xeovalyte/wrbapp-next
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: xeovalyte:07493b83a5aa883b28463016688d3c3391f8e800
Branches Tags
xeovalyte:main
...
compare: xeovalyte:29bfa8c60e7d79c05380701d0a38ecefde67284f
Branches Tags
xeovalyte:main

2 Commits
07493b83a5 ... 29bfa8c60e

Author SHA1 Message Date
xeovalyte
29bfa8c60e
Added function to get all roles of members 2025-02-07 17:03:27 +01:00
xeovalyte
31aa9dc066
Revamed auth system 2025-02-07 15:59:50 +01:00
15 changed files with 127 additions and 128 deletions
Show Stats Expand all files Collapse all files

1
server/Cargo.lock generated
View File

@ -2203,6 +2203,7 @@ checksum = "744018581f9a3454a9e15beb8a33b017183f1e7c0cd170232a2d1453b23a51c4"
dependencies = [
"getrandom 0.2.15",
"rand 0.8.5",
"serde",
]
[[package]]

2
server/Cargo.toml
View File

@ -23,7 +23,7 @@ bitflags = { version = "2.8", features = [ "serde" ] }
tracing = "0.1"
tracing-subscriber = "0.3"
chrono = "0.4"
uuid = { version = "1.12", features = ["v4", "fast-rng"] }
uuid = { version = "1.12", features = ["v4", "fast-rng", "serde"] }
serde_json = "1.0.137"
rand = "0.9"
rand_chacha = "0.9"

4
server/migrations/001_create_members.sql
View File

@ -4,7 +4,7 @@ CREATE TABLE "members" (
full_name text NOT NULL,
registration_token text NOT NULL UNIQUE,
diploma text,
swim_groups bigint NOT NULL,
groups bigint NOT NULL
groups bigint NOT NULL,
roles bigint NOT NULL
);

91
server/src/auth.rs
View File

@ -1,75 +1,60 @@
use std::collections::HashSet;
use argon2::{
password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
Argon2, PasswordHash, PasswordVerifier,
};
use axum::{
extract::FromRequestParts,
http::{request::Parts, StatusCode},
RequestPartsExt,
};
use axum_extra::{
extract::cookie::{Cookie, CookieJar},
headers::{authorization::Bearer, Authorization},
typed_header::TypedHeaderRejectionReason,
TypedHeader,
};
use bearer::verify_bearer;
use axum::http::{header, HeaderMap};
use chrono::Utc;
pub use error::AuthError;
use rand::distr::Alphanumeric;
use rand::prelude::*;
use rand_chacha::ChaCha20Rng;
use sqlx::PgPool;
use tokio::task;
use crate::database::model::User;
use crate::{
database::model::{Session, UserMember},
model::{member::Roles, User},
};
mod bearer;
mod error;
mod scopes;
#[derive(Debug)]
pub struct Permissions<'a>(pub HashSet<&'a str>);
pub async fn get_user_from_header(
pool: &PgPool,
headers: &HeaderMap,
) -> Result<(Roles, User), AuthError> {
let bearer_value = headers.get(header::AUTHORIZATION);
let bearer_value = bearer_value
.ok_or_else(|| AuthError::InvalidToken)?
.to_str()
.map_err(|_| AuthError::InvalidToken)?;
// Middleware for getting permissions
impl<S> FromRequestParts<S> for Permissions<'_>
where
S: Send + Sync,
{
type Rejection = crate::Error;
let token = get_token_from_bearer(bearer_value)?;
async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
// First check if the request has a beaerer token to authenticate
match parts.extract::<TypedHeader<Authorization<Bearer>>>().await {
Ok(bearer) => {
verify_bearer(bearer.token().to_string()).map_err(|_| AuthError::InvalidToken)?;
let session = match Session::from_token(&pool, &token).await {
Ok(s) => s,
Err(_) => return Err(AuthError::InvalidToken),
};
let permissions = Permissions {
0: HashSet::from(["root"]),
};
if session.expires_at < Utc::now() {
return Err(AuthError::InvalidToken);
}
return Ok(permissions);
}
Err(err) => match err.reason() {
TypedHeaderRejectionReason::Missing => (),
TypedHeaderRejectionReason::Error(_err) => {
return Err(AuthError::InvalidToken.into())
}
_ => return Err(AuthError::Unexpected.into()),
},
};
let db_user = match crate::database::model::User::get(&pool, session.user_id).await {
Ok(u) => u,
Err(_) => return Err(AuthError::InvalidToken),
};
match parts.extract::<CookieJar>().await {
Ok(jar) => {
if let Some(session_token) = jar.get("session_token") {
// TODO: Implement function to retrieve user permissions
tracing::info!("{session_token:?}")
}
}
Err(_) => (),
}
let roles = UserMember::get_roles(&pool, &db_user.user_id)
.await
.unwrap_or(Roles::MEMBER);
Err(AuthError::Unauthorized.into())
Ok((roles, db_user.into()))
}
pub fn get_token_from_bearer(bearer: &str) -> Result<String, AuthError> {
match bearer.strip_prefix("Bearer ") {
Some(token) => Ok(token.to_string()),
None => return Err(AuthError::InvalidToken),
}
}

8
server/src/auth/bearer.rs
View File

@ -1,8 +0,0 @@
pub fn verify_bearer(token: String) -> Result<(), ()> {
let env_api_token = dotenvy::var("API_TOKEN").map_err(|_| ())?;
match env_api_token == token {
true => Ok(()),
false => Err(()),
}
}

19
server/src/auth/scopes.rs
View File

@ -1,19 +0,0 @@
use crate::bitflags_serde_impl;
use bitflags::bitflags;
use serde::Deserialize;
bitflags! {
#[derive(Clone, Copy, Debug)]
pub struct Scopes: u64 {
const USER_READ = 1 << 0;
const USER_WRITE = 1 << 1;
const USER_DELETE = 1 << 2;
const MEMBER_CREATE = 1 << 3;
const MEMBER_READ = 1 << 4;
const MEMBER_WRITE = 1 << 5;
const MEMBER_DELETE = 1 << 6;
}
}
bitflags_serde_impl!(Scopes, u64);

12
server/src/database/model/member.rs
View File

@ -2,7 +2,7 @@ use rand::distr::{Alphanumeric, SampleString};
use sqlx::{PgPool, Postgres, QueryBuilder};
use validator::Validate;
use crate::model::member::{Groups, SwimGroups};
use crate::model::member::{Groups, Roles};
#[derive(Debug, Validate, sqlx::FromRow)]
pub struct Member {
@ -12,8 +12,8 @@ pub struct Member {
pub full_name: String,
pub registration_token: Option<String>,
pub diploma: Option<String>,
pub swim_groups: SwimGroups,
pub groups: Groups,
pub roles: Roles,
}
impl Member {
@ -53,7 +53,7 @@ impl Member {
}
let mut query_builder = QueryBuilder::new(
"INSERT INTO members(member_id, first_name, full_name, registration_token, diploma, swim_groups, groups) "
"INSERT INTO members(member_id, first_name, full_name, registration_token, diploma, groups, roles) "
);
query_builder.push_values(members.into_iter(), |mut b, member| {
@ -64,8 +64,8 @@ impl Member {
b.push_bind(member.full_name);
b.push_bind(registration_token);
b.push_bind(member.diploma);
b.push_bind(member.swim_groups.bits() as i64);
b.push_bind(member.groups.bits() as i64);
b.push_bind(member.roles.bits() as i64);
});
let query = query_builder.build();
@ -86,14 +86,14 @@ impl Member {
sqlx::query!(
"
UPDATE ONLY members
SET first_name = $1, full_name = $2, diploma = $3, swim_groups = $4, groups = $5
SET first_name = $1, full_name = $2, diploma = $3, groups = $4, roles = $5
WHERE member_id = $6
",
member.first_name,
member.full_name,
member.diploma,
member.swim_groups.bits() as i64,
member.groups.bits() as i64,
member.roles.bits() as i64,
member.member_id
)
.execute(&mut **transaction)

1
server/src/database/model/session.rs
View File

@ -1,6 +1,7 @@
use chrono::{DateTime, Utc};
use sqlx::{PgPool, Postgres};
#[derive(Debug)]
pub struct Session {
pub session_id: uuid::Uuid,
pub user_id: uuid::Uuid,

26
server/src/database/model/user.rs
View File

@ -1,5 +1,7 @@
use sqlx::{PgPool, Postgres};
use crate::model::member::Roles;
#[derive(validator::Validate)]
pub struct User {
pub user_id: uuid::Uuid,
@ -44,6 +46,14 @@ impl User {
Ok(user)
}
pub async fn get(transaction: &PgPool, user_id: uuid::Uuid) -> Result<Self, sqlx::Error> {
let user = sqlx::query_as!(Self, "SELECT * FROM users WHERE user_id = $1", user_id)
.fetch_one(transaction)
.await?;
Ok(user)
}
}
#[derive(Debug)]
@ -73,4 +83,20 @@ impl UserMember {
Ok(())
}
pub async fn get_roles(pool: &PgPool, user_id: &uuid::Uuid) -> Result<Roles, sqlx::Error> {
let roles = sqlx::query_scalar!(
"
SELECT roles FROM users_members INNER JOIN members ON users_members.member_id = members.member_id AND users_members.user_id = $1;
",
user_id
).fetch_all(pool).await?;
let roles: Vec<Roles> = roles.into_iter().map(|r| r.into()).collect();
let roles = roles
.into_iter()
.fold(Roles::empty(), |acc, flag| acc | flag);
Ok(roles)
}
}

21
server/src/model/member.rs
View File

@ -13,21 +13,22 @@ pub struct Member {
pub name: Name,
pub registration_token: Option<String>,
pub diploma: Option<String>,
pub swim_groups: SwimGroups,
pub groups: Groups,
pub roles: Roles,
}
bitflags! {
#[derive(Clone, Copy, Debug, Serialize, Deserialize)]
pub struct Groups: u64 {
const NONE = 1 << 0;
pub struct Roles: u64 {
const MEMBER = 1 << 0;
const KADER = 1 << 1;
const ZWEMZAKEN = 1 << 2;
const WEDSTRIJDEN = 1 << 3;
const ADMIN = 1 << 4;
}
#[derive(Clone, Copy, Debug, Serialize, Deserialize)]
pub struct SwimGroups: u64 {
pub struct Groups: u64 {
const NONE = 1 << 0;
const A1 = 1 << 1;
@ -76,15 +77,15 @@ bitflags! {
}
}
impl From<i64> for SwimGroups {
impl From<i64> for Groups {
fn from(value: i64) -> Self {
Self::from_bits(value as u64).unwrap_or(SwimGroups::NONE)
Self::from_bits(value as u64).unwrap_or(Groups::empty())
}
}
impl From<i64> for Groups {
impl From<i64> for Roles {
fn from(value: i64) -> Self {
Self::from_bits(value as u64).unwrap_or(Groups::NONE)
Self::from_bits(value as u64).unwrap_or(Roles::MEMBER)
}
}
@ -99,8 +100,8 @@ impl From<DbMember> for Member {
},
registration_token: value.registration_token,
diploma: value.diploma,
swim_groups: value.swim_groups,
groups: value.groups,
roles: value.roles,
}
}
}
@ -113,8 +114,8 @@ impl From<Member> for DbMember {
full_name: value.name.full,
registration_token: None,
diploma: value.diploma,
swim_groups: value.swim_groups,
groups: value.groups,
roles: value.roles,
}
}
}

1
server/src/model/session.rs
View File

@ -2,6 +2,7 @@ use chrono::{DateTime, Duration, Utc};
use crate::auth::generate_session_token;
#[derive(Debug)]
pub struct Session {
pub session_id: uuid::Uuid,
pub user_id: uuid::Uuid,

14
server/src/model/user.rs
View File

@ -1,5 +1,19 @@
use serde::Serialize;
#[derive(Serialize)]
pub struct User {
pub id: uuid::Uuid,
pub email: String,
pub admin: bool,
}
use crate::database::model::User as DbUser;
impl From<DbUser> for User {
fn from(db_user: DbUser) -> Self {
Self {
id: db_user.user_id,
email: db_user.email,
admin: db_user.admin,
}
}
}

14
server/src/routes.rs
View File

@ -1,5 +1,5 @@
use crate::{auth::Permissions, AppState};
use axum::{extract::State, http::StatusCode, routing::get, Router};
use crate::{auth::get_user_from_header, model::User, AppState};
use axum::{extract::State, http::HeaderMap, routing::get, Json, Router};
pub mod auth;
pub mod member;
@ -14,10 +14,10 @@ pub fn routes() -> Router<AppState> {
}
async fn root(
State(_state): State<AppState>,
permissions: Permissions<'_>,
) -> Result<String, (StatusCode, String)> {
tracing::info!("{:?}", permissions);
State(state): State<AppState>,
headers: HeaderMap,
) -> Result<Json<User>, crate::Error> {
let (_roles, user) = get_user_from_header(&state.pool, &headers).await?;
Ok("Hello world".to_string())
Ok(Json(user))
}

3
server/src/routes/member.rs
View File

@ -1,6 +1,6 @@
use axum::{extract::State, routing::post, Router};
use crate::{auth::Permissions, AppState};
use crate::AppState;
pub mod migrate;
@ -12,7 +12,6 @@ pub fn routes() -> Router<AppState> {
pub async fn get_members<'a>(
State(state): State<AppState>,
permissions: Permissions<'a>,
body: String,
) -> Result<(), crate::Error> {
Ok(())

38
server/src/routes/member/migrate.rs
View File

@ -2,16 +2,17 @@ use std::collections::HashMap;
use axum::{
extract::{FromRef, State},
http::HeaderMap,
Json,
};
use itertools::Itertools;
use sqlx::PgPool;
use crate::{
auth::{AuthError, Permissions},
auth::{get_user_from_header, AuthError},
database::model::Member as DbMember,
model::{
member::{Groups, Name, SwimGroups},
member::{Groups, Name, Roles},
Member,
},
util::convert_vec,
@ -20,10 +21,12 @@ use crate::{
pub async fn migrate_request<'a>(
State(state): State<AppState>,
permissions: Permissions<'a>,
headers: HeaderMap,
body: String,
) -> Result<Json<MigrationResponse>, crate::Error> {
if !permissions.0.contains("root") {
let (roles, _user) = get_user_from_header(&state.pool, &headers).await?;
if !roles.contains(Roles::ADMIN) {
return Err(AuthError::NoPermssions.into());
}
@ -50,13 +53,8 @@ pub async fn migrate_request<'a>(
pub async fn migrate_confirm<'a>(
State(state): State<AppState>,
permissions: Permissions<'a>,
body: String,
) -> Result<(), crate::Error> {
if !permissions.0.contains("root") {
return Err(AuthError::NoPermssions.into());
}
tracing::info!("Migration is confirmed");
let count = match body.trim().parse::<u32>() {
@ -119,7 +117,7 @@ struct Row {
#[serde(rename = "E-mail")]
email: String,
#[serde(rename = "Verenigingssporten")]
swim_groups: String,
groups: String,
#[serde(rename = "Diploma dropdown 1")]
diploma: Option<String>,
}
@ -164,22 +162,22 @@ impl Row {
members
}
fn swim_groups_parsed(&self) -> SwimGroups {
let mut swim_groups: Vec<String> = Vec::new();
fn groups_parsed(&self) -> Groups {
let mut groups: Vec<String> = Vec::new();
let group_parts: Vec<&str> = self.swim_groups.split(", ").collect();
let group_parts: Vec<&str> = self.groups.split(", ").collect();
for group in group_parts {
let hour_parts: Vec<&str> = group.split(" - ").collect();
if let Some(group) = hour_parts.get(1) {
swim_groups.push(group.to_uppercase())
groups.push(group.to_uppercase())
}
}
let swim_groups_string = swim_groups.join("|");
let groups_string = groups.join("|");
bitflags::parser::from_str(&swim_groups_string).unwrap_or(SwimGroups::empty())
bitflags::parser::from_str(&groups_string).unwrap_or(Groups::empty())
}
}
@ -201,8 +199,8 @@ impl Into<Member> for Row {
name,
registration_token: None,
diploma: self.diploma.clone(),
swim_groups: self.swim_groups_parsed(),
groups: Groups::empty(),
groups: self.groups_parsed(),
roles: Roles::MEMBER,
}
}
}
@ -264,8 +262,8 @@ fn generate_diff(members_new: Vec<Member>, members_old: Vec<Member>) -> MembersD
name: new_member.name.clone(),
registration_token: old_member.registration_token,
diploma: new_member.diploma.clone(),
swim_groups: new_member.swim_groups.clone(),
groups: old_member.groups,
groups: new_member.groups,
roles: old_member.roles,
})
} else {
members_remove.push(old_member);