {
-        error!("{:?}", refresh_tokens_errors);
         return Ok(HttpResponse::InternalServerError().finish());
     }
 

src/api/v1/users/me.rs

@@ -1,14 +1,8 @@
-use actix_web::{Error, HttpResponse, error, post, web};
+use actix_web::{Error, HttpRequest, HttpResponse, get, web};
-use futures::StreamExt;
 use log::error;
-use serde::{Deserialize, Serialize};
+use serde::Serialize;
 
-use crate::{Data, api::v1::auth::check_access_token};
+use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header};
-
-#[derive(Deserialize)]
-struct AuthenticationRequest {
-    access_token: String,
-}
 
 #[derive(Serialize)]
 struct Response {
@@ -17,26 +11,17 @@ struct Response {
     display_name: String,
 }
 
-const MAX_SIZE: usize = 262_144;
+#[get("/me")]
+pub async fn res(req: HttpRequest, data: web::Data<Data>) -> Result<HttpResponse, Error> {
+    let headers = req.headers();
 
-#[post("/me")]
+    let auth_header = get_auth_header(headers);
-pub async fn res(
+
-    mut payload: web::Payload,
+    if let Err(error) = auth_header {
-    data: web::Data<Data>,
+        return Ok(error);
-) -> Result<HttpResponse, Error> {
-    let mut body = web::BytesMut::new();
-    while let Some(chunk) = payload.next().await {
-        let chunk = chunk?;
-        // limit max size of in-memory payload
-        if (body.len() + chunk.len()) > MAX_SIZE {
-            return Err(error::ErrorBadRequest("overflow"));
-        }
-        body.extend_from_slice(&chunk);
     }
 
-    let authentication_request = serde_json::from_slice::<AuthenticationRequest>(&body)?;
+    let authorized = check_access_token(auth_header.unwrap(), &data.pool).await;
-
-    let authorized = check_access_token(authentication_request.access_token, &data.pool).await;
 
     if let Err(error) = authorized {
         return Ok(error);

src/api/v1/users/mod.rs

@@ -1,18 +1,16 @@
-use actix_web::{error, post, web, Error, HttpResponse, Scope};
+use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header};
-use futures::StreamExt;
+use actix_web::{get, web, Error, HttpRequest, HttpResponse, Scope};
 use log::error;
 use serde::{Deserialize, Serialize};
 use sqlx::prelude::FromRow;
-use crate::{Data, api::v1::auth::check_access_token};
 
 mod me;
 mod uuid;
 
 #[derive(Deserialize)]
-struct Request {
+struct RequestQuery {
-    access_token: String,
+    start: Option<i32>,
-    start: i32,
+    amount: Option<i32>,
-    amount: i32,
 }
 
 #[derive(Serialize, FromRow)]
@@ -23,8 +21,6 @@ struct Response {
     email: String,
 }
 
-const MAX_SIZE: usize = 262_144;
-
 pub fn web() -> Scope {
     web::scope("/users")
         .service(res)
@@ -32,36 +28,33 @@ pub fn web() -> Scope {
         .service(uuid::res)
 }
 
-#[post("")]
+#[get("")]
 pub async fn res(
-    mut payload: web::Payload,
+    req: HttpRequest,
+    request_query: web::Query<RequestQuery>,
     data: web::Data<Data>,
 ) -> Result<HttpResponse, Error> {
-    let mut body = web::BytesMut::new();
+    let headers = req.headers();
-    while let Some(chunk) = payload.next().await {
+
-        let chunk = chunk?;
+    let auth_header = get_auth_header(headers);
-        // limit max size of in-memory payload
+
-        if (body.len() + chunk.len()) > MAX_SIZE {
+    let start = request_query.start.unwrap_or(0);
-            return Err(error::ErrorBadRequest("overflow"));
+
-        }
+    let amount = request_query.amount.unwrap_or(10);
-        body.extend_from_slice(&chunk);
+
+    if amount > 100 {
+        return Ok(HttpResponse::BadRequest().finish());
     }
 
-    let request = serde_json::from_slice::<Request>(&body)?;
+    let authorized = check_access_token(auth_header.unwrap(), &data.pool).await;
-
-    if request.amount > 100 {
-        return Ok(HttpResponse::BadRequest().finish())
-    }
-
-    let authorized = check_access_token(request.access_token, &data.pool).await;
 
     if let Err(error) = authorized {
         return Ok(error);
     }
 
     let row = sqlx::query_as("SELECT CAST(uuid AS VARCHAR), username, display_name, email FROM users ORDER BY username LIMIT $1 OFFSET $2")
-        .bind(request.amount)
+        .bind(amount)
-        .bind(request.start)
+        .bind(start)
         .fetch_all(&data.pool)
         .await;
 
@@ -74,4 +67,3 @@ pub async fn res(
 
     Ok(HttpResponse::Ok().json(accounts))
 }
-

src/api/v1/users/uuid.rs

@@ -1,15 +1,9 @@
-use actix_web::{Error, HttpResponse, error, post, web};
+use actix_web::{Error, HttpRequest, HttpResponse, get, web};
-use futures::StreamExt;
 use log::error;
-use serde::{Deserialize, Serialize};
+use serde::Serialize;
 use uuid::Uuid;
 
-use crate::{Data, api::v1::auth::check_access_token};
+use crate::{Data, api::v1::auth::check_access_token, utils::get_auth_header};
-
-#[derive(Deserialize)]
-struct AuthenticationRequest {
-    access_token: String,
-}
 
 #[derive(Serialize)]
 struct Response {
@@ -18,29 +12,23 @@ struct Response {
     display_name: String,
 }
 
-const MAX_SIZE: usize = 262_144;
+#[get("/{uuid}")]
-
-#[post("/{uuid}")]
 pub async fn res(
-    mut payload: web::Payload,
+    req: HttpRequest,
     path: web::Path<(Uuid,)>,
     data: web::Data<Data>,
 ) -> Result<HttpResponse, Error> {
-    let mut body = web::BytesMut::new();
+    let headers = req.headers();
-    while let Some(chunk) = payload.next().await {
-        let chunk = chunk?;
-        // limit max size of in-memory payload
-        if (body.len() + chunk.len()) > MAX_SIZE {
-            return Err(error::ErrorBadRequest("overflow"));
-        }
-        body.extend_from_slice(&chunk);
-    }
 
     let uuid = path.into_inner().0;
 
-    let authentication_request = serde_json::from_slice::<AuthenticationRequest>(&body)?;
+    let auth_header = get_auth_header(headers);
 
-    let authorized = check_access_token(authentication_request.access_token, &data.pool).await;
+    if let Err(error) = auth_header {
+        return Ok(error);
+    }
+
+    let authorized = check_access_token(auth_header.unwrap(), &data.pool).await;
 
     if let Err(error) = authorized {
         return Ok(error);

src/main.rs

@@ -8,6 +8,7 @@ mod config;
 use config::{Config, ConfigBuilder};
 mod api;
 pub mod crypto;
+pub mod utils;
 
 type Error = Box<dyn std::error::Error>;
 
@@ -63,14 +64,14 @@ async fn main() -> Result<(), Error> {
         CREATE TABLE IF NOT EXISTS refresh_tokens (
             token varchar(64) PRIMARY KEY UNIQUE NOT NULL,
             uuid uuid NOT NULL REFERENCES users(uuid),
-            created int8 NOT NULL,
+            created_at int8 NOT NULL,
             device_name varchar(16) NOT NULL
         );
         CREATE TABLE IF NOT EXISTS access_tokens (
             token varchar(32) PRIMARY KEY UNIQUE NOT NULL,
-            refresh_token varchar(64) UNIQUE NOT NULL REFERENCES refresh_tokens(token),
+            refresh_token varchar(64) UNIQUE NOT NULL REFERENCES refresh_tokens(token) ON UPDATE CASCADE ON DELETE CASCADE,
             uuid uuid NOT NULL REFERENCES users(uuid),
-            created int8 NOT NULL
+            created_at int8 NOT NULL
         )
     "#,
     )
@@ -88,8 +89,7 @@ async fn main() -> Result<(), Error> {
     HttpServer::new(move || {
         App::new()
             .app_data(web::Data::new(data.clone()))
-            .service(api::versions::res)
+            .service(api::web())
-            .service(api::v1::web())
     })
     .bind((web.url, web.port))?
     .run()

src/utils.rs

@@ -0,0 +1,33 @@
+use actix_web::{cookie::{time::Duration, Cookie, SameSite}, http::header::HeaderMap, HttpResponse};
+
+pub fn get_auth_header(headers: &HeaderMap) -> Result<&str, HttpResponse> {
+    let auth_token = headers.get(actix_web::http::header::AUTHORIZATION);
+
+    if let None = auth_token {
+        return Err(HttpResponse::Unauthorized().finish());
+    }
+
+    let auth = auth_token.unwrap().to_str();
+
+    if let Err(error) = auth {
+        return Err(HttpResponse::Unauthorized().json(format!(r#" {{ "error": "{}" }} "#, error)));
+    }
+
+    let auth_value = auth.unwrap().split_whitespace().nth(1);
+
+    if let None = auth_value {
+        return Err(HttpResponse::BadRequest().finish());
+    }
+
+    Ok(auth_value.unwrap())
+}
+
+pub fn refresh_token_cookie(refresh_token: String) -> Cookie<'static> {
+    Cookie::build("refresh_token", refresh_token)
+        .http_only(true)
+        .secure(true)
+        .same_site(SameSite::None)
+        .path("/api")
+        .max_age(Duration::days(30))
+        .finish()
+}