surrealpatch/core/src/iam/signup.rs

use crate::cnf::{INSECURE_FORWARD_SCOPE_ERRORS, SERVER_NAME};
use crate::dbs::Session;
use crate::err::Error;
use crate::iam::token::{Claims, HEADER};
use crate::iam::Auth;
use crate::iam::{Actor, Level};
use crate::kvs::{Datastore, LockType::*, TransactionType::*};
use crate::sql::Object;
use crate::sql::Value;
use chrono::{Duration, Utc};
use jsonwebtoken::{encode, EncodingKey};
use std::sync::Arc;
use uuid::Uuid;

pub async fn signup(
	kvs: &Datastore,
	session: &mut Session,
	vars: Object,
) -> Result<Option<String>, Error> {
	// Parse the specified variables
	let ns = vars.get("NS").or_else(|| vars.get("ns"));
	let db = vars.get("DB").or_else(|| vars.get("db"));
	let sc = vars.get("SC").or_else(|| vars.get("sc"));
	// Check if the parameters exist
	match (ns, db, sc) {
		(Some(ns), Some(db), Some(sc)) => {
			// Process the provided values
			let ns = ns.to_raw_string();
			let db = db.to_raw_string();
			let sc = sc.to_raw_string();
			// Attempt to signup to specified scope
			super::signup::sc(kvs, session, ns, db, sc, vars).await
		}
		_ => Err(Error::InvalidSignup),
	}
}

pub async fn sc(
	kvs: &Datastore,
	session: &mut Session,
	ns: String,
	db: String,
	sc: String,
	vars: Object,
) -> Result<Option<String>, Error> {
	// Create a new readonly transaction
	let mut tx = kvs.transaction(Read, Optimistic).await?;
	// Fetch the specified scope from storage
	let scope = tx.get_sc(&ns, &db, &sc).await;
	// Ensure that the transaction is cancelled
	tx.cancel().await?;
	// Check if the supplied Scope login exists
	match scope {
		Ok(sv) => {
			match sv.signup {
				// This scope allows signup
				Some(val) => {
					// Setup the query params
					let vars = Some(vars.0);
					// Setup the system session for creating the signup record
					let mut sess = Session::editor().with_ns(&ns).with_db(&db);
					sess.ip = session.ip.clone();
					sess.or = session.or.clone();
					// Compute the value with the params
					match kvs.evaluate(val, &sess, vars).await {
						// The signin value succeeded
						Ok(val) => match val.record() {
							// There is a record returned
							Some(rid) => {
								// Create the authentication key
								let key = EncodingKey::from_secret(sv.code.as_ref());
								// Create the authentication claim
								let exp = Some(
									match sv.session {
										Some(v) => {
											// The defined session duration must be valid
											match Duration::from_std(v.0) {
												// The resulting session expiration must be valid
												Ok(d) => match Utc::now().checked_add_signed(d) {
													Some(exp) => exp,
													None => {
														return Err(Error::InvalidSessionExpiration)
													}
												},
												Err(_) => {
													return Err(Error::InvalidSessionDuration)
												}
											}
										}
										_ => Utc::now() + Duration::hours(1),
									}
									.timestamp(),
								);
								let val = Claims {
									iss: Some(SERVER_NAME.to_owned()),
									iat: Some(Utc::now().timestamp()),
									nbf: Some(Utc::now().timestamp()),
									jti: Some(Uuid::new_v4().to_string()),
									exp,
									ns: Some(ns.to_owned()),
									db: Some(db.to_owned()),
									sc: Some(sc.to_owned()),
									id: Some(rid.to_raw()),
									..Claims::default()
								};
								// Log the authenticated scope info
								trace!("Signing up to scope `{}`", sc);
								// Create the authentication token
								let enc = encode(&HEADER, &val, &key);
								// Set the authentication on the session
								session.tk = Some(val.into());
								session.ns = Some(ns.to_owned());
								session.db = Some(db.to_owned());
								session.sc = Some(sc.to_owned());
								session.sd = Some(Value::from(rid.to_owned()));
								session.exp = exp;
								session.au = Arc::new(Auth::new(Actor::new(
									rid.to_string(),
									Default::default(),
									Level::Scope(ns, db, sc),
								)));
								// Create the authentication token
								match enc {
									// The auth token was created successfully
									Ok(tk) => Ok(Some(tk)),
									_ => Err(Error::TokenMakingFailed),
								}
							}
							_ => Err(Error::NoRecordFound),
						},
						Err(e) => match e {
							Error::Thrown(_) => Err(e),
							e if *INSECURE_FORWARD_SCOPE_ERRORS => Err(e),
							_ => Err(Error::SignupQueryFailed),
						},
					}
				}
				_ => Err(Error::ScopeNoSignup),
			}
		}
		_ => Err(Error::NoScopeFound),
	}
}
Env flag: `SURREAL_INSECURE_FORWARD_SCOPE_ERRORS` (#3003) Co-authored-by: Salvador Girones Gil <salvadorgirones@gmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-11-20 14:54:27 +00:00			`use crate::cnf::{INSECURE_FORWARD_SCOPE_ERRORS, SERVER_NAME};`
Add authentication support for local engines (#1908) 2023-06-09 13:45:07 +00:00			`use crate::dbs::Session;`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`use crate::err::Error;`
			`use crate::iam::token::{Claims, HEADER};`
[iam] RBAC and multiple root users (#2176) Co-authored-by: Przemyslaw Hugh Kaznowski <hughkaznowski@protonmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-07-29 18:47:25 +00:00			`use crate::iam::Auth;`
			`use crate::iam::{Actor, Level};`
Switch transaction to enum from bool (#2743) 2023-09-26 13:02:53 +00:00			`use crate::kvs::{Datastore, LockType::, TransactionType::};`
Add authentication support for local engines (#1908) 2023-06-09 13:45:07 +00:00			`use crate::sql::Object;`
			`use crate::sql::Value;`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`use chrono::{Duration, Utc};`
			`use jsonwebtoken::{encode, EncodingKey};`
Allow root authentication over WebSocket connection 2022-08-23 22:44:13 +00:00			`use std::sync::Arc;`
Add JWT ID claim to tokens issued by SurrealDB (#3651) 2024-03-12 11:03:27 +00:00			`use uuid::Uuid;`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00
Add authentication support for local engines (#1908) 2023-06-09 13:45:07 +00:00			`pub async fn signup(`
			`kvs: &Datastore,`
			`session: &mut Session,`
			`vars: Object,`
			`) -> Result<Option<String>, Error> {`
Fix typos (#42) Found via `codespell -L crate,inout,ser,fetchs,te,tre,whats`. 2022-08-21 12:13:38 +00:00			`// Parse the specified variables`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`let ns = vars.get("NS").or_else(\|\| vars.get("ns"));`
			`let db = vars.get("DB").or_else(\|\| vars.get("db"));`
			`let sc = vars.get("SC").or_else(\|\| vars.get("sc"));`
Fix typos (#42) Found via `codespell -L crate,inout,ser,fetchs,te,tre,whats`. 2022-08-21 12:13:38 +00:00			`// Check if the parameters exist`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`match (ns, db, sc) {`
			`(Some(ns), Some(db), Some(sc)) => {`
			`// Process the provided values`
Add support for stricter typings (#1861) Co-authored-by: Rushmore Mushambi <rushmore@surrealdb.com> 2023-04-25 10:13:04 +00:00			`let ns = ns.to_raw_string();`
			`let db = db.to_raw_string();`
			`let sc = sc.to_raw_string();`
[iam] RBAC and multiple root users (#2176) Co-authored-by: Przemyslaw Hugh Kaznowski <hughkaznowski@protonmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-07-29 18:47:25 +00:00			`// Attempt to signup to specified scope`
Improve datastore configuration options (#2227) 2023-07-05 21:26:13 +00:00			`super::signup::sc(kvs, session, ns, db, sc, vars).await`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`}`
clear auth failure messages (#2635) 2023-09-08 13:27:38 +00:00			`_ => Err(Error::InvalidSignup),`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`}`
			`}`

Allow root authentication over WebSocket connection 2022-08-23 22:44:13 +00:00			`pub async fn sc(`
Add authentication support for local engines (#1908) 2023-06-09 13:45:07 +00:00			`kvs: &Datastore,`
Allow root authentication over WebSocket connection 2022-08-23 22:44:13 +00:00			`session: &mut Session,`
			`ns: String,`
			`db: String,`
			`sc: String,`
			`vars: Object,`
Simplify passing of authentication tokens to client 2023-02-11 15:56:14 +00:00			`) -> Result<Option<String>, Error> {`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`// Create a new readonly transaction`
Switch transaction to enum from bool (#2743) 2023-09-26 13:02:53 +00:00			`let mut tx = kvs.transaction(Read, Optimistic).await?;`
Ensure transactions are handled properly (#2585) 2023-09-02 21:22:41 +00:00			`// Fetch the specified scope from storage`
			`let scope = tx.get_sc(&ns, &db, &sc).await;`
			`// Ensure that the transaction is cancelled`
			`tx.cancel().await?;`
[iam] RBAC and multiple root users (#2176) Co-authored-by: Przemyslaw Hugh Kaznowski <hughkaznowski@protonmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-07-29 18:47:25 +00:00			`// Check if the supplied Scope login exists`
Ensure transactions are handled properly (#2585) 2023-09-02 21:22:41 +00:00			`match scope {`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`Ok(sv) => {`
			`match sv.signup {`
[iam] RBAC and multiple root users (#2176) Co-authored-by: Przemyslaw Hugh Kaznowski <hughkaznowski@protonmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-07-29 18:47:25 +00:00			`// This scope allows signup`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`Some(val) => {`
			`// Setup the query params`
			`let vars = Some(vars.0);`
[iam] RBAC and multiple root users (#2176) Co-authored-by: Przemyslaw Hugh Kaznowski <hughkaznowski@protonmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-07-29 18:47:25 +00:00			`// Setup the system session for creating the signup record`
Pass IP & Origin onto session used by scope queries (#2991) 2023-11-17 21:33:11 +00:00			`let mut sess = Session::editor().with_ns(&ns).with_db(&db);`
			`sess.ip = session.ip.clone();`
			`sess.or = session.or.clone();`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`// Compute the value with the params`
Ensure scope `SIGNUP` and `SIGNIN` works with guest access disabled (#2663) 2023-09-10 10:41:28 +00:00			`match kvs.evaluate(val, &sess, vars).await {`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`// The signin value succeeded`
Rename function for simplicity 2022-09-19 11:28:41 +00:00			`Ok(val) => match val.record() {`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`// There is a record returned`
			`Some(rid) => {`
			`// Create the authentication key`
			`let key = EncodingKey::from_secret(sv.code.as_ref());`
			`// Create the authentication claim`
Fix: Consistently enforce session expiration (#3686) 2024-03-13 09:06:16 +00:00			`let exp = Some(`
			`match sv.session {`
			`Some(v) => {`
			`// The defined session duration must be valid`
			`match Duration::from_std(v.0) {`
			`// The resulting session expiration must be valid`
			`Ok(d) => match Utc::now().checked_add_signed(d) {`
			`Some(exp) => exp,`
			`None => {`
			`return Err(Error::InvalidSessionExpiration)`
			`}`
			`},`
			`Err(_) => {`
			`return Err(Error::InvalidSessionDuration)`
			`}`
			`}`
			`}`
			`_ => Utc::now() + Duration::hours(1),`
			`}`
			`.timestamp(),`
			`);`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`let val = Claims {`
Enable more customisable JWT verification Closes #1244 2022-09-27 21:07:41 +00:00			`iss: Some(SERVER_NAME.to_owned()),`
			`iat: Some(Utc::now().timestamp()),`
			`nbf: Some(Utc::now().timestamp()),`
Add JWT ID claim to tokens issued by SurrealDB (#3651) 2024-03-12 11:03:27 +00:00			`jti: Some(Uuid::new_v4().to_string()),`
Fix: Consistently enforce session expiration (#3686) 2024-03-13 09:06:16 +00:00			`exp,`
Allow root authentication over WebSocket connection 2022-08-23 22:44:13 +00:00			`ns: Some(ns.to_owned()),`
			`db: Some(db.to_owned()),`
			`sc: Some(sc.to_owned()),`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`id: Some(rid.to_raw()),`
			`..Claims::default()`
			`};`
Fix authentication issues with `LIVE SELECT` statements (#2661) 2023-09-10 10:58:50 +00:00			`// Log the authenticated scope info`
			trace!("Signing up to scope `{}`", sc);
Add authentication token claims data to session object Closes #135 2022-09-17 01:52:07 +00:00			`// Create the authentication token`
Fix clippy lint warnings 2022-11-23 09:09:24 +00:00			`let enc = encode(&HEADER, &val, &key);`
Make readability fixes to Rust code comments (#157) 2022-09-17 01:50:10 +00:00			`// Set the authentication on the session`
Add authentication token claims data to session object Closes #135 2022-09-17 01:52:07 +00:00			`session.tk = Some(val.into());`
Ensure session data is stored on the session after signup/signin 2022-09-04 23:53:35 +00:00			`session.ns = Some(ns.to_owned());`
			`session.db = Some(db.to_owned());`
			`session.sc = Some(sc.to_owned());`
[iam] RBAC and multiple root users (#2176) Co-authored-by: Przemyslaw Hugh Kaznowski <hughkaznowski@protonmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-07-29 18:47:25 +00:00			`session.sd = Some(Value::from(rid.to_owned()));`
Fix: Consistently enforce session expiration (#3686) 2024-03-13 09:06:16 +00:00			`session.exp = exp;`
[iam] RBAC and multiple root users (#2176) Co-authored-by: Przemyslaw Hugh Kaznowski <hughkaznowski@protonmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-07-29 18:47:25 +00:00			`session.au = Arc::new(Auth::new(Actor::new(`
			`rid.to_string(),`
			`Default::default(),`
			`Level::Scope(ns, db, sc),`
			`)));`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`// Create the authentication token`
Add authentication token claims data to session object Closes #135 2022-09-17 01:52:07 +00:00			`match enc {`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`// The auth token was created successfully`
Simplify passing of authentication tokens to client 2023-02-11 15:56:14 +00:00			`Ok(tk) => Ok(Some(tk)),`
clear auth failure messages (#2635) 2023-09-08 13:27:38 +00:00			`_ => Err(Error::TokenMakingFailed),`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`}`
			`}`
clear auth failure messages (#2635) 2023-09-08 13:27:38 +00:00			`_ => Err(Error::NoRecordFound),`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`},`
Forward custom thrown errors in SIGNIN and SIGNUP queries (#2902) 2023-10-28 12:39:46 +00:00			`Err(e) => match e {`
			`Error::Thrown(_) => Err(e),`
Env flag: `SURREAL_INSECURE_FORWARD_SCOPE_ERRORS` (#3003) Co-authored-by: Salvador Girones Gil <salvadorgirones@gmail.com> Co-authored-by: Tobie Morgan Hitchcock <tobie@surrealdb.com> 2023-11-20 14:54:27 +00:00			`e if *INSECURE_FORWARD_SCOPE_ERRORS => Err(e),`
Forward custom thrown errors in SIGNIN and SIGNUP queries (#2902) 2023-10-28 12:39:46 +00:00			`_ => Err(Error::SignupQueryFailed),`
			`},`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`}`
			`}`
clear auth failure messages (#2635) 2023-09-08 13:27:38 +00:00			`_ => Err(Error::ScopeNoSignup),`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`}`
			`}`
clear auth failure messages (#2635) 2023-09-08 13:27:38 +00:00			`_ => Err(Error::NoScopeFound),`
Move authentication code to separate module 2022-07-04 00:01:24 +00:00			`}`
			`}`