gorb/backend
4
0
Fork 0
Code Issues 4 Pull requests 1 Projects Releases Packages 1 Wiki Activity Actions
backend/src/api/v1/auth/login.rs
Radical 705abeb643 fix: fix password regex 
this should probably be moved to its own function so we can change it on the fly
2025-05-01 20:17:59 +02:00

122 lines
4.7 KiB
Rust
Raw Blame History

use std::time::{SystemTime, UNIX_EPOCH};
use actix_web::{error, post, web, Error, HttpResponse};
use argon2::{PasswordHash, PasswordVerifier};
use regex::Regex;
use serde::{Deserialize, Serialize};
use futures::StreamExt;
use crate::{crypto::{generate_access_token, generate_refresh_token}, Data};
#[derive(Deserialize)]
struct LoginInformation {
username: String,
password: String,
device_name: String,
}
#[derive(Serialize)]
pub struct Response {
pub access_token: String,
pub refresh_token: String,
}
const MAX_SIZE: usize = 262_144;
#[post("/login")]
pub async fn response(mut payload: web::Payload, data: web::Data<Data>) -> Result<HttpResponse, Error> {
let mut body = web::BytesMut::new();
while let Some(chunk) = payload.next().await {
let chunk = chunk?;
// limit max size of in-memory payload
if (body.len() + chunk.len()) > MAX_SIZE {
return Err(error::ErrorBadRequest("overflow"));
}
body.extend_from_slice(&chunk);
}
let login_information = serde_json::from_slice::<LoginInformation>(&body)?;
let email_regex = Regex::new(r"[-A-Za-z0-9!#$%&'*+/=?^_`{|}~]+(?:\.[-A-Za-z0-9!#$%&'*+/=?^_`{|}~]+)*@(?:[A-Za-z0-9](?:[-A-Za-z0-9]*[A-Za-z0-9])?\.)+[A-Za-z0-9](?:[-A-Za-z0-9]*[A-Za-z0-9])?").unwrap();
// FIXME: This regex doesnt seem to be working
let username_regex = Regex::new(r"[a-zA-Z0-9.-_]").unwrap();
// Password is expected to be hashed using SHA3-384
let password_regex = Regex::new(r"[0-9a-f]{96}").unwrap();
if !password_regex.is_match(&login_information.password) {
return Ok(HttpResponse::Forbidden().json(r#"{ "password_hashed": false }"#));
}
if email_regex.is_match(&login_information.username) {
if let Ok(row) = sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE email = $1").bind(login_information.username).fetch_one(&data.pool).await {
let (uuid, password): (String, String) = row;
return Ok(login(data.clone(), uuid, login_information.password, password).await)
}
return Ok(HttpResponse::Unauthorized().finish())
} else if username_regex.is_match(&login_information.username) {
if let Ok(row) = sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE username = $1").bind(login_information.username).fetch_one(&data.pool).await {
let (uuid, password): (String, String) = row;
return Ok(login(data.clone(), uuid, login_information.password, password).await)
}
return Ok(HttpResponse::Unauthorized().finish())
}
Ok(HttpResponse::Unauthorized().finish())
}
async fn login(data: actix_web::web::Data<Data>, uuid: String, request_password: String, database_password: String) -> HttpResponse {
if let Ok(parsed_hash) = PasswordHash::new(&database_password) {
if data.argon2.verify_password(request_password.as_bytes(), &parsed_hash).is_ok() {
let refresh_token = generate_refresh_token();
let access_token = generate_access_token();
if refresh_token.is_err() {
eprintln!("{}", refresh_token.unwrap_err());
return HttpResponse::InternalServerError().finish()
}
let refresh_token = refresh_token.unwrap();
if access_token.is_err() {
eprintln!("{}", access_token.unwrap_err());
return HttpResponse::InternalServerError().finish()
}
let access_token = access_token.unwrap();
let current_time = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() as i64;
if let Err(error) = sqlx::query(&format!("INSERT INTO refresh_tokens (token, uuid, created) VALUES ($1, '{}', $2 )", uuid))
.bind(&refresh_token)
.bind(current_time)
.execute(&data.pool)
.await {
eprintln!("{}", error);
return HttpResponse::InternalServerError().finish()
}
if let Err(error) = sqlx::query(&format!("INSERT INTO refresh_tokens (token, refresh_token, uuid, created) VALUES ($1, $2, '{}', $3 )", uuid))
.bind(&access_token)
.bind(&refresh_token)
.bind(current_time)
.execute(&data.pool)
.await {
eprintln!("{}", error);
return HttpResponse::InternalServerError().finish()
}
return HttpResponse::Ok().json(Response {
access_token,
refresh_token,
})
}
return HttpResponse::Unauthorized().finish()
}
HttpResponse::InternalServerError().finish()
}
Reference in a new issue View git blame Copy permalink