From f06288f156ccb8f9ebf35782a179bf57e6bc8fc2 Mon Sep 17 00:00:00 2001 From: rtkay123 Date: Fri, 10 Apr 2026 23:48:24 +0200 Subject: feat(auth): get user --- crates/api-auth/Cargo.toml | 1 + crates/api-auth/src/client.rs | 58 ++++++++++++++++ crates/api-auth/src/discord/mod.rs | 77 ++++++++++++++++++++-- crates/api-auth/src/error.rs | 7 ++ crates/api-auth/src/lib.rs | 10 ++- crates/api-core/src/models/user.rs | 3 + crates/sellershut/Cargo.toml | 4 +- crates/sellershut/src/config/auth/discord.rs | 15 +++-- crates/sellershut/src/main.rs | 1 + .../src/server/api/routes/auth/authorised.rs | 64 ++++++++++++++++++ .../sellershut/src/server/api/routes/auth/mod.rs | 6 +- crates/sellershut/src/state/mod.rs | 3 +- 12 files changed, 230 insertions(+), 19 deletions(-) create mode 100644 crates/api-auth/src/client.rs (limited to 'crates') diff --git a/crates/api-auth/Cargo.toml b/crates/api-auth/Cargo.toml index 5ce0647..518762b 100644 --- a/crates/api-auth/Cargo.toml +++ b/crates/api-auth/Cargo.toml @@ -12,6 +12,7 @@ api-core = { workspace = true, features = ["auth", "users"] } async-trait.workspace = true oauth2 = "5.0.0" redis.workspace = true +reqwest = { workspace = true, features = ["json"] } secrecy.workspace = true serde.workspace = true sh-util = { workspace = true, optional = true } diff --git a/crates/api-auth/src/client.rs b/crates/api-auth/src/client.rs new file mode 100644 index 0000000..d696162 --- /dev/null +++ b/crates/api-auth/src/client.rs @@ -0,0 +1,58 @@ +use std::pin::Pin; +use std::{future::Future, ops::Deref}; + +#[cfg(not(target_arch = "wasm32"))] +use oauth2::HttpResponse; +use oauth2::{AsyncHttpClient, HttpClientError, HttpRequest, http}; + +#[derive(Clone)] +pub struct AuthHttpClient(reqwest::Client); + +impl Deref for AuthHttpClient { + type Target = reqwest::Client; + + fn deref(&self) -> &Self::Target { + &self.0 + } +} + +impl From for AuthHttpClient { + fn from(value: reqwest::Client) -> Self { + Self(value) + } +} + +impl<'c> AsyncHttpClient<'c> for AuthHttpClient { + type Error = HttpClientError; + + #[cfg(target_arch = "wasm32")] + type Future = Pin> + 'c>>; + #[cfg(not(target_arch = "wasm32"))] + type Future = + Pin> + Send + Sync + 'c>>; + + fn call(&'c self, request: HttpRequest) -> Self::Future { + Box::pin(async move { + let response = self + .0 + .execute(request.try_into().map_err(Box::new)?) + .await + .map_err(Box::new)?; + + let mut builder = http::Response::builder().status(response.status()); + + #[cfg(not(target_arch = "wasm32"))] + { + builder = builder.version(response.version()); + } + + for (name, value) in response.headers().iter() { + builder = builder.header(name, value); + } + + builder + .body(response.bytes().await.map_err(Box::new)?.to_vec()) + .map_err(HttpClientError::Http) + }) + } +} diff --git a/crates/api-auth/src/discord/mod.rs b/crates/api-auth/src/discord/mod.rs index 1a7d47d..0844f58 100644 --- a/crates/api-auth/src/discord/mod.rs +++ b/crates/api-auth/src/discord/mod.rs @@ -1,12 +1,31 @@ use api_core::models::user::User; use async_session::{Session, serde_json}; use async_trait::async_trait; -use oauth2::{CsrfToken, Scope}; +use oauth2::{AuthorizationCode, CsrfToken, Scope, TokenResponse}; use redis::AsyncCommands; +use serde::{Deserialize, Serialize}; use sh_util::cache::{CacheKey, RedisManager}; use sqlx::PgPool; -use crate::{BasicClient, CSRF_TOKEN, OauthDriver, SessionResponse, error::AuthError}; +use crate::{ + BasicClient, CSRF_TOKEN, OauthDriver, SessionResponse, client::AuthHttpClient, error::AuthError, +}; + +// The user data we'll get back from Discord. +// https://discord.com/developers/docs/resources/user#user-object-user-structure +#[derive(Debug, Serialize, Deserialize)] +struct DiscordUser { + id: String, + avatar: Option, + username: String, + discriminator: String, +} + +impl From for User { + fn from(value: DiscordUser) -> Self { + todo!() + } +} #[derive(Clone)] pub struct AuthServiceDiscord { @@ -27,11 +46,57 @@ impl AuthServiceDiscord { #[async_trait] impl OauthDriver for AuthServiceDiscord { - async fn get_auth_token(&self) -> Result { - todo!() + async fn get_user(&self, client: &AuthHttpClient, code: &str) -> Result { + // Get an auth token + let token = self + .client + .exchange_code(AuthorizationCode::new(code.to_owned())) + .request_async(client) + .await + .unwrap(); + // Fetch user data from discord + let user_data: DiscordUser = client + // https://discord.com/developers/docs/resources/user#get-current-user + .get("https://discordapp.com/api/users/@me") + .bearer_auth(token.access_token().secret()) + .send() + .await + .unwrap() + .json::() + .await + .unwrap(); + + Ok(user_data.into()) } - async fn get_user(&self) -> Result { - todo!() + async fn validate_session(&self, cookie: &str, state: &str) -> Result<(), AuthError> { + let id = Session::id_from_cookie_value(cookie)?; + let cache_key = CacheKey::Session(&id); + let mut cache = self.cache.get().await.unwrap(); + let session = cache.get::<_, String>(&cache_key).await?; + let session: Session = + serde_json::from_str(&session).map_err(|_e| AuthError::InvalidSession)?; + + match session.validate() { + Some(session) => { + // Extract the CSRF token from the session + let stored_csrf_token = session.get::(CSRF_TOKEN); + + if let Some(stored) = stored_csrf_token { + // Cleanup the CSRF token session + cache.del::<_, ()>(cache_key).await?; + + // Validate CSRF token is the same as the one in the auth request + if *stored.secret() != state { + return Err(AuthError::TokenMismatch); + } else { + return Ok(()); + } + } else { + return Err(AuthError::NoCSRFToken); + } + } + None => return Err(AuthError::MissingSession), + } } async fn create_oauth_session(&self) -> Result { let (auth_url, csrf_token) = self diff --git a/crates/api-auth/src/error.rs b/crates/api-auth/src/error.rs index 72a7fba..2db3281 100644 --- a/crates/api-auth/src/error.rs +++ b/crates/api-auth/src/error.rs @@ -1,3 +1,4 @@ +use async_session::base64; use thiserror::Error; #[derive(Debug, Error)] @@ -28,4 +29,10 @@ pub enum AuthError { MissingSession, #[error("invalid session")] InvalidSession, + #[error("invalid session")] + CorruptedCookie(#[from] base64::DecodeError), + #[error("CSRF token mismatch")] + TokenMismatch, + #[error("CSRF token missing")] + NoCSRFToken, } diff --git a/crates/api-auth/src/lib.rs b/crates/api-auth/src/lib.rs index 85fdb01..815b170 100644 --- a/crates/api-auth/src/lib.rs +++ b/crates/api-auth/src/lib.rs @@ -1,6 +1,8 @@ #[cfg(feature = "discord")] pub mod discord; +pub mod client; + mod error; use api_core::auth::AuthClientConfig; use api_core::models::user::User; @@ -21,8 +23,12 @@ pub struct BasicClient(C); #[async_trait::async_trait] pub trait OauthDriver: Send + Sync { - async fn get_auth_token(&self) -> Result; - async fn get_user(&self) -> Result; + async fn get_user( + &self, + client: &client::AuthHttpClient, + code: &str, + ) -> Result; + async fn validate_session(&self, cookie: &str, state: &str) -> Result<(), AuthError>; async fn create_oauth_session(&self) -> Result; async fn save_session(&self, user: &User) -> Result<(), AuthError>; } diff --git a/crates/api-core/src/models/user.rs b/crates/api-core/src/models/user.rs index e6ad9f0..7b70234 100644 --- a/crates/api-core/src/models/user.rs +++ b/crates/api-core/src/models/user.rs @@ -1 +1,4 @@ +use serde::Deserialize; + +#[derive(Deserialize)] pub struct User {} diff --git a/crates/sellershut/Cargo.toml b/crates/sellershut/Cargo.toml index df619f8..1151373 100644 --- a/crates/sellershut/Cargo.toml +++ b/crates/sellershut/Cargo.toml @@ -13,8 +13,10 @@ anyhow = "1.0.102" api-auth = { path = "../api-auth", features = ["discord", "utoipa"] } api-core = { workspace = true, features = ["auth-discord", "utoipa"] } axum = { version = "0.8.8", features = ["macros"] } +axum-extra = { version = "0.12.5", features = ["typed-header"] } bon = "3.9.1" clap = { version = "4.6.0", features = ["derive", "env"] } +reqwest.workspace = true secrecy = { workspace = true, features = ["serde"] } serde = { workspace = true, features = ["derive"] } serde_json.workspace = true @@ -37,7 +39,7 @@ utoipa-swagger-ui = { version = "9.0.2", features = ["axum"], optional = true } tower = { workspace = true, features = ["util"] } [features] -default = ["auth-discord"] +default = ["auth-discord", "scalar"] auth-discord = [] swagger = ["dep:utoipa-swagger-ui"] redoc = ["dep:utoipa-redoc"] diff --git a/crates/sellershut/src/config/auth/discord.rs b/crates/sellershut/src/config/auth/discord.rs index 24ad711..cfbca91 100644 --- a/crates/sellershut/src/config/auth/discord.rs +++ b/crates/sellershut/src/config/auth/discord.rs @@ -15,11 +15,11 @@ pub struct DiscordClientConfig { pub discord_client_secret: Option, /// Redirect URI registered with Discord OAuth. - #[arg(long, env = "HUT_DISCORD_REDIRECT_URI")] + #[arg(long, env = "HUT_DISCORD_REDIRECT_URL")] pub discord_redirect_uri: Option, /// Discord token endpoint URI. - #[arg(long, env = "HUT_DISCORD_TOKEN_URI")] + #[arg(long, env = "HUT_DISCORD_TOKEN_URL")] pub discord_token_uri: Option, /// Discord authorization URL. @@ -42,10 +42,9 @@ impl DiscordClientConfig { Self { discord_client_id: self.discord_client_id, discord_client_secret: self.discord_client_secret, - discord_redirect_uri: Some( - self.discord_redirect_uri - .unwrap_or_else(|| "http://localhost:2210/auth/discord/callback".to_string()), - ), + discord_redirect_uri: Some(self.discord_redirect_uri.unwrap_or_else(|| { + "http://localhost:2210/api/auth/discord/authorised".to_string() + })), discord_token_uri: Some( self.discord_token_uri .unwrap_or_else(|| "https://discord.com/api/oauth2/token".to_string()), @@ -61,7 +60,9 @@ impl DiscordClientConfig { Self { discord_client_id: None, discord_client_secret: None, - discord_redirect_uri: Some("http://localhost:2210/auth/discord/callback".to_string()), + discord_redirect_uri: Some( + "http://localhost:2210/api/auth/discord/authorised".to_string(), + ), discord_token_uri: Some("https://discord.com/api/oauth2/token".to_string()), discord_auth_url: Some("https://discord.com/api/oauth2/authorize".to_string()), } diff --git a/crates/sellershut/src/main.rs b/crates/sellershut/src/main.rs index a46cf3e..25ee315 100644 --- a/crates/sellershut/src/main.rs +++ b/crates/sellershut/src/main.rs @@ -50,6 +50,7 @@ async fn main() -> Result<()> { .log_handle(log_handle) .base_service(Arc::new(BaseService)) .auth_clients(auth_clients) + .http_client(reqwest::Client::new().into()) .build(); let addr = SocketAddr::from(( diff --git a/crates/sellershut/src/server/api/routes/auth/authorised.rs b/crates/sellershut/src/server/api/routes/auth/authorised.rs index 8b13789..94eaeca 100644 --- a/crates/sellershut/src/server/api/routes/auth/authorised.rs +++ b/crates/sellershut/src/server/api/routes/auth/authorised.rs @@ -1 +1,65 @@ +use anyhow::Context; +use api_core::auth::provider::OauthProvider; +use axum::{ + extract::{Path, Query, State}, + response::IntoResponse, +}; +use axum_extra::{TypedHeader, headers}; +use serde::Deserialize; +use utoipa::{IntoParams, ToSchema}; +use crate::{server::api::error::AppError, state::AppState}; + +#[derive(Debug, Deserialize, IntoParams, ToSchema)] +#[allow(dead_code)] +pub struct AuthRequest { + pub code: String, + pub state: String, +} + +#[derive(Debug, Deserialize, IntoParams, ToSchema)] +#[allow(dead_code)] +pub struct Params { + provider: OauthProvider, +} + +/// Authorised callback +#[utoipa::path( + get, + responses( + ( + status = 200, + description = "Application authorised", + headers( + ("x-request-id", description = "Request identifier"), + ("set-cookie", description = "Oauth session cookie") + ) + ), + ), + operation_id = "authorised", // https://github.com/juhaku/utoipa/issues/1170 + path = "/auth/{provider}/authorised", + tag = super::AUTH, + params(AuthRequest, Params) +)] +pub async fn authorised( + Query(params): Query, + State(state): State, + Path(provider): Path, + TypedHeader(cookies): TypedHeader, +) -> Result { + let cookie = cookies + .get(super::COOKIE_NAME) + .context("unexpected error getting cookie name")? + .to_string(); + + let client = state + .auth_clients + .get(&provider) + .context("missing oauth driver")?; + + client.validate_session(&cookie, ¶ms.state).await?; + + let user = client.get_user(&state.http_client, ¶ms.code).await?; + + Ok(String::default()) +} diff --git a/crates/sellershut/src/server/api/routes/auth/mod.rs b/crates/sellershut/src/server/api/routes/auth/mod.rs index 7414b77..340525e 100644 --- a/crates/sellershut/src/server/api/routes/auth/mod.rs +++ b/crates/sellershut/src/server/api/routes/auth/mod.rs @@ -17,7 +17,7 @@ const AUTH: &str = "Authentication"; static COOKIE_NAME: &str = "SESSION"; #[derive(OpenApi)] -#[openapi(tags((name = AUTH, description = "Transaction monitoring endpoints")),components(schemas(OauthProvider))) ] +#[openapi(tags((name = AUTH, description = "Auth endpoints")),components(schemas(OauthProvider))) ] pub struct AuthDoc; /// Oauth provider @@ -30,7 +30,9 @@ pub fn router(store: AppState) -> OpenApiRouter { let router = OpenApiRouter::new(); #[cfg(feature = "auth-discord")] - let router = router.routes(utoipa_axum::routes!(auth)); + let router = router + .routes(utoipa_axum::routes!(auth)) + .routes(utoipa_axum::routes!(authorised::authorised)); router.with_state(store) } diff --git a/crates/sellershut/src/state/mod.rs b/crates/sellershut/src/state/mod.rs index 821d4eb..1febc6a 100644 --- a/crates/sellershut/src/state/mod.rs +++ b/crates/sellershut/src/state/mod.rs @@ -1,6 +1,6 @@ use std::{collections::HashMap, sync::Arc}; -use api_auth::OauthDriver; +use api_auth::{OauthDriver, client::AuthHttpClient}; use api_core::{auth::provider::OauthProvider, health::HealthDriver}; use bon::Builder; use sqlx::PgPool; @@ -12,6 +12,7 @@ pub struct AppState { pub base_service: Arc, pub log_handle: LogHandle, pub auth_clients: HashMap>, + pub http_client: AuthHttpClient, } pub async fn postgres(config: &str, pool_size: u32) -> anyhow::Result { -- cgit v1.2.3