From dbb8c1c2f0035ea41224dec319a996b89e13ec84 Mon Sep 17 00:00:00 2001 From: metamuffin Date: Tue, 1 Aug 2023 14:46:14 +0200 Subject: new session based login --- server/src/main.rs | 2 + server/src/routes/ui/account/mod.rs | 10 +-- server/src/routes/ui/account/session.rs | 92 --------------------------- server/src/routes/ui/account/session/guard.rs | 70 ++++++++++++++++++++ server/src/routes/ui/account/session/mod.rs | 17 +++++ server/src/routes/ui/account/session/token.rs | 72 +++++++++++++++++++++ server/src/routes/ui/style/transition.js | 1 + 7 files changed, 167 insertions(+), 97 deletions(-) delete mode 100644 server/src/routes/ui/account/session.rs create mode 100644 server/src/routes/ui/account/session/guard.rs create mode 100644 server/src/routes/ui/account/session/mod.rs create mode 100644 server/src/routes/ui/account/session/token.rs (limited to 'server/src') diff --git a/server/src/main.rs b/server/src/main.rs index a9a22cf..eba9532 100644 --- a/server/src/main.rs +++ b/server/src/main.rs @@ -3,6 +3,8 @@ which is licensed under the GNU Affero General Public License (version 3); see /COPYING. Copyright (C) 2023 metamuffin */ +#![feature(lazy_cell)] + use config::{load_global_config, GlobalConfig}; use database::Database; use jellyremuxer::RemuxerContext; diff --git a/server/src/routes/ui/account/mod.rs b/server/src/routes/ui/account/mod.rs index 0e4e0cc..79fa652 100644 --- a/server/src/routes/ui/account/mod.rs +++ b/server/src/routes/ui/account/mod.rs @@ -7,7 +7,6 @@ pub mod admin; pub mod session; pub mod settings; -use self::session::SessionCookie; use super::{error::MyError, layout::LayoutPage}; use crate::{ database::{Database, User}, @@ -16,6 +15,7 @@ use crate::{ }; use anyhow::anyhow; use argon2::{password_hash::Salt, Argon2, PasswordHasher}; +use chrono::Duration; use rocket::{ form::{Contextual, Form}, get, @@ -159,7 +159,7 @@ pub fn r_account_login_post( #[post("/account/logout")] pub fn r_account_logout_post(jar: &CookieJar) -> MyResult { - jar.remove_private(Cookie::named("user")); + jar.remove_private(Cookie::named("session")); Ok(Redirect::found(uri!(r_home()))) } @@ -181,10 +181,10 @@ pub fn login_logic( Err(anyhow!("invalid password"))? } - jar.add_private( + jar.add( Cookie::build( - "user", - serde_json::to_string(&SessionCookie::new(user.name)).unwrap(), + "session", + session::token::create(user.name, Duration::days(CONF.login_expire)), ) .permanent() .finish(), diff --git a/server/src/routes/ui/account/session.rs b/server/src/routes/ui/account/session.rs deleted file mode 100644 index c41c968..0000000 --- a/server/src/routes/ui/account/session.rs +++ /dev/null @@ -1,92 +0,0 @@ -/* - This file is part of jellything (https://codeberg.org/metamuffin/jellything) - which is licensed under the GNU Affero General Public License (version 3); see /COPYING. - Copyright (C) 2023 metamuffin -*/ -use crate::{ - database::{Database, User}, - routes::ui::error::MyError, - CONF, -}; -use anyhow::anyhow; -use chrono::{DateTime, Duration, Utc}; -use rocket::{ - outcome::Outcome, - request::{self, FromRequest}, - Request, State, -}; -use serde::{Deserialize, Serialize}; - -pub struct Session { - pub user: User, -} - -#[derive(Debug, Clone, Serialize, Deserialize)] -pub struct SessionCookie { - name: String, - expire: DateTime, -} - -impl SessionCookie { - pub fn new(name: String) -> Self { - Self { - name, - expire: Utc::now() + Duration::days(CONF.login_expire), - } - } -} - -impl Session { - pub async fn from_request_ut(req: &Request<'_>) -> Result { - #[cfg(not(feature = "bypass-auth"))] - let cookie = req - .cookies() - .get_private("user") - .ok_or(anyhow!("login required"))?; - #[cfg(not(feature = "bypass-auth"))] - let cookie = serde_json::from_str::(cookie.value())?; - #[cfg(feature = "bypass-auth")] - let cookie = SessionCookie { - name: crate::CONF.admin_username.to_string(), - expire: Utc::now() + Duration::days(CONF.login_expire), - }; - - if cookie.expire < Utc::now() { - Err(anyhow!("cookie expired"))?; - } - - let db = req.guard::<&State>().await.unwrap(); - let user = db - .users - .get(&cookie.name.to_string())? - .ok_or(anyhow!("user not found"))?; - - Ok(Session { user }) - } -} - -impl<'r> FromRequest<'r> for Session { - type Error = MyError; - - fn from_request<'life0, 'async_trait>( - request: &'r Request<'life0>, - ) -> core::pin::Pin< - Box< - dyn core::future::Future> - + core::marker::Send - + 'async_trait, - >, - > - where - 'r: 'async_trait, - 'life0: 'async_trait, - Self: 'async_trait, - { - Box::pin(async move { - match Self::from_request_ut(request).await { - Ok(x) => Outcome::Success(x), - Err(_) => Outcome::Forward(()), - } - }) - } -} diff --git a/server/src/routes/ui/account/session/guard.rs b/server/src/routes/ui/account/session/guard.rs new file mode 100644 index 0000000..58dfe01 --- /dev/null +++ b/server/src/routes/ui/account/session/guard.rs @@ -0,0 +1,70 @@ +/* + This file is part of jellything (https://codeberg.org/metamuffin/jellything) + which is licensed under the GNU Affero General Public License (version 3); see /COPYING. + Copyright (C) 2023 metamuffin +*/ +use super::{token, Session}; +use crate::{database::Database, routes::ui::error::MyError}; +use anyhow::anyhow; +use log::warn; +use rocket::{ + outcome::Outcome, + request::{self, FromRequest}, + Request, State, +}; + +impl Session { + pub async fn from_request_ut(req: &Request<'_>) -> Result { + let username; + + #[cfg(not(feature = "bypass-auth"))] + { + let token = req + .query_value("session") + .map(|e| e.expect("str parse should not fail, right?")) + .or(req.cookies().get("session").map(|cookie| cookie.value())) + .ok_or(anyhow!("not logged in"))?; + + username = token::validate(token)?; + }; + + #[cfg(feature = "bypass-auth")] + { + username = "admin".to_string(); + } + + let db = req.guard::<&State>().await.unwrap(); + let user = db.users.get(&username)?.ok_or(anyhow!("user not found"))?; + + Ok(Session { user }) + } +} + +impl<'r> FromRequest<'r> for Session { + type Error = MyError; + + fn from_request<'life0, 'async_trait>( + request: &'r Request<'life0>, + ) -> core::pin::Pin< + Box< + dyn core::future::Future> + + core::marker::Send + + 'async_trait, + >, + > + where + 'r: 'async_trait, + 'life0: 'async_trait, + Self: 'async_trait, + { + Box::pin(async move { + match Self::from_request_ut(request).await { + Ok(x) => Outcome::Success(x), + Err(e) => { + warn!("authentificated route rejected: {e:?}"); + Outcome::Forward(()) + } + } + }) + } +} diff --git a/server/src/routes/ui/account/session/mod.rs b/server/src/routes/ui/account/session/mod.rs new file mode 100644 index 0000000..1546ee7 --- /dev/null +++ b/server/src/routes/ui/account/session/mod.rs @@ -0,0 +1,17 @@ +use chrono::{DateTime, Utc}; +use serde::{Deserialize, Serialize}; + +use crate::database::User; + +pub mod guard; +pub mod token; + +pub struct Session { + pub user: User, +} + +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct SessionData { + username: String, + expire: DateTime, +} diff --git a/server/src/routes/ui/account/session/token.rs b/server/src/routes/ui/account/session/token.rs new file mode 100644 index 0000000..d4546aa --- /dev/null +++ b/server/src/routes/ui/account/session/token.rs @@ -0,0 +1,72 @@ +use super::SessionData; +use aes_gcm_siv::{ + aead::{generic_array::GenericArray, Aead}, + KeyInit, +}; +use anyhow::anyhow; +use base64::Engine; +use chrono::{Duration, Utc}; +use std::sync::LazyLock; + +static SESSION_KEY: LazyLock<[u8; 32]> = LazyLock::new(|| [(); 32].map(|_| rand::random())); + +pub fn create(username: String, expire: Duration) -> String { + let session_data = SessionData { + expire: Utc::now() + expire, + username, + }; + let mut plaintext = + bincode::serde::encode_to_vec(&session_data, bincode::config::standard()).unwrap(); + + while plaintext.len() % 16 == 0 { + plaintext.push(0); + } + + let cipher = aes_gcm_siv::Aes256GcmSiv::new_from_slice(&*SESSION_KEY).unwrap(); + let nonce = [(); 12].map(|_| rand::random()); + eprintln!("SESSION_KEY={SESSION_KEY:?}"); + let mut ciphertext = cipher + .encrypt(&GenericArray::from(nonce), plaintext.as_slice()) + .unwrap(); + ciphertext.extend(nonce); + + base64::engine::general_purpose::STANDARD.encode(&ciphertext) +} + +pub fn validate(token: &str) -> anyhow::Result { + let ciphertext = base64::engine::general_purpose::STANDARD.decode(token)?; + let cipher = aes_gcm_siv::Aes256GcmSiv::new_from_slice(&*SESSION_KEY).unwrap(); + let (ciphertext, nonce) = ciphertext.split_at(ciphertext.len() - 12); + let plaintext = cipher + .decrypt(nonce.into(), ciphertext) + .map_err(|e| anyhow!("decryption failed: {e:?}"))?; + + let (session_data, _): (SessionData, _) = + bincode::serde::decode_from_slice(&plaintext, bincode::config::standard())?; + + if session_data.expire < Utc::now() { + Err(anyhow!("session expired"))? + } + + Ok(session_data.username) +} + +#[test] +fn test() { + let tok = create("blub".to_string(), Duration::days(1)); + validate(&tok).unwrap(); +} + +#[test] +fn test_crypto() { + let nonce = [(); 12].map(|_| rand::random()); + let cipher = aes_gcm_siv::Aes256GcmSiv::new_from_slice(&*SESSION_KEY).unwrap(); + let plaintext = b"testing stuff---"; + let ciphertext = cipher + .encrypt(&GenericArray::from(nonce), plaintext.as_slice()) + .unwrap(); + let plaintext2 = cipher + .decrypt((&nonce).into(), ciphertext.as_slice()) + .unwrap(); + assert_eq!(plaintext, plaintext2.as_slice()); +} diff --git a/server/src/routes/ui/style/transition.js b/server/src/routes/ui/style/transition.js index c125c42..7d39176 100644 --- a/server/src/routes/ui/style/transition.js +++ b/server/src/routes/ui/style/transition.js @@ -36,6 +36,7 @@ function prepare_load(href, back) { let rt = "" try { const r = await r_promise + if (!r.ok) return document.body.innerHTML = "

error

" rt = await r.text() } catch (e) { console.error(e) -- cgit v1.2.3-70-g09d2