102 lines
3 KiB
Rust
102 lines
3 KiB
Rust
use super::{
|
|
db::{self, UserId},
|
|
errors::TideResultExt,
|
|
};
|
|
use crate::Request;
|
|
use anyhow::{anyhow, Context};
|
|
use rand::thread_rng;
|
|
use rpc::auth as zed_auth;
|
|
use scrypt::{
|
|
password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
|
|
Scrypt,
|
|
};
|
|
use std::convert::TryFrom;
|
|
use surf::StatusCode;
|
|
use tide::Error;
|
|
|
|
pub async fn process_auth_header(request: &Request) -> tide::Result<UserId> {
|
|
let mut auth_header = request
|
|
.header("Authorization")
|
|
.ok_or_else(|| {
|
|
Error::new(
|
|
StatusCode::BadRequest,
|
|
anyhow!("missing authorization header"),
|
|
)
|
|
})?
|
|
.last()
|
|
.as_str()
|
|
.split_whitespace();
|
|
let user_id = UserId(auth_header.next().unwrap_or("").parse().map_err(|_| {
|
|
Error::new(
|
|
StatusCode::BadRequest,
|
|
anyhow!("missing user id in authorization header"),
|
|
)
|
|
})?);
|
|
let access_token = auth_header.next().ok_or_else(|| {
|
|
Error::new(
|
|
StatusCode::BadRequest,
|
|
anyhow!("missing access token in authorization header"),
|
|
)
|
|
})?;
|
|
|
|
let state = request.state().clone();
|
|
let mut credentials_valid = false;
|
|
for password_hash in state.db.get_access_token_hashes(user_id).await? {
|
|
if verify_access_token(&access_token, &password_hash)? {
|
|
credentials_valid = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if !credentials_valid {
|
|
Err(Error::new(
|
|
StatusCode::Unauthorized,
|
|
anyhow!("invalid credentials"),
|
|
))?;
|
|
}
|
|
|
|
Ok(user_id)
|
|
}
|
|
|
|
const MAX_ACCESS_TOKENS_TO_STORE: usize = 8;
|
|
|
|
pub async fn create_access_token(db: &dyn db::Db, user_id: UserId) -> tide::Result<String> {
|
|
let access_token = zed_auth::random_token();
|
|
let access_token_hash =
|
|
hash_access_token(&access_token).context("failed to hash access token")?;
|
|
db.create_access_token_hash(user_id, &access_token_hash, MAX_ACCESS_TOKENS_TO_STORE)
|
|
.await?;
|
|
Ok(access_token)
|
|
}
|
|
|
|
fn hash_access_token(token: &str) -> tide::Result<String> {
|
|
// Avoid slow hashing in debug mode.
|
|
let params = if cfg!(debug_assertions) {
|
|
scrypt::Params::new(1, 1, 1).unwrap()
|
|
} else {
|
|
scrypt::Params::recommended()
|
|
};
|
|
|
|
Ok(Scrypt
|
|
.hash_password(
|
|
token.as_bytes(),
|
|
None,
|
|
params,
|
|
&SaltString::generate(thread_rng()),
|
|
)?
|
|
.to_string())
|
|
}
|
|
|
|
pub fn encrypt_access_token(access_token: &str, public_key: String) -> tide::Result<String> {
|
|
let native_app_public_key =
|
|
zed_auth::PublicKey::try_from(public_key).context("failed to parse app public key")?;
|
|
let encrypted_access_token = native_app_public_key
|
|
.encrypt_string(&access_token)
|
|
.context("failed to encrypt access token with public key")?;
|
|
Ok(encrypted_access_token)
|
|
}
|
|
|
|
pub fn verify_access_token(token: &str, hash: &str) -> tide::Result<bool> {
|
|
let hash = PasswordHash::new(hash)?;
|
|
Ok(Scrypt.verify_password(token.as_bytes(), &hash).is_ok())
|
|
}
|