bsherriff/siren
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Working with httpauth, trying to use extractors

Browse Source
This commit is contained in:
Benjamin Sherriff
2023-10-18 10:24:43 -04:00
parent d3965efd28
commit d245e41978
9 changed files with 199 additions and 209 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
service/.env.TEMPLATE
View File

@@ -6,6 +6,8 @@ DATABASE_NAME=siren
DATABASE_HOST=localhost DATABASE_HOST=localhost
DATABASE_PORT=5432 DATABASE_PORT=5432
JWT_SECRET=
REDIS_HOST=localhost REDIS_HOST=localhost
REDIS_PORT=6379 REDIS_PORT=6379

2
service/Cargo.toml
View File

@@ -16,8 +16,6 @@ actix-web = "4.4.0"
actix-rt = "2.9.0" actix-rt = "2.9.0"
actix-cors = "0.6.4" actix-cors = "0.6.4"
actix-web-httpauth = "0.8.1" actix-web-httpauth = "0.8.1"
actix-identity = "0.6.0"
actix-session = { version = "0.8.0", features = ["redis-actor-session", "cookie-session"] }
chrono = { version = "0.4.31", features = ["serde"] } chrono = { version = "0.4.31", features = ["serde"] }
dotenv = "0.15.0" dotenv = "0.15.0"
serde_json = "1.0.107" serde_json = "1.0.107"

79
service/src/auth/mod.rs Normal file
View File

@@ -0,0 +1,79 @@
use std::env;
use actix_web::{dev::ServiceRequest, Error as ActixError};
use actix_web_httpauth::extractors::bearer::BearerAuth;
use argon2::{password_hash::{rand_core::OsRng, PasswordHasher, PasswordVerifier, SaltString, Error as HashError}, Argon2, PasswordHash};
use jsonwebtoken::{DecodingKey, EncodingKey, Header, encode, decode, Validation, Algorithm};
use serde::{Deserialize, Serialize};
use siren::ServiceError;
mod model;
mod routes;
pub use model::*;
pub use routes::init_routes;
#[derive(Debug, Serialize, Deserialize)]
struct Claims {
sub: String,
exp: usize,
}
// https://github.com/Sirneij/rust-auth/blob/main/backend/src/routes/users/login.rs
// https://dev.to/sirneij/authentication-system-using-rust-actix-web-and-sveltekit-user-registration-580h
// https://github.com/actix/actix-extras/blob/master/actix-session/examples/basic.rs
// maybe https://github.com/actix/actix-extras/blob/master/actix-identity/examples/identity.rs
// https://www.lpalmieri.com/posts/session-based-authentication-in-rust/#3-3-1-postgres
pub async fn validator(req: ServiceRequest, credentials: BearerAuth) -> Result<ServiceRequest, (ActixError, ServiceRequest)> {
let token = credentials.token();
match validate_token(token) {
Ok(_) => Ok(req),
Err(err) => {
Err((ActixError::from(actix_web::error::ErrorUnauthorized(err)), req))
}
}
}
fn validate_token(token: &str) -> Result<(), ServiceError> {
let jwt_secret = env::var("JWT_SECRET").expect("JWT_SECRET must be set");
match decode::<Claims>(token, &DecodingKey::from_secret(jwt_secret.as_ref()), &Validation::new(Algorithm::HS256)) {
Ok(token_data) => {
println!("{:?}", token_data.claims);
if token_data.claims.exp < chrono::Utc::now().timestamp() as usize {
return Err(ServiceError {
status: 401,
message: "Token expired".to_string()
});
}
Ok(())
},
Err(err) => {
Err(ServiceError {
status: 401,
message: err.to_string()
})
}
}
}
pub fn create_token(email: &str) -> String {
let jwt_secret = env::var("JWT_SECRET").expect("JWT_SECRET must be set");
let exp = chrono::Utc::now().checked_add_signed(chrono::Duration::seconds(3600)).expect("valid timestamp").timestamp();
let claims = Claims {
sub: email.to_owned(),
exp: exp as usize,
};
let token = encode(&Header::default(), &claims, &EncodingKey::from_secret(jwt_secret.as_ref())).unwrap();
token
}
pub fn hash_password(password: &[u8]) -> Result<String, HashError> {
let salt = SaltString::generate(&mut OsRng);
Ok(Argon2::default().hash_password(password, &salt)?.to_string())
}
pub fn verify_password(hash: &str, password: &[u8]) -> Result<(), HashError> {
let parsed_hash = PasswordHash::new(hash)?;
Ok(Argon2::default().verify_password(password, &parsed_hash)?)
}

81
service/src/auth/model.rs Normal file
View File

@@ -0,0 +1,81 @@
use diesel::prelude::*;
use serde::{Serialize, Deserialize};
use siren::ServiceError;
use crate::db::schema::users;
use super::hash_password;
#[derive(Debug, Serialize, Deserialize)]
pub struct RegisterUser {
pub email: String,
pub password: String,
pub first_name: String,
pub last_name: String,
}
impl RegisterUser {
pub fn convert_to_insert(self) -> Result<InsertUser, ServiceError> {
let hash = hash_password(self.password.as_bytes())?;
Ok(InsertUser {
email: self.email.to_lowercase(),
hash,
role: "user".to_string(),
first_name: self.first_name,
last_name: self.last_name,
})
}
}
#[derive(Debug, Serialize, Deserialize)]
pub struct LoginRequest {
pub email: String,
pub password: String,
}
#[derive(Debug, Serialize, Deserialize)]
pub struct LoginResponse {
pub token: String,
}
#[derive(Debug, Queryable, QueryableByName, Serialize, Deserialize)]
#[diesel(table_name = users)]
pub struct QueryUser {
pub email: String,
pub hash: String,
pub role: String,
pub first_name: String,
pub last_name: String,
}
impl QueryUser {
pub fn get_by_email(email: &str) -> Result<QueryUser, ServiceError> {
let mut conn = crate::db::connection()?;
// Check if the user exists by email, case insensitive
let user = users::table
.filter(users::email.eq(email.to_lowercase()))
.first(&mut conn)?;
Ok(user)
}
}
#[derive(Debug, Insertable, AsChangeset, Serialize, Deserialize)]
#[diesel(table_name = users)]
pub struct InsertUser {
pub email: String,
pub hash: String,
pub role: String,
pub first_name: String,
pub last_name: String,
}
impl InsertUser {
pub fn insert(user: Self) -> Result<QueryUser, ServiceError> {
let mut conn = crate::db::connection()?;
let user = diesel::insert_into(users::table)
.values(user)
.get_result(&mut conn)?;
Ok(user)
}
}

41
service/src/db/users/routes.rs → service/src/auth/routes.rs
View File

@@ -1,8 +1,10 @@
use actix_identity::Identity; use actix_web::{get, post, web, HttpResponse, ResponseError};
use actix_web::{get, post, web, HttpResponse, HttpRequest, ResponseError, HttpMessage}; use actix_web_httpauth::middleware::HttpAuthentication;
use siren::ServiceError; use siren::ServiceError;
use crate::db::users::{LoginAuth, RegisterUser, InsertUser, QueryUser, verify, LoggedUser}; use crate::auth::{LoginRequest, RegisterUser, InsertUser, QueryUser, verify_password, create_token, LoginResponse};
use super::validator;
#[post("/register")] #[post("/register")]
async fn register(user: web::Json<RegisterUser>) -> HttpResponse { async fn register(user: web::Json<RegisterUser>) -> HttpResponse {
@@ -27,25 +29,19 @@ async fn register(user: web::Json<RegisterUser>) -> HttpResponse {
} }
#[post("/login")] #[post("/login")]
async fn login(req: HttpRequest, auth: web::Json<LoginAuth>) -> HttpResponse { async fn login(request: web::Json<LoginRequest>) -> HttpResponse {
let email = auth.email.clone(); let email = request.email.clone();
let query_user = match QueryUser::get_by_email(&email) { let query_user = match QueryUser::get_by_email(&email) {
Ok(query_user) => query_user, Ok(query_user) => query_user,
Err(err) => return ResponseError::error_response(&err) Err(err) => return ResponseError::error_response(&err)
}; };
let hash = query_user.hash; let hash = query_user.hash;
let password = auth.password.as_bytes(); let password = request.password.as_bytes();
match verify(&hash, password) { match verify_password(&hash, password) {
Ok(_) => { Ok(_) => {
let user = LoggedUser { let token = create_token(&email);
email: email.clone() HttpResponse::Ok().json(LoginResponse { token })
};
let user_string = serde_json::to_string(&user).unwrap();
match Identity::login(&req.extensions(), user_string) {
Ok(_) => HttpResponse::Ok().finish(),
Err(err) => return ResponseError::error_response(&err)
}
}, },
Err(err) => ResponseError::error_response(&ServiceError { Err(err) => ResponseError::error_response(&ServiceError {
status: 401, status: 401,
@@ -55,20 +51,23 @@ async fn login(req: HttpRequest, auth: web::Json<LoginAuth>) -> HttpResponse {
} }
#[post("/logout")] #[post("/logout")]
async fn logout(identity: Identity) -> HttpResponse { async fn logout() -> HttpResponse {
identity.logout();
HttpResponse::Ok().finish() HttpResponse::Ok().finish()
} }
#[get("/ping")] #[get("/ping")]
async fn ping(user: LoggedUser) -> HttpResponse { async fn ping() -> HttpResponse {
HttpResponse::Ok().json(user) HttpResponse::Ok().finish()
} }
pub fn init_routes(config: &mut web::ServiceConfig) { pub fn init_routes(config: &mut web::ServiceConfig) {
config.service(web::scope("users") let auth = HttpAuthentication::bearer(validator);
config.service(web::scope("auth")
.service(register) .service(register)
.service(login) .service(login)
.service(web::scope("")
.wrap(auth)
.service(logout) .service(logout)
.service(ping)); .service(ping)
));
} }

1
service/src/db/mod.rs
View File

@@ -17,7 +17,6 @@ pub mod messages;
pub mod options; pub mod options;
pub mod races; pub mod races;
pub mod spells; pub mod spells;
pub mod users;
pub mod schema; pub mod schema;
type Pool = r2d2::Pool<ConnectionManager<PgConnection>>; type Pool = r2d2::Pool<ConnectionManager<PgConnection>>;

5
service/src/db/users/mod.rs
View File

@@ -1,5 +0,0 @@
mod model;
mod routes;
pub use model::*;
pub use routes::init_routes;

162
service/src/db/users/model.rs
View File

@@ -1,162 +0,0 @@
use std::{future::{ready, Ready, Future}, pin::Pin};
use actix_identity::Identity;
use actix_web::{FromRequest, Error as ActixError, HttpRequest, dev::Payload, error::{ErrorUnauthorized, ErrorInternalServerError}};
use argon2::{password_hash::{rand_core::OsRng, PasswordHasher, PasswordVerifier, SaltString, Error as HashError}, Argon2, PasswordHash};
use diesel::prelude::*;
use serde::{Serialize, Deserialize};
use siren::ServiceError;
use crate::db::schema::users;
#[derive(Debug, Serialize, Deserialize)]
pub struct RegisterUser {
pub email: String,
pub password: String,
pub first_name: String,
pub last_name: String,
}
impl RegisterUser {
pub fn convert_to_insert(self) -> Result<InsertUser, ServiceError> {
let hash = hash(self.password.as_bytes())?;
Ok(InsertUser {
email: self.email,
hash,
role: "user".to_string(),
first_name: self.first_name,
last_name: self.last_name,
})
}
}
#[derive(Debug, Serialize, Deserialize)]
pub struct LoginAuth {
pub email: String,
pub password: String,
}
#[derive(Debug, Serialize, Deserialize)]
pub struct LoggedUser {
pub email: String
}
impl FromRequest for LoggedUser {
type Error = ActixError;
// type Future = Ready<Result<LoggedUser, ActixError>>;
// type Future = std::pin::Pin<Box<dyn std::future::Future<Output = Result<LoggedUser, ActixError>>>>;
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
fn from_request(req: &HttpRequest, pl: &mut Payload) -> Self::Future {
// if let Ok(identity) = Identity::from_request(req, pl).into_inner() {
// if let Ok(user_json) = identity.id() {
// if let Ok(user) = serde_json::from_str(&user_json) {
// return ready(Ok(user));
// }
// }
// }
// std::future::ready(Err(
// ActixError::from(ServiceError {
// status: 401,
// message: "Unauthorized".to_string(),
// })
// ))
let identity = Identity::extract(req).into_inner();
Box::pin(async move {
process_req_auth_data(identity).await
})
}
}
async fn process_req_auth_data(identity: Result<Identity, ActixError>) -> Result<LoggedUser, ActixError> {
let id = identity
.map_err(|_| ErrorUnauthorized("You are not logged in; 1"))?
.id()
.map_err(|_| ErrorUnauthorized("You are not logged in; 3"))?;
let logged_user = match serde_json::from_str::<LoggedUser>(&id) {
Ok(user) => user,
Err(err) => return Err(ErrorInternalServerError(err))
};
let user = QueryUser::get_by_email(&logged_user.email)
.map_err(|_| ErrorUnauthorized("You are not logged in; 3"))?;
Ok(LoggedUser { email: user.email })
}
#[derive(Debug, Queryable, QueryableByName, Serialize, Deserialize)]
#[diesel(table_name = users)]
pub struct QueryUser {
pub email: String,
pub hash: String,
pub role: String,
pub first_name: String,
pub last_name: String,
}
impl QueryUser {
pub fn get_by_email(email: &str) -> Result<QueryUser, ServiceError> {
let mut conn = crate::db::connection()?;
let user = users::table
.filter(users::email.eq(email))
.first(&mut conn)?;
Ok(user)
}
}
#[derive(Debug, Insertable, AsChangeset, Serialize, Deserialize)]
#[diesel(table_name = users)]
pub struct InsertUser {
pub email: String,
pub hash: String,
pub role: String,
pub first_name: String,
pub last_name: String,
}
impl InsertUser {
pub fn insert(user: Self) -> Result<QueryUser, ServiceError> {
let mut conn = crate::db::connection()?;
let user = diesel::insert_into(users::table)
.values(user)
.get_result(&mut conn)?;
Ok(user)
}
}
// https://github.com/Sirneij/rust-auth/blob/main/backend/src/routes/users/login.rs
// https://dev.to/sirneij/authentication-system-using-rust-actix-web-and-sveltekit-user-registration-580h
// https://github.com/actix/actix-extras/blob/master/actix-session/examples/basic.rs
// maybe https://github.com/actix/actix-extras/blob/master/actix-identity/examples/identity.rs
// https://www.lpalmieri.com/posts/session-based-authentication-in-rust/#3-3-1-postgres
// pub async fn validator(req: ServiceRequest, credentials: BearerAuth) -> Result<ServiceRequest, (ActixError, ServiceRequest)> {
// let token = credentials.token();
// println!("{:?}", req);
// match validate_token(token) {
// Ok(res) => {
// if res {
// Ok(req)
// } else {
// Err((ActixError::from(actix_web::error::ErrorUnauthorized("Invalid token")), req))
// }
// },
// Err(err) => {
// Err((ActixError::from(actix_web::error::ErrorUnauthorized(err)), req))
// }
// }
// }
// fn validate_token(token: &str) -> Result<bool, ServiceError> {
// println!("Validating token: {}", token);
// Ok(true)
// }
pub fn hash(password: &[u8]) -> Result<String, HashError> {
let salt = SaltString::generate(&mut OsRng);
Ok(Argon2::default().hash_password(password, &salt)?.to_string())
}
pub fn verify(hash: &str, password: &[u8]) -> Result<(), HashError> {
let parsed_hash = PasswordHash::new(hash)?;
Ok(Argon2::default().verify_password(password, &parsed_hash)?)
}

33
service/src/main.rs
View File

@@ -5,8 +5,6 @@ extern crate diesel_migrations;
use std::env; use std::env;
use std::collections::HashSet; use std::collections::HashSet;
use std::sync::Arc; use std::sync::Arc;
use actix_identity::IdentityMiddleware;
use actix_session::{SessionMiddleware, storage::{RedisActorSessionStore, CookieSessionStore}, config::BrowserSession};
use log::{error, warn, info}; use log::{error, warn, info};
use serenity::client::Cache; use serenity::client::Cache;
use serenity::framework::StandardFramework; use serenity::framework::StandardFramework;
@@ -20,6 +18,7 @@ use crate::bot::{commands::oai::GPTModel, handler::Handler};
use dotenv::dotenv; use dotenv::dotenv;
mod auth;
mod dnd; mod dnd;
mod bot; mod bot;
mod db; mod db;
@@ -113,21 +112,21 @@ async fn main() -> std::io::Result<()> {
let port = env::var("SERVICE_PORT").unwrap_or("5000".to_string()); let port = env::var("SERVICE_PORT").unwrap_or("5000".to_string());
let server = match HttpServer::new(move || { let server = match HttpServer::new(move || {
let private_key = actix_web::cookie::Key::generate(); // let private_key = actix_web::cookie::Key::generate();
// let redis_host = env::var("REDIS_HOST").unwrap_or("localhost".to_string()); // let redis_host = env::var("REDIS_HOST").unwrap_or("localhost".to_string());
// let redis_port = env::var("REDIS_PORT").unwrap_or("6379".to_string()); // let redis_port = env::var("REDIS_PORT").unwrap_or("6379".to_string());
let session = SessionMiddleware::builder( // let session = SessionMiddleware::builder(
// RedisActorSessionStore::new(format!("{}:{}", redis_host, redis_port)), // RedisActorSessionStore::new(format!("{}:{}", redis_host, redis_port)),
CookieSessionStore::default(), // CookieSessionStore::default(),
private_key // private_key
) // )
.session_lifecycle(BrowserSession::default()) // .session_lifecycle(BrowserSession::default())
.cookie_name("auth".to_owned()) // .cookie_name("auth".to_owned())
.cookie_secure(false) // .cookie_secure(false)
.cookie_http_only(false) // .cookie_http_only(false)
.cookie_domain(Some("localhost".to_owned())) // .cookie_domain(Some("localhost".to_owned()))
.cookie_path("/".to_owned()) // .cookie_path("/".to_owned())
.build(); // .build();
let cors = Cors::default() let cors = Cors::default()
.allow_any_origin() .allow_any_origin()
.allow_any_method() .allow_any_method()
@@ -135,13 +134,13 @@ async fn main() -> std::io::Result<()> {
.supports_credentials() .supports_credentials()
.max_age(3600); .max_age(3600);
App::new() App::new()
.wrap(IdentityMiddleware::default()) // .wrap(IdentityMiddleware::default())
.wrap(session) // .wrap(session)
.wrap(cors) .wrap(cors)
.app_data(web::Data::new(Arc::clone(&app_data))) .app_data(web::Data::new(Arc::clone(&app_data)))
.configure(crate::db::messages::init_routes) .configure(crate::db::messages::init_routes)
.configure(crate::db::spells::init_routes) .configure(crate::db::spells::init_routes)
.configure(crate::db::users::init_routes) .configure(crate::auth::init_routes)
.configure(crate::bot::api::init_routes) .configure(crate::bot::api::init_routes)
}) })
.bind(format!("{}:{}", host, port)) { .bind(format!("{}:{}", host, port)) {