basic support for user authentication (currently does nothing)

2025-02-01 19:42:25 +01:00 · 2025-02-01 19:42:25 +01:00 · 56064c6259
commit 56064c6259
parent 812eee1a5f
9 changed files with 279 additions and 8 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -241,6 +241,17 @@ version = "1.0.95"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "34ac096ce696dc2fcabef30516bb13c0a68a11d30131d3df6f04711467681b04"

+[[package]]
+name = "async-trait"
+version = "0.1.86"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "644dd749086bf3771a2fbc5f256fdb982d53f011c7d5d560304eafeecebce79d"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "atomic-waker"
 version = "1.1.2"
@ -634,6 +645,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6d6fd624c75e18b3b4c6b9caf42b1afe24437daaee904069137d8bab077be8b8"
 dependencies = [
 "axum-core",
+ "axum-macros",
 "bytes",
 "form_urlencoded",
 "futures-util",
@ -681,6 +693,17 @@ dependencies = [
 "tracing",
 ]

+[[package]]
+name = "axum-macros"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "604fde5e028fea851ce1d8570bbdc034bec850d157f7569d10f347d06808c05c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "backtrace"
 version = "0.3.74"
@ -869,6 +892,17 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6245d59a3e82a7fc217c5828a6692dbc6dfb63a0c8c90495621f7b9d79704a0e"

+[[package]]
+name = "cookie"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.9.4"
@ -1191,6 +1225,7 @@ dependencies = [
 "serde_json",
 "tera",
 "tokio",
+ "tower-sessions",
 "unicode-segmentation",
 "url",
 ]
@ -1204,6 +1239,20 @@ dependencies = [
 "percent-encoding",
 ]

+[[package]]
+name = "futures"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "futures-io",
+ "futures-sink",
+ "futures-task",
+ "futures-util",
+]
+
 [[package]]
 name = "futures-channel"
 version = "0.3.31"
@ -1211,6 +1260,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10"
 dependencies = [
 "futures-core",
+ "futures-sink",
 ]

 [[package]]
@ -1219,6 +1269,23 @@ version = "0.3.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e"

+[[package]]
+name = "futures-io"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "futures-sink"
 version = "0.3.31"
@ -1238,9 +1305,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
 dependencies = [
 "futures-core",
+ "futures-macro",
+ "futures-sink",
 "futures-task",
 "pin-project-lite",
 "pin-utils",
+ "slab",
 ]

 [[package]]
@ -1910,6 +1980,7 @@ checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17"
 dependencies = [
 "autocfg",
 "scopeguard",
+ "serde",
 ]

 [[package]]
@ -3189,6 +3260,22 @@ dependencies = [
 "tracing",
 ]

+[[package]]
+name = "tower-cookies"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "151b5a3e3c45df17466454bb74e9ecedecc955269bdedbf4d150dfa393b55a36"
+dependencies = [
+ "axum-core",
+ "cookie",
+ "futures-util",
+ "http 1.2.0",
+ "parking_lot",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+]
+
 [[package]]
 name = "tower-layer"
 version = "0.3.3"
@ -3201,6 +3288,57 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"

+[[package]]
+name = "tower-sessions"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "43a05911f23e8fae446005fe9b7b97e66d95b6db589dc1c4d59f6a2d4d4927d3"
+dependencies = [
+ "async-trait",
+ "http 1.2.0",
+ "time",
+ "tokio",
+ "tower-cookies",
+ "tower-layer",
+ "tower-service",
+ "tower-sessions-core",
+ "tower-sessions-memory-store",
+ "tracing",
+]
+
+[[package]]
+name = "tower-sessions-core"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce8cce604865576b7751b7a6bc3058f754569a60d689328bb74c52b1d87e355b"
+dependencies = [
+ "async-trait",
+ "axum-core",
+ "base64 0.22.1",
+ "futures",
+ "http 1.2.0",
+ "parking_lot",
+ "rand",
+ "serde",
+ "serde_json",
+ "thiserror 2.0.9",
+ "time",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "tower-sessions-memory-store"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fb05909f2e1420135a831dd5df9f5596d69196d0a64c3499ca474c4bd3d33242"
+dependencies = [
+ "async-trait",
+ "time",
+ "tokio",
+ "tower-sessions-core",
+]
+
 [[package]]
 name = "tracing"
 version = "0.1.41"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -14,7 +14,7 @@ url = "2"
 anyhow = "1"
 serde_json = "1"
 rand = "0.8"
-axum = { version = "0.8", features = ["form"] }
+axum = { version = "0.8", features = ["form", "macros"] }
 tera = "1"
 lazy_static = "1"
 actix-files = "0.6"
@ -24,6 +24,7 @@ include_dir = "0.7"
 aws-config = { version = "1.1.7", features = ["behavior-version-latest"] }
 aws-sdk-s3 = "1.66.0"
 new_mime_guess = "4"
+tower-sessions = "0.14"

 [profile.profiling]
 inherits = "dev"
--- a/README.md
+++ b/README.md
@ -60,3 +60,4 @@ Environment variables read when `STORAGE_BACKEND=s3`:
 - auth: add support for connecting to the forge using oauth?
 - improve error handling? currently the app will panic if writing to the storage
  backend fails. Can we do better?
+- error reporting when the auth token is not working/outdated and background jobs fail 
--- a/model.json
+++ b/model.json
--- a/src/main.rs
+++ b/src/main.rs
@ -3,7 +3,7 @@ use axum::{
    extract::{OriginalUri, Path, Query, State},
    http::{header, StatusCode},
    response::{Html, IntoResponse},
-    routing::get,
+    routing::{get, post},
    Form, Router,
 };
 use forgejo_api::{Auth, Forgejo};
@ -14,6 +14,7 @@ use std::collections::HashMap;
 use std::sync::Arc;
 use std::time::Duration;
 use tera::Tera;
+use tower_sessions::{MemoryStore, Session, SessionManagerLayer};
 use url::Url;

 mod classifier;
@ -21,6 +22,7 @@ mod data;
 mod db;
 mod email;
 mod scrape;
+mod session;
 mod storage;
 mod userdb;
 mod util;
@ -29,6 +31,7 @@ mod workers;
 use data::*;
 use db::Db;
 use email::SmtpConfig;
+use session::AuthenticatedUser;
 use storage::Storage;
 use userdb::{IsSpam, UserDb};
 use util::env_var;
@ -280,9 +283,11 @@ fn approx_score(score: f32) -> ApproxScore {
    }
 }

+#[axum::debug_handler]
 async fn get_index(
    State(data): State<Arc<AppState>>,
    Query(q): Query<SortSetting>,
+    _user: AuthenticatedUser,
    OriginalUri(uri): OriginalUri,
 ) -> Result<Html<String>, AppError> {
    eprintln!("GET {}", uri);
@ -347,8 +352,9 @@ async fn get_index(

 async fn post_classified(
    State(data): State<Arc<AppState>>,
-    Form(form): Form<HashMap<i64, String>>,
+    _user: AuthenticatedUser,
    OriginalUri(uri): OriginalUri,
+    Form(form): Form<HashMap<i64, String>>,
    overwrite: bool,
 ) -> Result<impl IntoResponse, AppError> {
    eprintln!("POST {}", uri);
@ -381,22 +387,25 @@ async fn post_classified(

 async fn post_classified_index(
    data: State<Arc<AppState>>,
+    user: AuthenticatedUser,
    uri: OriginalUri,
    form: Form<HashMap<i64, String>>,
 ) -> impl IntoResponse {
-    post_classified(data, form, uri, false).await
+    post_classified(data, user, uri, form, false).await
 }

 async fn post_classified_edit(
    data: State<Arc<AppState>>,
+    user: AuthenticatedUser,
    uri: OriginalUri,
    form: Form<HashMap<i64, String>>,
 ) -> impl IntoResponse {
-    post_classified(data, form, uri, true).await
+    post_classified(data, user, uri, form, true).await
 }

 async fn get_classified(
    State(data): State<Arc<AppState>>,
+    _user: AuthenticatedUser,
    OriginalUri(uri): OriginalUri,
 ) -> Result<Html<String>, AppError> {
    eprintln!("GET {}", uri);
@ -442,6 +451,41 @@ async fn get_static_(
    }
 }

+async fn get_auth(
+    State(data): State<Arc<AppState>>,
+    OriginalUri(uri): OriginalUri,
+) -> Result<Html<String>, AppError> {
+    eprintln!("GET {}", uri);
+    let mut context = tera::Context::new();
+    context.insert("forge_url", &data.config.forge_url.to_string());
+    let page = TEMPLATES.render("auth.html", &context)?;
+    Ok(Html::from(page))
+}
+
+#[derive(Deserialize)]
+struct AuthForm {
+    token: String,
+}
+
+async fn post_auth(
+    OriginalUri(uri): OriginalUri,
+    session: Session,
+    Form(form): Form<AuthForm>,
+) -> impl IntoResponse {
+    eprintln!("POST {}", uri);
+    session
+        .insert(session::TOKEN_KEY, &form.token)
+        .await
+        .unwrap();
+    (StatusCode::SEE_OTHER, [(header::LOCATION, "/")])
+}
+
+async fn post_logout(OriginalUri(uri): OriginalUri, session: Session) -> impl IntoResponse {
+    eprintln!("POST {}", uri);
+    session.flush().await.unwrap();
+    (StatusCode::SEE_OTHER, [(header::LOCATION, "/auth")])
+}
+
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
    let config = Arc::new(Config::from_env().await?);
@ -491,6 +535,8 @@ async fn main() -> anyhow::Result<()> {

    println!("Listening on http://{}", &config.bind_addr);

+    let session_store = MemoryStore::default();
+    let session_layer = SessionManagerLayer::new(session_store);
    let app = Router::new()
        .route("/", get(get_index).post(post_classified_index))
        .route(
@ -498,7 +544,10 @@ async fn main() -> anyhow::Result<()> {
            get(get_classified).post(post_classified_edit),
        )
        .route("/static/{*filename}", get(get_static_))
-        .with_state(shared_state);
+        .route("/auth", get(get_auth).post(post_auth))
+        .route("/logout", post(post_logout))
+        .with_state(shared_state)
+        .layer(session_layer);

    let webserver = {
        let listener = tokio::net::TcpListener::bind(&config.bind_addr)
--- a/src/session.rs
+++ b/src/session.rs
@ -0,0 +1,46 @@
+use axum::extract::FromRequestParts;
+use axum::http::{header, request::Parts, HeaderMap, HeaderValue, StatusCode};
+use tower_sessions::Session;
+
+#[allow(dead_code)] // TODO: WIP
+pub struct AuthenticatedUser {
+    session: Session,
+    api_token: String,
+}
+
+pub const TOKEN_KEY: &str = "API_TOKEN";
+
+impl<S> FromRequestParts<S> for AuthenticatedUser
+where
+    S: Send + Sync,
+{
+    type Rejection = (StatusCode, HeaderMap, String);
+
+    async fn from_request_parts(req: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+        let session = match Session::from_request_parts(req, state).await {
+            Ok(session) => session,
+            Err((status, body)) => return Err((status, HeaderMap::new(), body.to_string())),
+        };
+
+        let api_token: Option<String> = session.get(TOKEN_KEY).await.unwrap(); // TODO: is it safe to [unwrap] here?
+
+        match api_token {
+            Some(api_token) => Ok(Self { session, api_token }),
+            None => {
+                // Unclear that this case can actually happen, but in doubt,
+                // clear the session and force to re-auth.
+                // It is safe to [unwrap] the result here because we use
+                // [MemoryStore] as the underlying store, on which [delete]
+                // never fails.
+                session.flush().await.unwrap();
+                Err((
+                    StatusCode::SEE_OTHER,
+                    HeaderMap::from_iter(
+                        [(header::LOCATION, HeaderValue::from_static("/auth"))].into_iter(),
+                    ),
+                    "client is not authenticated, redirecting to /auth".to_string(),
+                ))
+            }
+        }
+    }
+}
--- a/static/style.css
+++ b/static/style.css
@ -83,3 +83,14 @@ input.radio-legit:checked + label {
 .score-Low {
    background: #5fd770;
 }
+
+.aslink {
+    display: inline;
+    padding: 0;
+    border: 0;
+    font: inherit;
+    text-decoration: underline;
+    cursor: pointer;
+    background: transparent;
+    color: currentColor;
+}
--- a/templates/auth.html
+++ b/templates/auth.html
@ -0,0 +1,22 @@
+{% extends "base.html" %}
+{% block title %}Authentication{% endblock title %}
+
+{% block content %}
+  <h1>Authentication required</h1>
+
+  <p>
+    To obtain a suitable API token, you must login to Forgejo using an
+    administrator account and go to <a href="{{forge_url}}user/settings/applications">{{forge_url}}user/settings/applications</a>.
+    Then, create an API token with access to all organizations and repos, allowing
+    read and writet access to: "admin", "misc", "organization", "issue", "repository" and "user". Store
+    the resulting token safely (e.g. in your password manager).
+  </p>
+
+  <form method="post">
+  <label for="token">Forgejo API token:</label>
+  <input id="token" name="token" type="password" required/>
+
+  <input type="submit" value="Submit" class="button"/>
+  </form>
+
+{% endblock content %}
--- a/templates/index.html
+++ b/templates/index.html
@ -8,7 +8,10 @@
  </div>

  <div>
-    <a href="/classified">Edit classified users</a>
+    <a href="/classified">Edit classified users</a> |
+    <form action="/logout" method="post" style="display: inline">
+      <button name="logout" value="logout" class="aslink">Log out</button>
+    </form>
  </div>

  <div class="sort-options">