/* This file is part of jellything (https://codeberg.org/metamuffin/jellything) which is licensed under the GNU Affero General Public License (version 3); see /COPYING. Copyright (C) 2023 metamuffin */ pub mod session; pub mod settings; use super::{error::MyError, layout::LayoutPage}; use crate::{ database::Database, routes::ui::{error::MyResult, home::rocket_uri_macro_r_home, layout::DynLayoutPage}, uri, }; use anyhow::anyhow; use argon2::{password_hash::Salt, Argon2, PasswordHasher}; use chrono::Duration; use jellybase::CONF; use jellycommon::user::{PermissionSet, User}; use rocket::{ form::{Contextual, Form}, get, http::{Cookie, CookieJar}, post, response::Redirect, FromForm, State, }; use serde::{Deserialize, Serialize}; #[derive(FromForm)] pub struct RegisterForm { #[field(validate = len(8..128))] pub invitation: String, #[field(validate = len(4..32))] pub username: String, #[field(validate = len(4..64))] pub password: String, } #[get("/account/register")] pub async fn r_account_register() -> DynLayoutPage<'static> { LayoutPage { title: "Register".to_string(), content: markup::new! { form.account[method="POST", action=""] { h1 { "Register" } label[for="inp-invitation"] { "Invite Code" } input[type="text", id="inp-invitation", name="invitation"]; br; label[for="inp-username"] { "Username" } input[type="text", id="inp-username", name="username"]; br; label[for="inp-password"] { "Password" } input[type="password", id="inp-password", name="password"]; br; input[type="submit", value="Register now!"]; p { "Already have an account? " a[href=uri!(r_account_login())] { "Login here" } } } }, ..Default::default() } } #[derive(FromForm, Serialize, Deserialize)] pub struct LoginForm { #[field(validate = len(4..32))] pub username: String, #[field(validate = len(..64))] pub password: String, #[field(default = 604800)] // one week pub expire: u64, } #[get("/account/login")] pub fn r_account_login() -> DynLayoutPage<'static> { LayoutPage { title: "Login".to_string(), content: markup::new! { form.account[method="POST", action=""] { h1 { "Login" } label[for="inp-username"] { "Username" } input[type="text", id="inp-username", name="username"]; br; label[for="inp-password"] { "Password" } input[type="password", id="inp-password", name="password"]; br; input[type="submit", value="Login"]; p { "While logged in, a cookie will be used to identify you." } p { "Don't have an account yet? " a[href=uri!(r_account_register())] { "Register here" } } } }, ..Default::default() } } #[get("/account/logout")] pub fn r_account_logout() -> DynLayoutPage<'static> { LayoutPage { title: "Log out".to_string(), content: markup::new! { form.account[method="POST", action=""] { h1 { "Log out" } input[type="submit", value="Log out."]; } }, ..Default::default() } } #[post("/account/register", data = "
")] pub fn r_account_register_post<'a>( database: &'a State, form: Form>, ) -> MyResult> { let form = match &form.value { Some(v) => v, None => return Err(format_form_error(form)), }; if database.invite.remove(&form.invitation).unwrap().is_none() { return Err(MyError(anyhow!("invitation invalid"))); } match database .user .compare_and_swap( &form.username, None, Some(&User { display_name: form.username.clone(), name: form.username.clone(), password: hash_password(&form.username, &form.password), admin: false, permissions: PermissionSet::default(), }), ) .unwrap() { Ok(_) => Ok(LayoutPage { title: "Registration successful".to_string(), content: markup::new! { h1 { "Registration successful, you may log in now." } }, ..Default::default() }), Err(_) => Err(MyError(anyhow!("username is taken"))), } } #[post("/account/login", data = "")] pub fn r_account_login_post( database: &State, jar: &CookieJar, form: Form>, ) -> MyResult { let form = match &form.value { Some(v) => v, None => return Err(format_form_error(form)), }; jar.add( Cookie::build( "session", login_logic(database, &form.username, &form.password)?, ) .permanent() .finish(), ); Ok(Redirect::found(rocket::uri!(r_home()))) } #[post("/account/logout")] pub fn r_account_logout_post(jar: &CookieJar) -> MyResult { jar.remove_private(Cookie::named("session")); Ok(Redirect::found(rocket::uri!(r_home()))) } pub fn login_logic(database: &Database, username: &str, password: &str) -> MyResult { // hashing the password regardless if the accounts exists to prevent timing attacks let password = hash_password(username, password); let user = database .user .get(&username.to_string())? .ok_or(anyhow!("invalid password"))?; if user.password != password { Err(anyhow!("invalid password"))? } Ok(session::token::create( &user, Duration::days(CONF.login_expire), )) } pub fn format_form_error(form: Form>) -> MyError { let mut k = String::from("form validation failed:"); for e in form.context.errors() { k += &format!( "\n\t{}: {e}", e.name .as_ref() .map(|e| e.to_string()) .unwrap_or("".to_string()) ) } MyError(anyhow!(k)) } pub fn hash_password(username: &str, password: &str) -> Vec { Argon2::default() .hash_password( format!("{username}\0{password}").as_bytes(), <&str as TryInto>::try_into("IYMa13osbNeLJKnQ1T8LlA").unwrap(), ) .unwrap() .hash .unwrap() .as_bytes() .to_vec() }