radical/backend-ci-testing
1
0
Fork 0
forked from gorb/backend
Code Pull requests Activity

refactor(auth): use builtin actix Json deserialization

Browse source
This commit is contained in:
Radical 2025-05-19 15:04:41 +02:00
parent de41cc6c50
commit efae619cda
3 changed files with 18 additions and 61 deletions
Download patch file Download diff file Expand all files Collapse all files

31
src/api/v1/auth/login.rs
View file

@ -1,8 +1,7 @@
use std::time::{SystemTime, UNIX_EPOCH}; use std::time::{SystemTime, UNIX_EPOCH};
use actix_web::{error, post, web, Error, HttpResponse}; use actix_web::{post, web, Error, HttpResponse};
use argon2::{PasswordHash, PasswordVerifier}; use argon2::{PasswordHash, PasswordVerifier};
use futures::StreamExt;
use log::error; use log::error;
use serde::Deserialize; use serde::Deserialize;
@ -19,25 +18,11 @@ struct LoginInformation {
device_name: String, device_name: String,
} }
const MAX_SIZE: usize = 262_144;
#[post("/login")] #[post("/login")]
pub async fn response( pub async fn response(
mut payload: web::Payload, login_information: web::Json<LoginInformation>,
data: web::Data<Data>, data: web::Data<Data>,
) -> Result<HttpResponse, Error> { ) -> Result<HttpResponse, Error> {
let mut body = web::BytesMut::new();
while let Some(chunk) = payload.next().await {
let chunk = chunk?;
// limit max size of in-memory payload
if (body.len() + chunk.len()) > MAX_SIZE {
return Err(error::ErrorBadRequest("overflow"));
}
body.extend_from_slice(&chunk);
}
let login_information = serde_json::from_slice::<LoginInformation>(&body)?;
if !PASSWORD_REGEX.is_match(&login_information.password) { if !PASSWORD_REGEX.is_match(&login_information.password) {
return Ok(HttpResponse::Forbidden().json(r#"{ "password_hashed": false }"#)); return Ok(HttpResponse::Forbidden().json(r#"{ "password_hashed": false }"#));
} }
@ -45,7 +30,7 @@ pub async fn response(
if EMAIL_REGEX.is_match(&login_information.username) { if EMAIL_REGEX.is_match(&login_information.username) {
let row = let row =
sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE email = $1") sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE email = $1")
.bind(login_information.username) .bind(&login_information.username)
.fetch_one(&data.pool) .fetch_one(&data.pool)
.await; .await;
@ -67,15 +52,15 @@ pub async fn response(
return Ok(login( return Ok(login(
data.clone(), data.clone(),
uuid, uuid,
login_information.password, login_information.password.clone(),
password, password,
login_information.device_name, login_information.device_name.clone(),
) )
.await); .await);
} else if USERNAME_REGEX.is_match(&login_information.username) { } else if USERNAME_REGEX.is_match(&login_information.username) {
let row = let row =
sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE username = $1") sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE username = $1")
.bind(login_information.username) .bind(&login_information.username)
.fetch_one(&data.pool) .fetch_one(&data.pool)
.await; .await;
@ -97,9 +82,9 @@ pub async fn response(
return Ok(login( return Ok(login(
data.clone(), data.clone(),
uuid, uuid,
login_information.password, login_information.password.clone(),
password, password,
login_information.device_name, login_information.device_name.clone(),
) )
.await); .await);
} }

25
src/api/v1/auth/register.rs
View file

@ -1,11 +1,10 @@
use std::time::{SystemTime, UNIX_EPOCH}; use std::time::{SystemTime, UNIX_EPOCH};
use actix_web::{Error, HttpResponse, error, post, web}; use actix_web::{Error, HttpResponse, post, web};
use argon2::{ use argon2::{
PasswordHasher, PasswordHasher,
password_hash::{SaltString, rand_core::OsRng}, password_hash::{SaltString, rand_core::OsRng},
}; };
use futures::StreamExt;
use log::error; use log::error;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use uuid::Uuid; use uuid::Uuid;
@ -54,21 +53,8 @@ impl Default for ResponseError {
} }
} }
const MAX_SIZE: usize = 262_144;
#[post("/register")] #[post("/register")]
pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<HttpResponse, Error> { pub async fn res(account_information: web::Json<AccountInformation>, data: web::Data<Data>) -> Result<HttpResponse, Error> {
let mut body = web::BytesMut::new();
while let Some(chunk) = payload.next().await {
let chunk = chunk?;
// limit max size of in-memory payload
if (body.len() + chunk.len()) > MAX_SIZE {
return Err(error::ErrorBadRequest("overflow"));
}
body.extend_from_slice(&chunk);
}
let account_information = serde_json::from_slice::<AccountInformation>(&body)?;
let uuid = Uuid::now_v7(); let uuid = Uuid::now_v7();
if !EMAIL_REGEX.is_match(&account_information.email) { if !EMAIL_REGEX.is_match(&account_information.email) {
@ -107,10 +93,9 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
"INSERT INTO users (uuid, username, password, email) VALUES ( '{}', $1, $2, $3 )", "INSERT INTO users (uuid, username, password, email) VALUES ( '{}', $1, $2, $3 )",
uuid uuid
)) ))
.bind(account_information.identifier) .bind(&account_information.identifier)
// FIXME: Password has no security currently, either from a client or server perspective
.bind(hashed_password.to_string()) .bind(hashed_password.to_string())
.bind(account_information.email) .bind(&account_information.email)
.execute(&data.pool) .execute(&data.pool)
.await .await
{ {
@ -140,7 +125,7 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
if let Err(error) = sqlx::query(&format!("INSERT INTO refresh_tokens (token, uuid, created_at, device_name) VALUES ($1, '{}', $2, $3 )", uuid)) if let Err(error) = sqlx::query(&format!("INSERT INTO refresh_tokens (token, uuid, created_at, device_name) VALUES ($1, '{}', $2, $3 )", uuid))
.bind(&refresh_token) .bind(&refresh_token)
.bind(current_time) .bind(current_time)
.bind(account_information.device_name) .bind(&account_information.device_name)
.execute(&data.pool) .execute(&data.pool)
.await { .await {
error!("{}", error); error!("{}", error);

23
src/api/v1/auth/revoke.rs
View file

@ -1,6 +1,6 @@
use actix_web::{Error, HttpRequest, HttpResponse, error, post, web}; use actix_web::{Error, HttpRequest, HttpResponse, post, web};
use argon2::{PasswordHash, PasswordVerifier}; use argon2::{PasswordHash, PasswordVerifier};
use futures::{StreamExt, future}; use futures::{future};
use log::error; use log::error;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
@ -23,12 +23,11 @@ impl Response {
} }
} }
const MAX_SIZE: usize = 262_144; // TODO: Should maybe be a delete request?
#[post("/revoke")] #[post("/revoke")]
pub async fn res( pub async fn res(
req: HttpRequest, req: HttpRequest,
mut payload: web::Payload, revoke_request: web::Json<RevokeRequest>,
data: web::Data<Data>, data: web::Data<Data>,
) -> Result<HttpResponse, Error> { ) -> Result<HttpResponse, Error> {
let headers = req.headers(); let headers = req.headers();
@ -39,18 +38,6 @@ pub async fn res(
return Ok(error); return Ok(error);
} }
let mut body = web::BytesMut::new();
while let Some(chunk) = payload.next().await {
let chunk = chunk?;
// limit max size of in-memory payload
if (body.len() + chunk.len()) > MAX_SIZE {
return Err(error::ErrorBadRequest("overflow"));
}
body.extend_from_slice(&chunk);
}
let revoke_request = serde_json::from_slice::<RevokeRequest>(&body)?;
let authorized = check_access_token(auth_header.unwrap(), &data.pool).await; let authorized = check_access_token(auth_header.unwrap(), &data.pool).await;
if let Err(error) = authorized { if let Err(error) = authorized {
@ -94,7 +81,7 @@ pub async fn res(
"SELECT token FROM refresh_tokens WHERE uuid = '{}' AND device_name = $1", "SELECT token FROM refresh_tokens WHERE uuid = '{}' AND device_name = $1",
uuid uuid
)) ))
.bind(revoke_request.device_name) .bind(&revoke_request.device_name)
.fetch_all(&data.pool) .fetch_all(&data.pool)
.await; .await;