Implement web authentication session validation

This commit is contained in:
Tobie Morgan Hitchcock 2022-05-10 08:29:25 +01:00
parent d761a6df47
commit 3498e57e04
11 changed files with 491 additions and 109 deletions

77
Cargo.lock generated
View file

@ -309,7 +309,7 @@ dependencies = [
"num-integer",
"num-traits",
"serde",
"time",
"time 0.1.44",
"winapi",
]
@ -1126,6 +1126,20 @@ dependencies = [
"wasm-bindgen",
]
[[package]]
name = "jsonwebtoken"
version = "8.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cc9051c17f81bae79440afa041b3a278e1de71bfb96d32454b477fd4703ccb6f"
dependencies = [
"base64",
"pem",
"ring",
"serde",
"serde_json",
"simple_asn1",
]
[[package]]
name = "lazy_static"
version = "1.4.0"
@ -1389,6 +1403,15 @@ dependencies = [
"libc",
]
[[package]]
name = "num_threads"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2819ce041d2ee131036f4fc9d6ae7ae125a3a40e97ba64d04fe799ad9dabbb44"
dependencies = [
"libc",
]
[[package]]
name = "once_cell"
version = "1.10.0"
@ -1528,6 +1551,15 @@ version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
[[package]]
name = "pem"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e9a3b09a20e374558580a4914d3b7d89bd61b954a5a5e1dcbea98753addb1947"
dependencies = [
"base64",
]
[[package]]
name = "percent-encoding"
version = "2.1.0"
@ -1769,6 +1801,15 @@ version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"
[[package]]
name = "quickcheck"
version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "588f6378e4dd99458b60ec275b4477add41ce4fa9f64dcba6f15adccb19b50d6"
dependencies = [
"rand 0.8.5",
]
[[package]]
name = "quote"
version = "1.0.18"
@ -2210,6 +2251,18 @@ version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fdf1b9db47230893d76faad238fd6097fd6d6a9245cd7a4d90dbd639536bbd2"
[[package]]
name = "simple_asn1"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a762b1c38b9b990c694b9c2f8abe3372ce6a9ceaae6bca39cfc46e054f45745"
dependencies = [
"num-bigint",
"num-traits",
"thiserror",
"time 0.3.9",
]
[[package]]
name = "sized-chunks"
version = "0.6.5"
@ -2290,6 +2343,8 @@ checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
name = "surreal"
version = "0.0.0"
dependencies = [
"argon2",
"base64",
"bytes",
"chrono",
"clap",
@ -2297,6 +2352,7 @@ dependencies = [
"futures 0.3.21",
"http",
"hyper",
"jsonwebtoken",
"log",
"once_cell",
"rand 0.8.5",
@ -2527,6 +2583,25 @@ dependencies = [
"winapi",
]
[[package]]
name = "time"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c2702e08a7a860f005826c6815dcac101b19b5eb330c27fe4a5928fec1d20ddd"
dependencies = [
"itoa",
"libc",
"num_threads",
"quickcheck",
"time-macros",
]
[[package]]
name = "time-macros"
version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42657b1a6f4d817cda8e7a0ace261fe0cc946cf3a80314390b22cc61ae080792"
[[package]]
name = "tinyvec"
version = "1.6.0"

View file

@ -16,6 +16,8 @@ panic = 'abort'
codegen-units = 1
[dependencies]
argon2 = "0.4.0"
base64 = "0.13.0"
bytes = "1.1.0"
chrono = { version = "0.4.19", features = ["serde"] }
clap = "3.1.17"
@ -23,6 +25,7 @@ fern = { version = "0.6.1", features = ["colored"] }
futures = "0.3.21"
http = "0.2.7"
hyper = "0.14.18"
jsonwebtoken = "8.1.0"
log = "0.4.17"
once_cell = "1.10.0"
rand = "0.8.5"

View file

@ -7,6 +7,7 @@ use std::fmt;
#[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
pub enum Algorithm {
EdDSA,
Es256,
Es384,
Es512,
@ -30,6 +31,7 @@ impl Default for Algorithm {
impl fmt::Display for Algorithm {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
Algorithm::EdDSA => write!(f, "EDDSA"),
Algorithm::Es256 => write!(f, "ES256"),
Algorithm::Es384 => write!(f, "ES384"),
Algorithm::Es512 => write!(f, "ES512"),
@ -48,6 +50,7 @@ impl fmt::Display for Algorithm {
pub fn algorithm(i: &str) -> IResult<&str, Algorithm> {
alt((
map(tag("EDDSA"), |_| Algorithm::EdDSA),
map(tag("ES256"), |_| Algorithm::Es256),
map(tag("ES384"), |_| Algorithm::Es384),
map(tag("ES512"), |_| Algorithm::Es512),

View file

@ -1,10 +1,11 @@
use http::Error as HttpError;
use hyper::Error as HyperError;
use base64::DecodeError as Base64Error;
use jsonwebtoken::errors::Error as JWTError;
use reqwest::Error as ReqwestError;
use serde_cbor::error::Error as CborError;
use serde_json::error::Error as JsonError;
use serde_pack::encode::Error as PackError;
use std::io::Error as IoError;
use std::string::FromUtf8Error as Utf8Error;
use surrealdb::Error as DbError;
use thiserror::Error;
@ -13,29 +14,44 @@ pub enum Error {
#[error("The request body contains invalid data")]
Request,
#[error("{0}")]
#[error("There was a problem with authentication")]
InvalidAuth,
#[error("There was a problem with the database: {0}")]
Db(#[from] DbError),
#[error("IO error: {0}")]
#[error("Couldn't open the specified file: {0}")]
Io(#[from] IoError),
#[error("HTTP Error: {0}")]
Hyper(#[from] HyperError),
#[error("HTTP Error: {0}")]
Http(#[from] HttpError),
#[error("JSON Error: {0}")]
#[error("There was an error serializing to JSON: {0}")]
Json(#[from] JsonError),
#[error("CBOR Error: {0}")]
#[error("There was an error serializing to CBOR: {0}")]
Cbor(#[from] CborError),
#[error("PACK Error: {0}")]
#[error("There was an error serializing to MessagePack: {0}")]
Pack(#[from] PackError),
#[error("Reqwest Error: {0}")]
Reqwest(#[from] ReqwestError),
#[error("There was an error with the remote request: {0}")]
Remote(#[from] ReqwestError),
}
impl warp::reject::Reject for Error {}
impl From<Base64Error> for Error {
fn from(_: Base64Error) -> Error {
Error::InvalidAuth
}
}
impl From<Utf8Error> for Error {
fn from(_: Utf8Error) -> Error {
Error::InvalidAuth
}
}
impl From<JWTError> for Error {
fn from(_: JWTError) -> Error {
Error::InvalidAuth
}
}

View file

@ -1,59 +0,0 @@
use std::net::SocketAddr;
use std::sync::Arc;
use surrealdb::Auth;
use surrealdb::Session;
use warp::Filter;
pub fn build() -> impl Filter<Extract = (Session,), Error = warp::Rejection> + Copy {
// Enable on any path
let conf = warp::any();
// Add remote ip address
let conf = conf.and(warp::filters::addr::remote());
// Add authorization header
let conf = conf.and(warp::header::optional::<String>("authorization"));
// Add http origin header
let conf = conf.and(warp::header::optional::<String>("origin"));
// Add session id header
let conf = conf.and(warp::header::optional::<String>("id"));
// Add namespace header
let conf = conf.and(warp::header::optional::<String>("ns"));
// Add database header
let conf = conf.and(warp::header::optional::<String>("db"));
// Process all headers
conf.map(process)
}
fn process(
ip: Option<SocketAddr>,
au: Option<String>,
or: Option<String>,
id: Option<String>,
ns: Option<String>,
db: Option<String>,
) -> Session {
// Create session
let conf = Session {
au: Arc::new(Auth::default()),
ip: ip.map(|v| v.to_string()),
or,
id,
ns,
db,
sc: None,
sd: None,
};
// Parse authentication
match au {
Some(auth) if auth.starts_with("Basic") => basic(auth, conf),
Some(auth) if auth.starts_with("Bearer") => token(auth, conf),
_ => conf,
}
}
fn basic(_auth: String, conf: Session) -> Session {
conf
}
fn token(_auth: String, conf: Session) -> Session {
conf
}

View file

@ -1,7 +1,7 @@
use crate::net::conf;
// use crate::net::DB;
// use hyper::body::Body;
// use surrealdb::dbs::export;
use crate::net::session;
use surrealdb::Session;
use warp::Filter;

View file

@ -14,7 +14,28 @@ struct Message {
}
pub async fn recover(err: warp::Rejection) -> Result<impl warp::Reply, warp::Rejection> {
if err.is_not_found() {
if let Some(err) = err.find::<Error>() {
match err {
Error::InvalidAuth => Ok(warp::reply::with_status(
warp::reply::json(&Message {
code: 403,
details: Some("Authentication failed".to_string()),
description: Some("Your authentication details are invalid. Reauthenticate using valid authentication parameters.".to_string()),
information: Some(err.to_string()),
}),
StatusCode::FORBIDDEN,
)),
_ => Ok(warp::reply::with_status(
warp::reply::json(&Message {
code: 400,
details: Some("Request problems detected".to_string()),
description: Some("There is a problem with your request. Refer to the documentation for further information.".to_string()),
information: Some(err.to_string()),
}),
StatusCode::BAD_REQUEST,
))
}
} else if err.is_not_found() {
Ok(warp::reply::with_status(
warp::reply::json(&Message {
code: 404,
@ -24,16 +45,6 @@ pub async fn recover(err: warp::Rejection) -> Result<impl warp::Reply, warp::Rej
}),
StatusCode::NOT_FOUND,
))
} else if let Some(err) = err.find::<Error>() {
Ok(warp::reply::with_status(
warp::reply::json(&Message {
code: 400,
details: Some("Request problems detected".to_string()),
description: Some("There is a problem with your request. Refer to the documentation for further information.".to_string()),
information: Some(err.to_string()),
}),
StatusCode::BAD_REQUEST,
))
} else if err.find::<warp::reject::MethodNotAllowed>().is_some() {
Ok(warp::reply::with_status(
warp::reply::json(&Message {
@ -44,6 +55,16 @@ pub async fn recover(err: warp::Rejection) -> Result<impl warp::Reply, warp::Rej
}),
StatusCode::METHOD_NOT_ALLOWED,
))
} else if err.find::<warp::reject::MissingHeader>().is_some() {
Ok(warp::reply::with_status(
warp::reply::json(&Message {
code: 412,
details: Some("Request problems detected".to_string()),
description: Some("The request appears to be missing a required header. Refer to the documentation for request requirements.".to_string()),
information: None,
}),
StatusCode::PRECONDITION_FAILED,
))
} else if err.find::<warp::reject::PayloadTooLarge>().is_some() {
Ok(warp::reply::with_status(
warp::reply::json(&Message {
@ -64,16 +85,6 @@ pub async fn recover(err: warp::Rejection) -> Result<impl warp::Reply, warp::Rej
}),
StatusCode::UNSUPPORTED_MEDIA_TYPE,
))
} else if err.find::<warp::reject::MissingHeader>().is_some() {
Ok(warp::reply::with_status(
warp::reply::json(&Message {
code: 412,
details: Some("Request problems detected".to_string()),
description: Some("The request appears to be missing a required header. Refer to the documentation for request requirements.".to_string()),
information: None,
}),
StatusCode::PRECONDITION_FAILED,
))
} else if err.find::<warp::reject::InvalidQuery>().is_some() {
Ok(warp::reply::with_status(
warp::reply::json(&Message {

View file

@ -1,7 +1,7 @@
use crate::err::Error;
use crate::net::conf;
use crate::net::head;
use crate::net::output;
use crate::net::session;
use crate::net::DB;
use bytes::Bytes;
use serde::Deserialize;
@ -35,7 +35,7 @@ pub fn config() -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejecti
// Set select method
let select = warp::any()
.and(warp::get())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(path!("key" / String).and(warp::path::end()))
.and(warp::query())
@ -43,7 +43,7 @@ pub fn config() -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejecti
// Set create method
let create = warp::any()
.and(warp::post())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(path!("key" / String).and(warp::path::end()))
.and(warp::body::content_length_limit(MAX))
@ -52,7 +52,7 @@ pub fn config() -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejecti
// Set delete method
let delete = warp::any()
.and(warp::delete())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(path!("key" / String).and(warp::path::end()))
.and_then(delete_all);
@ -66,14 +66,14 @@ pub fn config() -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejecti
// Set select method
let select = warp::any()
.and(warp::get())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(path!("key" / String / String).and(warp::path::end()))
.and_then(select_one);
// Set create method
let create = warp::any()
.and(warp::post())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(path!("key" / String / String).and(warp::path::end()))
.and(warp::body::content_length_limit(MAX))
@ -82,7 +82,7 @@ pub fn config() -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejecti
// Set update method
let update = warp::any()
.and(warp::put())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(path!("key" / String / String).and(warp::path::end()))
.and(warp::body::content_length_limit(MAX))
@ -91,7 +91,7 @@ pub fn config() -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejecti
// Set modify method
let modify = warp::any()
.and(warp::patch())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(path!("key" / String / String).and(warp::path::end()))
.and(warp::body::content_length_limit(MAX))
@ -100,7 +100,7 @@ pub fn config() -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejecti
// Set delete method
let delete = warp::any()
.and(warp::delete())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(path!("key" / String / String).and(warp::path::end()))
.and_then(delete_one);

View file

@ -1,4 +1,3 @@
mod conf;
mod config;
mod export;
mod fail;
@ -8,6 +7,7 @@ mod index;
mod key;
mod log;
mod output;
mod session;
mod signin;
mod signup;
mod sql;

333
src/net/session.rs Normal file
View file

@ -0,0 +1,333 @@
use crate::err::Error;
use crate::net::CF;
use crate::net::DB;
use argon2::password_hash::{PasswordHash, PasswordVerifier};
use argon2::Argon2;
use jsonwebtoken::{decode, DecodingKey, Validation};
use once_cell::sync::Lazy;
use serde::{Deserialize, Serialize};
use std::net::SocketAddr;
use std::sync::Arc;
use surrealdb::sql::Algorithm;
use surrealdb::sql::Thing;
use surrealdb::sql::Value;
use surrealdb::Auth;
use surrealdb::Session;
use warp::Filter;
const BASIC: &str = "Basic ";
const TOKEN: &str = "Bearer ";
fn config(algo: Algorithm, code: String) -> Result<(DecodingKey, Validation), Error> {
match algo {
Algorithm::Hs256 => Ok((
DecodingKey::from_secret(code.as_ref()),
Validation::new(jsonwebtoken::Algorithm::HS256),
)),
Algorithm::Hs384 => Ok((
DecodingKey::from_secret(code.as_ref()),
Validation::new(jsonwebtoken::Algorithm::HS384),
)),
Algorithm::Hs512 => Ok((
DecodingKey::from_secret(code.as_ref()),
Validation::new(jsonwebtoken::Algorithm::HS512),
)),
Algorithm::EdDSA => Ok((
DecodingKey::from_ed_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::EdDSA),
)),
Algorithm::Es256 => Ok((
DecodingKey::from_ec_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::ES256),
)),
Algorithm::Es384 => Ok((
DecodingKey::from_ec_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::ES384),
)),
Algorithm::Es512 => Ok((
DecodingKey::from_ec_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::ES384),
)),
Algorithm::Ps256 => Ok((
DecodingKey::from_rsa_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::PS256),
)),
Algorithm::Ps384 => Ok((
DecodingKey::from_rsa_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::PS384),
)),
Algorithm::Ps512 => Ok((
DecodingKey::from_rsa_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::PS512),
)),
Algorithm::Rs256 => Ok((
DecodingKey::from_rsa_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::RS256),
)),
Algorithm::Rs384 => Ok((
DecodingKey::from_rsa_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::RS384),
)),
Algorithm::Rs512 => Ok((
DecodingKey::from_rsa_pem(code.as_ref())?,
Validation::new(jsonwebtoken::Algorithm::RS512),
)),
}
}
#[derive(Debug, Serialize, Deserialize)]
pub struct Claims {
iss: String,
iat: usize,
nbf: usize,
exp: usize,
ns: Option<String>,
db: Option<String>,
sc: Option<String>,
tk: Option<String>,
tb: Option<String>,
id: Option<String>,
}
static KEY: Lazy<DecodingKey> = Lazy::new(|| DecodingKey::from_secret(&[]));
static DUD: Lazy<Validation> = Lazy::new(|| {
let mut validation = Validation::new(jsonwebtoken::Algorithm::HS256);
validation.insecure_disable_signature_validation();
validation.validate_nbf = true;
validation.validate_exp = true;
validation
});
pub fn build() -> impl Filter<Extract = (Session,), Error = warp::Rejection> + Clone {
// Enable on any path
let conf = warp::any();
// Add remote ip address
let conf = conf.and(warp::filters::addr::remote());
// Add remote ip address
let conf = conf.map(|addr: Option<SocketAddr>| addr.map(|v| v.to_string()));
// Add authorization header
let conf = conf.and(warp::header::optional::<String>("authorization"));
// Add http origin header
let conf = conf.and(warp::header::optional::<String>("origin"));
// Add session id header
let conf = conf.and(warp::header::optional::<String>("id"));
// Add namespace header
let conf = conf.and(warp::header::optional::<String>("ns"));
// Add database header
let conf = conf.and(warp::header::optional::<String>("db"));
// Process all headers
conf.and_then(process)
}
async fn process(
ip: Option<String>,
au: Option<String>,
or: Option<String>,
id: Option<String>,
ns: Option<String>,
db: Option<String>,
) -> Result<Session, warp::Rejection> {
// Create session
#[rustfmt::skip]
let session = Session { ip, or, id, ns, db, ..Default::default() };
// Parse the authentication header
let session = match au {
// Basic authentication data was supplied
Some(auth) if auth.starts_with(BASIC) => basic(auth, session).await,
// Token authentication data was supplied
Some(auth) if auth.starts_with(TOKEN) => token(auth, session).await,
// Wrong authentication data was supplied
Some(_) => Err(Error::InvalidAuth),
// No authentication data was supplied
None => Ok(session),
}?;
// Pass the authenticated session through
Ok(session)
}
async fn basic(auth: String, mut session: Session) -> Result<Session, Error> {
// Get the config options
let opts = CF.get().unwrap();
// Retrieve just the auth data
if let Some((_, auth)) = auth.split_once(' ') {
// Get a database reference
let db = DB.get().unwrap();
// Decode the encoded auth data
let auth = base64::decode(auth)?;
// Convert the auth data to String
let auth = String::from_utf8(auth)?;
// Create a new readonly transaction
let mut tx = db.transaction(false, false).await?;
// Split the auth data into user and pass
if let Some((user, pass)) = auth.split_once(':') {
// Check that the details are not empty
if user.is_empty() || pass.is_empty() {
return Err(Error::InvalidAuth);
}
// Check if this is root authentication
if user == opts.user && pass == opts.pass {
session.au = Arc::new(Auth::Kv);
return Ok(session);
}
// Check if this is NS authentication
if let Some(ns) = &session.ns {
// Check if the supplied NS Login exists
if let Ok(nl) = tx.get_nl(ns, user).await {
// Compute the hash and verify the password
let hash = PasswordHash::new(&nl.hash).unwrap();
if Argon2::default().verify_password(pass.as_ref(), &hash).is_ok() {
session.au = Arc::new(Auth::Ns(ns.to_owned()));
return Ok(session);
}
};
// Check if this is DB authentication
if let Some(db) = &session.db {
// Check if the supplied DB Login exists
if let Ok(dl) = tx.get_dl(ns, db, user).await {
// Compute the hash and verify the password
let hash = PasswordHash::new(&dl.hash).unwrap();
if Argon2::default().verify_password(pass.as_ref(), &hash).is_ok() {
session.au = Arc::new(Auth::Db(ns.to_owned(), db.to_owned()));
return Ok(session);
}
};
}
}
}
}
// There was an auth error
Err(Error::InvalidAuth)
}
async fn token(auth: String, mut session: Session) -> Result<Session, Error> {
// Retrieve just the auth data
if let Some((_, auth)) = auth.split_once(' ') {
// Get a database reference
let db = DB.get().unwrap();
// Create a new readonly transaction
let mut tx = db.transaction(false, false).await?;
// Decode the token without verifying
let token = decode::<Claims>(auth, &KEY, &DUD)?;
// Check the token authentication claims
match token.claims {
// Check if this is scope token authentication
Claims {
ns: Some(ns),
db: Some(db),
sc: Some(sc),
tk: Some(tk),
tb: Some(tb),
id: Some(id),
..
} => {
// Get the scope token
let de = tx.get_st(&ns, &db, &sc, &tk).await?;
let cf = config(de.kind, de.code)?;
// Verify the token
decode::<Claims>(auth, &cf.0, &cf.1)?;
// Set the session
session.ns = Some(ns.to_owned());
session.db = Some(db.to_owned());
session.sc = Some(sc.to_owned());
session.sd = Some(Value::from(Thing::from((tb, id))));
session.au = Arc::new(Auth::Sc(ns, db, sc));
return Ok(session);
}
// Check if this is scope authentication
Claims {
ns: Some(ns),
db: Some(db),
sc: Some(sc),
tb: Some(tb),
id: Some(id),
..
} => {
// Get the scope
let de = tx.get_sc(&ns, &db, &sc).await?;
let cf = config(Algorithm::Hs512, de.code)?;
// Verify the token
decode::<Claims>(auth, &cf.0, &cf.1)?;
// Set the session
session.ns = Some(ns.to_owned());
session.db = Some(db.to_owned());
session.sc = Some(sc.to_owned());
session.sd = Some(Value::from(Thing::from((tb, id))));
session.au = Arc::new(Auth::Sc(ns, db, sc));
return Ok(session);
}
// Check if this is database token authentication
Claims {
ns: Some(ns),
db: Some(db),
tk: Some(tk),
..
} => {
// Get the database token
let de = tx.get_dt(&ns, &db, &tk).await?;
let cf = config(de.kind, de.code)?;
// Verify the token
decode::<Claims>(auth, &cf.0, &cf.1)?;
// Set the session
session.ns = Some(ns.to_owned());
session.db = Some(db.to_owned());
session.au = Arc::new(Auth::Db(ns, db));
return Ok(session);
}
// Check if this is database authentication
Claims {
ns: Some(ns),
db: Some(db),
id: Some(id),
..
} => {
// Get the database login
let de = tx.get_dl(&ns, &db, &id).await?;
let cf = config(Algorithm::Hs512, de.code)?;
// Verify the token
decode::<Claims>(auth, &cf.0, &cf.1)?;
// Set the session
session.ns = Some(ns.to_owned());
session.db = Some(db.to_owned());
session.au = Arc::new(Auth::Db(ns, db));
return Ok(session);
}
// Check if this is namespace token authentication
Claims {
ns: Some(ns),
tk: Some(tk),
..
} => {
// Get the namespace token
let de = tx.get_nt(&ns, &tk).await?;
let cf = config(de.kind, de.code)?;
// Verify the token
decode::<Claims>(auth, &cf.0, &cf.1)?;
// Set the session
session.ns = Some(ns.to_owned());
session.au = Arc::new(Auth::Ns(ns));
return Ok(session);
}
// Check if this is namespace authentication
Claims {
ns: Some(ns),
id: Some(id),
..
} => {
// Get the namespace login
let de = tx.get_nl(&ns, &id).await?;
let cf = config(Algorithm::Hs512, de.code)?;
// Verify the token
decode::<Claims>(auth, &cf.0, &cf.1)?;
// Set the session
session.ns = Some(ns.to_owned());
session.au = Arc::new(Auth::Ns(ns));
return Ok(session);
}
// There was an auth error
_ => return Err(Error::InvalidAuth),
};
}
// There was an auth error
Err(Error::InvalidAuth)
}

View file

@ -1,7 +1,7 @@
use crate::err::Error;
use crate::net::conf;
use crate::net::head;
use crate::net::output;
use crate::net::session;
use crate::net::DB;
use bytes::Bytes;
use futures::{FutureExt, StreamExt};
@ -18,7 +18,7 @@ pub fn config() -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejecti
// Set post method
let post = base
.and(warp::post())
.and(conf::build())
.and(session::build())
.and(warp::header::<String>(http::header::CONTENT_TYPE.as_str()))
.and(warp::body::content_length_limit(MAX))
.and(warp::body::bytes())