bsherriff/siren
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updating ui

Browse Source
This commit is contained in:
Benjamin Sherriff
2024-01-30 20:09:51 -05:00
parent ca9270f3a7
commit 57286bb0e7
32 changed files with 420 additions and 425 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
service/src/auth/mod.rs
View File

@@ -1,7 +1,7 @@
mod model;
mod routes;
mod tokens;
mod session;
pub use model::*;
pub use tokens::*;
pub use session::*;
pub use routes::init_routes;

64
service/src/auth/model.rs
View File

@@ -1,14 +1,12 @@
use std::{future::{ready, Ready}, env};
use std::future::{ready, Ready};
use actix_web::{FromRequest, Error as ActixError, HttpRequest, dev::Payload, http};
use diesel::prelude::*;
use log::error;
use redis::Commands;
use serde::{Serialize, Deserialize};
use siren::ServiceError;
use crate::storage::{schema::users, connection};
use super::{hash, AccessToken};
use super::{hash, Session, SESSION_COOKIE_NAME};
#[derive(Debug, Serialize, Deserialize)]
pub struct RegisterUser {
@@ -58,7 +56,6 @@ impl QueryUser {
pub fn get_by_email(email: &str) -> Result<QueryUser, ServiceError> {
let mut conn = connection()?;
// Check if the user exists by email, case insensitive
let user = users::table
.filter(users::email.eq(email.to_lowercase()))
.first(&mut conn)?;
@@ -121,17 +118,17 @@ impl From<QueryUser> for ResponseUser {
}
#[derive(Debug, Serialize, Deserialize)]
pub struct JwtAuth {
pub struct Auth {
pub id: String,
pub user: ResponseUser
}
impl FromRequest for JwtAuth {
impl FromRequest for Auth {
type Error = ActixError;
type Future = Ready<Result<Self, Self::Error>>;
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
let access_token_string = match req
.cookie("access_token")
let session_id = match req
.cookie(SESSION_COOKIE_NAME)
.map(|c| c.value().to_string())
.or_else(|| {
req.headers().get(http::header::AUTHORIZATION)
@@ -143,54 +140,17 @@ impl FromRequest for JwtAuth {
message: "Unauthorized".to_string()
})))
};
let keys_dir = env::var("KEYS_DIR_PATH").expect("KEYS_DIR_PATH must be set");
let public_key = std::fs::read_to_string(format!("{}/public_key.pem", keys_dir)).expect("Failed to read access public key");
let access_token = match AccessToken::decode(&access_token_string, &public_key) {
Ok(token_details) => token_details,
Err(err) => {
error!("Failed to verify access token: {}", err);
return ready(Err(ActixError::from(ServiceError {
status: 401,
message: format!("Access token is invaid: {}", err)
})))
}
};
let mut conn = match crate::storage::redis_connection() {
Ok(conn) => conn,
Err(err) => {
error!("Failed to get redis connection: {}", err);
return ready(Err(ActixError::from(ServiceError {
status: 500,
message: format!("Failed to get redis connection: {}", err)
})))
}
};
let user_email = match conn.get::<_, String>(access_token.id.clone().to_string()) {
Ok(result) => serde_json::from_str::<AccessToken>(&result).unwrap().email,
Err(_) => {
return ready(Err(ActixError::from(ServiceError {
status: 401,
message: format!("Access token is invalid")
})))
}
};
match QueryUser::get_by_email(&user_email) {
Ok(user) => {
ready(Ok(JwtAuth { id: access_token.id, user: user.into() }))
}
Err(_) => return ready(Err(ActixError::from(ServiceError {
status: 401,
message: format!("User does not exist")
})))
let ip_address = req.peer_addr().unwrap().ip().to_string();
match Session::verify(&session_id, &ip_address) {
Ok(v) => return ready(Ok(Auth { id: v.0.id, user: v.1.into() })),
Err(err) => return ready(Err(ActixError::from(err)))
}
}
}
pub fn verify_role(auth: &JwtAuth, role: &str) -> Result<(), ServiceError> {
pub fn verify_role(auth: &Auth, role: &str) -> Result<(), ServiceError> {
if auth.user.role == role {
Ok(())
} else {

250
service/src/auth/routes.rs
View File

@@ -3,10 +3,9 @@ use std::env;
use actix_web::{get, post, web, HttpResponse, ResponseError, cookie::{Cookie, time::Duration}, HttpRequest};
use log::error;
use redis::AsyncCommands;
use serde::{Serialize, Deserialize};
use siren::ServiceError;
use crate::{auth::{InsertUser, JwtAuth, LoginRequest, QueryUser, RefreshToken, RegisterUser}, storage};
use crate::{auth::{InsertUser, Auth, LoginRequest, QueryUser, RegisterUser, Session, SESSION_COOKIE_NAME}, storage::{self}};
use super::verify_hash;
@@ -47,14 +46,7 @@ async fn login(request: HttpRequest, login_request: web::Json<LoginRequest>) ->
};
// Verify password
if verify_hash(&login_request.password, &query_user.hash) {
let mut refresh_token = RefreshToken::new(&email, &ip_address);
let access_token = match refresh_token.create_access_token() {
Ok(token) => token,
Err(err) => {
error!("Failed to generate access token: {}", err);
return ResponseError::error_response(&err)
}
};
let session = Session::new(&email, &ip_address);
let mut conn = match storage::redis_async_connection().await {
Ok(conn) => conn,
@@ -64,51 +56,33 @@ async fn login(request: HttpRequest, login_request: web::Json<LoginRequest>) ->
}
};
let access_token_max_age = env::var("ACCESS_TOKEN_MAXAGE")
.expect("ACCESS_TOKEN_MAXAGE must be set")
let session_ttl = env::var("SESSION_TTL")
.expect("SESSION_TTL must be set")
.parse::<i64>()
.expect("ACCESS_TOKEN_MAXAGE must be an integer");
.expect("SESSION_TTL must be an integer");
let refresh_token_max_age = env::var("REFRESH_TOKEN_MAXAGE")
.expect("REFRESH_TOKEN_MAXAGE must be set")
.parse::<i64>()
.expect("REFRESH_TOKEN_MAXAGE must be an integer");
let access_result: redis::RedisResult<()> = conn.set_ex(access_token.id.to_string(), &serde_json::to_string(&access_token).unwrap(), (access_token_max_age * 60) as usize).await;
if let Err(err) = access_result {
let session_result: redis::RedisResult<()> = conn.set_ex(session.id.to_string(), &serde_json::to_string(&session).unwrap(), (session_ttl * 60) as usize).await;
if let Err(err) = session_result {
error!("Failed to set access token in redis: {}", err);
return ResponseError::error_response(&ServiceError::from(err))
};
let refresh_result: redis::RedisResult<()> = conn.set_ex(refresh_token.id.to_string(), &serde_json::to_string(&refresh_token).unwrap(), (refresh_token_max_age * 60) as usize).await;
if let Err(err) = refresh_result {
error!("Failed to set refresh token in redis: {}", err);
return ResponseError::error_response(&ServiceError::from(err))
};
let access_cookie = Cookie::build("access_token", access_token.token.clone().unwrap())
let session_cookie = Cookie::build(SESSION_COOKIE_NAME, session.id.clone())
.path("/")
.max_age(Duration::new(access_token_max_age * 60, 0))
.max_age(Duration::new(session_ttl * 60, 0))
.http_only(true)
.secure(true)
.finish();
let refresh_cookie = Cookie::build("refresh_token", refresh_token.id.clone())
let user_id_cookie = Cookie::build("user_id", session.user_id.clone())
.path("/")
.max_age(Duration::new(refresh_token_max_age * 60, 0))
.http_only(true)
.secure(true)
.finish();
let logged_in_cookie = Cookie::build("logged_in", "true")
.path("/")
.max_age(Duration::new(access_token_max_age * 60, 0))
.max_age(Duration::new(session_ttl * 60, 0))
.http_only(false)
.finish();
HttpResponse::Ok()
.cookie(access_cookie)
.cookie(refresh_cookie)
.cookie(logged_in_cookie)
.json(JwtAuth { id: access_token.id, user: query_user.into() })
.cookie(session_cookie)
.cookie(user_id_cookie)
.json(Auth { id: session.id, user: query_user.into() })
} else {
return ResponseError::error_response(&ServiceError {
status: 401,
@@ -117,29 +91,9 @@ async fn login(request: HttpRequest, login_request: web::Json<LoginRequest>) ->
}
}
#[derive(Serialize, Deserialize)]
struct RefreshParams {
refresh_token_rotation: Option<bool>
}
#[get("/refresh")]
async fn refresh(req: HttpRequest) -> HttpResponse {
async fn refresh(req: HttpRequest, auth: Auth) -> HttpResponse {
let ip_address = req.peer_addr().unwrap().ip().to_string();
let params = match web::Query::<RefreshParams>::from_query(req.query_string()) {
Ok(params) => params,
Err(err) => return ResponseError::error_response(&ServiceError {
status: 422,
message: err.to_string()
})
};
let refresh_token_string = match req.cookie("refresh_token") {
Some(cookie) => cookie.value().to_string(),
None => return ResponseError::error_response(&ServiceError {
status: 401,
message: "Refresh token not found".to_string()
})
};
let mut conn = match storage::redis_async_connection().await {
Ok(conn) => conn,
@@ -149,129 +103,38 @@ async fn refresh(req: HttpRequest) -> HttpResponse {
}
};
let mut refresh_token: RefreshToken = match conn.get::<_, String>(refresh_token_string.clone()).await {
Ok(result) => match serde_json::from_str::<RefreshToken>(&result) {
Ok(result) => {
if verify_hash(&ip_address, &result.ip_address) {
result
} else {
return ResponseError::error_response(&ServiceError {
status: 401,
message: "Refresh token is invalid".to_string()
})
}
},
Err(err) => {
error!("Failed to deserialize refresh token: {}", err);
return ResponseError::error_response(&ServiceError::from(err))
}
},
Err(err) => {
error!("Failed to get refresh token from redis: {}", err);
return ResponseError::error_response(&ServiceError::from(err))
}
let session_ttl = env::var("SESSION_TTL")
.expect("SESSION_TTL must be set")
.parse::<i64>()
.expect("SESSION_TTL must be an integer");
// Delete old session
let _: redis::RedisResult<()> = conn.del(auth.id).await;
// Create new session
let session = Session::new(&auth.user.email, &ip_address);
let session_result: redis::RedisResult<()> = conn.set_ex(session.id.to_string(), &serde_json::to_string(&session).unwrap(), (session_ttl * 60) as usize).await;
if let Err(err) = session_result {
error!("Failed to set session id in redis: {}", err);
return ResponseError::error_response(&ServiceError::from(err))
};
let email = refresh_token.email.clone();
// Create cookies
let session_cookie = session.create_cookie();
let user_id_cookie = Cookie::build("user_id", session.user_id.clone())
.path("/")
.max_age(Duration::new(session_ttl * 60, 0))
.http_only(false)
.finish();
match QueryUser::get_by_email(&email) {
Ok(query_user) => {
// Revoke all old access tokens
for id in refresh_token.tokens {
let _: redis::RedisResult<()> = conn.del(id).await;
}
refresh_token.tokens = vec![];
// Create new access token
let access_token = match refresh_token.create_access_token() {
Ok(token) => token,
Err(err) => {
error!("Failed to generate access token: {}", err);
return ResponseError::error_response(&err)
}
};
let access_token_max_age = env::var("ACCESS_TOKEN_MAXAGE")
.expect("ACCESS_TOKEN_MAXAGE must be set")
.parse::<i64>()
.expect("ACCESS_TOKEN_MAXAGE must be an integer");
let access_result: redis::RedisResult<()> = conn.set_ex(access_token.id.to_string(), &serde_json::to_string(&access_token).unwrap(), (access_token_max_age * 60) as usize).await;
if let Err(err) = access_result {
error!("Failed to set access token in redis: {}", err);
return ResponseError::error_response(&ServiceError::from(err))
};
let access_cookie = Cookie::build("access_token", access_token.id.clone())
.path("/")
.max_age(Duration::new(access_token_max_age * 60, 0))
.http_only(true)
.secure(true)
.finish();
let logged_in_cookie = Cookie::build("logged_in", "true")
.path("/")
.max_age(Duration::new(access_token_max_age * 60, 0))
.http_only(false)
.finish();
// Refresh the refresh token if requested
let refresh_token_rotation = match params.refresh_token_rotation {
Some(refresh_token_rotation) => refresh_token_rotation,
None => false
};
if refresh_token_rotation {
// Delete the old refresh token from redis
let _: redis::RedisResult<()> = conn.del(refresh_token.id.to_string()).await;
let refresh_token = RefreshToken::new(&refresh_token.email, &ip_address);
let refresh_token_max_age = env::var("REFRESH_TOKEN_MAXAGE")
.expect("REFRESH_TOKEN_MAXAGE must be set")
.parse::<i64>()
.expect("REFRESH_TOKEN_MAXAGE must be an integer");
// Add the new refresh token to redis
let refresh_result: redis::RedisResult<()> = conn.set_ex(refresh_token.id.to_string(), &serde_json::to_string(&refresh_token).unwrap(), (refresh_token_max_age * 60) as usize).await;
if let Err(err) = refresh_result {
error!("Failed to set refresh token in redis: {}", err);
return ResponseError::error_response(&ServiceError {
status: 500,
message: format!("Failed to set refresh token in redis: {}", err)
})
};
let refresh_cookie = Cookie::build("refresh_token", refresh_token.id.clone())
.path("/")
.max_age(Duration::new(refresh_token_max_age * 60, 0))
.http_only(true)
.secure(true)
.finish();
HttpResponse::Ok()
.cookie(refresh_cookie)
.cookie(access_cookie)
.cookie(logged_in_cookie)
.json(JwtAuth { id: access_token.id, user: query_user.into() })
} else {
HttpResponse::Ok()
.cookie(access_cookie)
.cookie(logged_in_cookie)
.json(JwtAuth { id: access_token.id, user: query_user.into() })
}
},
Err(err) => return ResponseError::error_response(&err)
}
HttpResponse::Ok()
.cookie(session_cookie)
.cookie(user_id_cookie)
.json(Auth { id: session.id, user: auth.user })
}
#[post("/logout")]
async fn logout(req: HttpRequest, auth: JwtAuth) -> HttpResponse {
let refresh_token = match req.cookie("refresh_token") {
Some(cookie) => cookie.value().to_string(),
None => return ResponseError::error_response(&ServiceError {
status: 401,
message: "Refresh token not found".to_string()
})
};
async fn logout(auth: Auth) -> HttpResponse {
let mut conn = match storage::redis_async_connection().await {
Ok(conn) => conn,
Err(err) => {
@@ -280,45 +143,32 @@ async fn logout(req: HttpRequest, auth: JwtAuth) -> HttpResponse {
}
};
let access_result: redis::RedisResult<()> = conn.del(&[
refresh_token.to_string(),
auth.id.to_string()
]).await;
if let Err(err) = access_result {
error!("Failed to set access token in redis: {}", err);
return ResponseError::error_response(&ServiceError {
status: 500,
message: format!("Failed to set access token in redis: {}", err)
})
let session_result: redis::RedisResult<()> = conn.del(&auth.id.to_string()).await;
if let Err(err) = session_result {
error!("Failed to remove session id in redis: {}", err);
return ResponseError::error_response(&ServiceError::from(err))
};
let access_cookie = Cookie::build("access_token", "")
let session_cookie = Cookie::build(SESSION_COOKIE_NAME, "")
.path("/")
.max_age(Duration::new(-1, 0))
.secure(true)
.http_only(true)
.finish();
let refresh_cookie = Cookie::build("refresh_token", "")
.path("/")
.max_age(Duration::new(-1, 0))
.secure(true)
.http_only(true)
.finish();
let logged_in_cookie = Cookie::build("logged_in", "")
let user_id_cookie = Cookie::build("user_id", "")
.path("/")
.max_age(Duration::new(-1, 0))
.http_only(true)
.finish();
HttpResponse::Ok()
.cookie(access_cookie)
.cookie(refresh_cookie)
.cookie(logged_in_cookie)
.cookie(session_cookie)
.cookie(user_id_cookie)
.finish()
}
#[get("/me")]
async fn me(auth: JwtAuth) -> HttpResponse {
async fn me(auth: Auth) -> HttpResponse {
HttpResponse::Ok().json(auth)
}

102
service/src/auth/session.rs Normal file
View File

@@ -0,0 +1,102 @@
use std::env;
use actix_web::cookie::{time::Duration, Cookie};
use argon2::{password_hash::{rand_core::OsRng, SaltString}, Argon2, PasswordHash, PasswordHasher, PasswordVerifier};
use rand::prelude::*;
use rand_chacha::ChaCha20Rng;
use redis::Commands;
use serde::{Deserialize, Serialize};
use siren::ServiceError;
use super::QueryUser;
pub const SESSION_COOKIE_NAME: &str = "session";
#[derive(Debug, Serialize, Deserialize)]
pub struct Session {
pub id: String,
pub user_id: String,
pub ip_address: String,
pub expiration: i64,
}
impl Session {
pub fn new(user_id: &str, ip_address: &str) -> Self {
let ttl = env::var("SESSION_TTL")
.expect("SESSION_TTL must be set")
.parse::<i64>()
.expect("SESSION_TTL must be an integer");
let now = chrono::Utc::now();
Self {
id: csprng_128bit(),
user_id: user_id.to_string(),
ip_address: hash(&ip_address).unwrap(),
expiration: (now + chrono::Duration::minutes(ttl)).timestamp()
}
}
pub fn verify(session_id: &str, ip_address: &str) -> Result<(Self, QueryUser), ServiceError> {
let mut conn = crate::storage::redis_connection()?;
// Check if the session exists
let session = match conn.get::<_, String>(session_id) {
Ok(session) => session,
Err(_) => return Err(ServiceError::new(401, "Unauthorized".to_string()))
};
let session: Self = serde_json::from_str(&session)?;
// Check if the IP address matches
let session_ip_address = session.ip_address.clone();
let session_user_id = session.user_id.clone();
if verify_hash(ip_address, &session_ip_address) {
let email = session_user_id;
// Check if the user exists
let user = match crate::auth::model::QueryUser::get_by_email(&email) {
Ok(user) => user,
Err(_) => return Err(ServiceError::new(401, "Unauthorized".to_string()))
};
// Check if the session has expired
let now = chrono::Utc::now().timestamp();
if now < session.expiration {
return Ok((session, user))
}
}
Err(ServiceError::new(401, "Unauthorized".to_string()))
}
pub fn create_cookie(&self) -> Cookie {
let ttl = env::var("SESSION_TTL")
.expect("SESSION_TTL must be set")
.parse::<i64>()
.expect("SESSION_TTL must be an integer");
Cookie::build(SESSION_COOKIE_NAME, self.id.clone())
.path("/")
.max_age(Duration::new(ttl * 60, 0))
.secure(true)
.http_only(true)
.finish()
}
}
fn csprng_128bit() -> String {
// Generate a CSPRNG 128-bit (16 byte) ID using alphanumeric characters (a-z, A-Z, 0-9)
let rng = ChaCha20Rng::from_entropy();
rng.sample_iter(rand::distributions::Alphanumeric).take(16).map(char::from).collect()
}
pub fn hash(str: &str) -> Result<String, ServiceError> {
let salt = SaltString::generate(&mut OsRng);
let bytes = str.as_bytes();
let hash = Argon2::default().hash_password(bytes, &salt)?.to_string();
Ok(hash)
}
pub fn verify_hash(str: &str, hash: &str) -> bool {
let bytes = str.as_bytes();
let parsed_hash = match PasswordHash::new(hash) {
Ok(h) => h,
Err(_) => return false
};
match Argon2::default().verify_password(bytes, &parsed_hash) {
Ok(_) => true,
Err(_) => false
}
}

0
service/src/auth/tokens.rs → service/src/auth/token.rs
View File