atuin/src/remote/auth.rs

use self::diesel::prelude::*;
use rocket::http::Status;
use rocket::request::{self, FromRequest, Outcome, Request};
use rocket_contrib::databases::diesel;
use sodiumoxide::crypto::pwhash::argon2id13;

use rocket_contrib::json::Json;
use uuid::Uuid;

use super::models::{NewSession, NewUser, Session, User};
use super::views::ApiResponse;
use crate::schema::{sessions, users};

use super::database::AtuinDbConn;

#[derive(Debug)]
pub enum KeyError {
    Missing,
    Invalid,
}

pub fn hash_str(secret: &str) -> String {
    sodiumoxide::init().unwrap();
    let hash = argon2id13::pwhash(
        secret.as_bytes(),
        argon2id13::OPSLIMIT_INTERACTIVE,
        argon2id13::MEMLIMIT_INTERACTIVE,
    )
    .unwrap();
    let texthash = std::str::from_utf8(&hash.0).unwrap().to_string();

    // postgres hates null chars. don't do that to postgres
    texthash.trim_end_matches('\u{0}').to_string()
}

pub fn verify_str(secret: &str, verify: &str) -> bool {
    sodiumoxide::init().unwrap();

    let mut padded = [0_u8; 128];
    secret.as_bytes().iter().enumerate().for_each(|(i, val)| {
        padded[i] = *val;
    });

    match argon2id13::HashedPassword::from_slice(&padded) {
        Some(hp) => argon2id13::pwhash_verify(&hp, verify.as_bytes()),
        None => false,
    }
}

impl<'a, 'r> FromRequest<'a, 'r> for User {
    type Error = KeyError;

    fn from_request(request: &'a Request<'r>) -> request::Outcome<User, Self::Error> {
        let session: Vec<_> = request.headers().get("authorization").collect();

        if session.is_empty() {
            return Outcome::Failure((Status::BadRequest, KeyError::Missing));
        } else if session.len() > 1 {
            return Outcome::Failure((Status::BadRequest, KeyError::Invalid));
        }

        let session: Vec<_> = session[0].split(' ').collect();

        if session.len() != 2 {
            return Outcome::Failure((Status::BadRequest, KeyError::Invalid));
        }

        if session[0] != "Token" {
            return Outcome::Failure((Status::BadRequest, KeyError::Invalid));
        }

        let session = session[1];

        let db = request
            .guard::<AtuinDbConn>()
            .succeeded()
            .expect("failed to load database");

        let session = sessions::table
            .filter(sessions::token.eq(session))
            .first::<Session>(&*db);

        if session.is_err() {
            return Outcome::Failure((Status::Unauthorized, KeyError::Invalid));
        }

        let session = session.unwrap();

        let user = users::table.find(session.user_id).first(&*db);

        match user {
            Ok(user) => Outcome::Success(user),
            Err(_) => Outcome::Failure((Status::Unauthorized, KeyError::Invalid)),
        }
    }
}

#[derive(Deserialize)]
pub struct Register {
    email: String,
    password: String,
}

#[post("/register", data = "<register>")]
#[allow(clippy::clippy::needless_pass_by_value)]
pub fn register(conn: AtuinDbConn, register: Json<Register>) -> ApiResponse {
    let hashed = hash_str(register.password.as_str());

    let new_user = NewUser {
        email: register.email.as_str(),
        password: hashed.as_str(),
    };

    let user = diesel::insert_into(users::table)
        .values(&new_user)
        .get_result(&*conn);

    if user.is_err() {
        return ApiResponse {
            status: Status::BadRequest,
            json: json!({
                "status": "error",
                "message": "failed to create user - is the email already in use?",
            }),
        };
    }

    let user: User = user.unwrap();
    let token = Uuid::new_v4().to_simple().to_string();

    let new_session = NewSession {
        user_id: user.id,
        token: token.as_str(),
    };

    match diesel::insert_into(sessions::table)
        .values(&new_session)
        .execute(&*conn)
    {
        Ok(_) => ApiResponse {
            status: Status::Ok,
            json: json!({"status": "ok", "message": "user created!", "session": token}),
        },
        Err(_) => ApiResponse {
            status: Status::BadRequest,
            json: json!({"status": "error", "message": "failed to create user"}),
        },
    }
}

#[derive(Deserialize)]
pub struct Login {
    email: String,
    password: String,
}

#[post("/login", data = "<login>")]
#[allow(clippy::clippy::needless_pass_by_value)]
pub fn login(conn: AtuinDbConn, login: Json<Login>) -> ApiResponse {
    let user = users::table
        .filter(users::email.eq(login.email.as_str()))
        .first(&*conn);

    if user.is_err() {
        return ApiResponse {
            status: Status::NotFound,
            json: json!({"status": "error", "message": "user not found"}),
        };
    }

    let user: User = user.unwrap();

    let session = sessions::table
        .filter(sessions::user_id.eq(user.id))
        .first(&*conn);

    // a session should exist...
    if session.is_err() {
        return ApiResponse {
            status: Status::InternalServerError,
            json: json!({"status": "error", "message": "something went wrong"}),
        };
    }

    let verified = verify_str(user.password.as_str(), login.password.as_str());

    if !verified {
        return ApiResponse {
            status: Status::NotFound,
            json: json!({"status": "error", "message": "user not found"}),
        };
    }

    let session: Session = session.unwrap();

    ApiResponse {
        status: Status::Ok,
        json: json!({"status": "ok", "token": session.token}),
    }
}
Implement server (#23) * Add initial database and server setup * Set up all routes, auth, etc * Implement sessions, password auth, hashing with argon2, and history storage 2021-03-21 14:04:39 -06:00			`use self::diesel::prelude::*;`
			`use rocket::http::Status;`
			`use rocket::request::{self, FromRequest, Outcome, Request};`
			`use rocket_contrib::databases::diesel;`
			`use sodiumoxide::crypto::pwhash::argon2id13;`

			`use rocket_contrib::json::Json;`
			`use uuid::Uuid;`

			`use super::models::{NewSession, NewUser, Session, User};`
			`use super::views::ApiResponse;`
			`use crate::schema::{sessions, users};`

			`use super::database::AtuinDbConn;`

			`#[derive(Debug)]`
			`pub enum KeyError {`
			`Missing,`
			`Invalid,`
			`}`

			`pub fn hash_str(secret: &str) -> String {`
			`sodiumoxide::init().unwrap();`
			`let hash = argon2id13::pwhash(`
			`secret.as_bytes(),`
			`argon2id13::OPSLIMIT_INTERACTIVE,`
			`argon2id13::MEMLIMIT_INTERACTIVE,`
			`)`
			`.unwrap();`
			`let texthash = std::str::from_utf8(&hash.0).unwrap().to_string();`

			`// postgres hates null chars. don't do that to postgres`
			`texthash.trim_end_matches('\u{0}').to_string()`
			`}`

			`pub fn verify_str(secret: &str, verify: &str) -> bool {`
			`sodiumoxide::init().unwrap();`

			`let mut padded = [0_u8; 128];`
			`secret.as_bytes().iter().enumerate().for_each(\|(i, val)\| {`
			`padded[i] = *val;`
			`});`

			`match argon2id13::HashedPassword::from_slice(&padded) {`
			`Some(hp) => argon2id13::pwhash_verify(&hp, verify.as_bytes()),`
			`None => false,`
			`}`
			`}`

			`impl<'a, 'r> FromRequest<'a, 'r> for User {`
			`type Error = KeyError;`

			`fn from_request(request: &'a Request<'r>) -> request::Outcome<User, Self::Error> {`
			`let session: Vec<_> = request.headers().get("authorization").collect();`

			`if session.is_empty() {`
			`return Outcome::Failure((Status::BadRequest, KeyError::Missing));`
			`} else if session.len() > 1 {`
			`return Outcome::Failure((Status::BadRequest, KeyError::Invalid));`
			`}`

			`let session: Vec<_> = session[0].split(' ').collect();`

			`if session.len() != 2 {`
			`return Outcome::Failure((Status::BadRequest, KeyError::Invalid));`
			`}`

			`if session[0] != "Token" {`
			`return Outcome::Failure((Status::BadRequest, KeyError::Invalid));`
			`}`

			`let session = session[1];`

			`let db = request`
			`.guard::<AtuinDbConn>()`
			`.succeeded()`
			`.expect("failed to load database");`

			`let session = sessions::table`
			`.filter(sessions::token.eq(session))`
			`.first::<Session>(&*db);`

			`if session.is_err() {`
			`return Outcome::Failure((Status::Unauthorized, KeyError::Invalid));`
			`}`

			`let session = session.unwrap();`

			`let user = users::table.find(session.user_id).first(&*db);`

			`match user {`
			`Ok(user) => Outcome::Success(user),`
			`Err(_) => Outcome::Failure((Status::Unauthorized, KeyError::Invalid)),`
			`}`
			`}`
			`}`

			`#[derive(Deserialize)]`
			`pub struct Register {`
			`email: String,`
			`password: String,`
			`}`

			`#[post("/register", data = "<register>")]`
			`#[allow(clippy::clippy::needless_pass_by_value)]`
			`pub fn register(conn: AtuinDbConn, register: Json<Register>) -> ApiResponse {`
			`let hashed = hash_str(register.password.as_str());`

			`let new_user = NewUser {`
			`email: register.email.as_str(),`
			`password: hashed.as_str(),`
			`};`

			`let user = diesel::insert_into(users::table)`
			`.values(&new_user)`
			`.get_result(&*conn);`

			`if user.is_err() {`
			`return ApiResponse {`
			`status: Status::BadRequest,`
			`json: json!({`
			`"status": "error",`
			`"message": "failed to create user - is the email already in use?",`
			`}),`
			`};`
			`}`

			`let user: User = user.unwrap();`
			`let token = Uuid::new_v4().to_simple().to_string();`

			`let new_session = NewSession {`
			`user_id: user.id,`
			`token: token.as_str(),`
			`};`

			`match diesel::insert_into(sessions::table)`
			`.values(&new_session)`
			`.execute(&*conn)`
			`{`
			`Ok(_) => ApiResponse {`
			`status: Status::Ok,`
			`json: json!({"status": "ok", "message": "user created!", "session": token}),`
			`},`
			`Err(_) => ApiResponse {`
			`status: Status::BadRequest,`
			`json: json!({"status": "error", "message": "failed to create user"}),`
			`},`
			`}`
			`}`

			`#[derive(Deserialize)]`
			`pub struct Login {`
			`email: String,`
			`password: String,`
			`}`

			`#[post("/login", data = "<login>")]`
			`#[allow(clippy::clippy::needless_pass_by_value)]`
			`pub fn login(conn: AtuinDbConn, login: Json<Login>) -> ApiResponse {`
			`let user = users::table`
			`.filter(users::email.eq(login.email.as_str()))`
			`.first(&*conn);`

			`if user.is_err() {`
			`return ApiResponse {`
			`status: Status::NotFound,`
			`json: json!({"status": "error", "message": "user not found"}),`
			`};`
			`}`

			`let user: User = user.unwrap();`

			`let session = sessions::table`
			`.filter(sessions::user_id.eq(user.id))`
			`.first(&*conn);`

			`// a session should exist...`
			`if session.is_err() {`
			`return ApiResponse {`
			`status: Status::InternalServerError,`
			`json: json!({"status": "error", "message": "something went wrong"}),`
			`};`
			`}`

			`let verified = verify_str(user.password.as_str(), login.password.as_str());`

			`if !verified {`
			`return ApiResponse {`
			`status: Status::NotFound,`
			`json: json!({"status": "error", "message": "user not found"}),`
			`};`
			`}`

			`let session: Session = session.unwrap();`

			`ApiResponse {`
			`status: Status::Ok,`
			`json: json!({"status": "ok", "token": session.token}),`
			`}`
			`}`