src/modules/auth/mod.rs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

use argon2::PasswordVerifier;
use argon2::{
    password_hash::{Encoding, PasswordHashString},
    Algorithm, Argon2, Params, PasswordHash, Version,
};
use serde::de::MapAccess;
use serde::{
    de::{value, Error, Visitor},
    Deserialize,
};
use std::{collections::HashMap, fmt, fs::read_to_string};

pub mod basic;
pub mod cookie;
pub mod openid;

struct Credentials {
    wrong_user: PasswordHashString,
    hashes: HashMap<String, PasswordHashString>,
}

impl Credentials {
    fn get(&self, username: &str) -> &PasswordHashString {
        self.hashes.get(username).unwrap_or(&self.wrong_user)
    }
    pub fn authentificate(&self, username: &str, password: &str) -> bool {
        let algo = Argon2::new(Algorithm::Argon2id, Version::V0x13, Params::default());
        let hash = self.get(username);
        match hash.algorithm().as_str() {
            "argon2id" => algo
                .verify_password(
                    password.as_bytes(),
                    &PasswordHash::parse(hash.as_str(), hash.encoding()).unwrap(),
                )
                .is_ok(),
            "never" => false,
            _ => false,
        }
    }
}

impl<'de> Deserialize<'de> for Credentials {
    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
    where
        D: serde::Deserializer<'de>,
    {
        struct StringOrMap;
        impl<'de> Visitor<'de> for StringOrMap {
            type Value = HashMap<String, String>;
            fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
                formatter.write_str("credentials map or file path")
            }
            fn visit_str<E>(self, val: &str) -> Result<Self::Value, E>
            where
                E: Error,
            {
                let path = String::deserialize(value::StrDeserializer::new(val))?;
                let c = serde_yml::from_str(&read_to_string(path).map_err(|io| {
                    serde::de::Error::custom(format!("cannot read creds file: {io:?}"))
                })?)
                .map_err(|e| serde::de::Error::custom(format!("cannot parse creds file: {e:?}")))?;
                Ok(c)
            }
            fn visit_map<A>(self, val: A) -> Result<Self::Value, A::Error>
            where
                A: MapAccess<'de>,
            {
                HashMap::deserialize(value::MapAccessDeserializer::new(val))
            }
        }
        let k = deserializer.deserialize_any(StringOrMap)?;
        Ok(Credentials {
            wrong_user: PasswordHashString::parse("$never", Encoding::B64).unwrap(),
            hashes: k
                .into_iter()
                .map(|(k, v)| {
                    let hash = PasswordHash::parse(&v, Encoding::B64)
                        .map_err(|e| {
                            serde::de::Error::custom(format!(
                                "phc string for user {k:?} is invalid: {e:?}"
                            ))
                        })?
                        .serialize();
                    Ok((k, hash))
                })
                .try_collect()?,
        })
    }
}