/* This file is part of jellything (https://codeberg.org/metamuffin/jellything) which is licensed under the GNU Affero General Public License (version 3); see /COPYING. Copyright (C) 2024 metamuffin */ pub mod session; pub mod settings; use super::{error::MyError, layout::LayoutPage}; use crate::{ database::DataAcid, routes::ui::{ account::session::Session, error::MyResult, home::rocket_uri_macro_r_home, layout::DynLayoutPage, }, uri, }; use anyhow::anyhow; use argon2::{password_hash::Salt, Argon2, PasswordHasher}; use chrono::Duration; use jellybase::{ database::{Ser, TableExt, T_INVITE, T_USER}, CONF, }; use jellycommon::user::{PermissionSet, Theme, User, UserPermission}; use rocket::{ form::{Contextual, Form}, get, http::{Cookie, CookieJar}, post, response::Redirect, FromForm, State, }; use serde::{Deserialize, Serialize}; use std::collections::HashSet; #[derive(FromForm)] pub struct RegisterForm { #[field(validate = len(8..128))] pub invitation: String, #[field(validate = len(4..32))] pub username: String, #[field(validate = len(4..64))] pub password: String, } #[get("/account/register")] pub async fn r_account_register() -> DynLayoutPage<'static> { LayoutPage { title: "Register".to_string(), content: markup::new! { form.account[method="POST", action=""] { h1 { "Register" } label[for="inp-invitation"] { "Invite Code" } input[type="text", id="inp-invitation", name="invitation"]; br; label[for="inp-username"] { "Username" } input[type="text", id="inp-username", name="username"]; br; label[for="inp-password"] { "Password" } input[type="password", id="inp-password", name="password"]; br; input[type="submit", value="Register now!"]; p { "Already have an account? " a[href=uri!(r_account_login())] { "Login here" } } } }, ..Default::default() } } #[derive(FromForm, Serialize, Deserialize)] pub struct LoginForm { #[field(validate = len(4..32))] pub username: String, #[field(validate = len(..64))] pub password: String, #[field(default = 604800)] // one week pub expire: u64, } #[get("/account/login")] pub fn r_account_login(sess: Option) -> DynLayoutPage<'static> { let logged_in = sess.is_some(); let title = if logged_in { "Switch Account" } else { "Login" }; LayoutPage { title: title.to_string(), content: markup::new! { form.account[method="POST", action=""] { h1 { @title } label[for="inp-username"] { "Username" } input[type="text", id="inp-username", name="username"]; br; label[for="inp-password"] { "Password" } input[type="password", id="inp-password", name="password"]; br; input[type="submit", value=title]; @if logged_in { p { "Need another account? " a[href=uri!(r_account_register())] { "Register here" } } } else { p { "While logged in, a cookie will be used to identify you." } p { "Don't have an account yet? " a[href=uri!(r_account_register())] { "Register here" } } } } }, ..Default::default() } } #[get("/account/logout")] pub fn r_account_logout() -> DynLayoutPage<'static> { LayoutPage { title: "Log out".to_string(), content: markup::new! { form.account[method="POST", action=""] { h1 { "Log out" } input[type="submit", value="Log out."]; } }, ..Default::default() } } #[post("/account/register", data = "
")] pub fn r_account_register_post<'a>( database: &'a State, _sess: Option, form: Form>, ) -> MyResult> { let logged_in = _sess.is_some(); let form = match &form.value { Some(v) => v, None => return Err(format_form_error(form)), }; let txn = database.begin_write()?; let mut invites = txn.open_table(T_INVITE)?; let mut users = txn.open_table(T_USER)?; if invites.remove(&*form.invitation)?.is_none() { Err(anyhow!("invitation invalid"))?; } let prev_user = users .insert( &*form.username, Ser(User { display_name: form.username.clone(), name: form.username.clone(), password: hash_password(&form.username, &form.password), admin: false, theme: Theme::Dark, permissions: PermissionSet::default(), }), )? .map(|x| x.value().0); if prev_user.is_some() { Err(anyhow!("username taken"))?; } drop(users); drop(invites); txn.commit()?; Ok(LayoutPage { title: "Registration successful".to_string(), content: markup::new! { h1 { @if logged_in { "Registration successful, you may switch account now." } else { "Registration successful, you may log in now." }} }, ..Default::default() }) } #[post("/account/login", data = "")] pub fn r_account_login_post( database: &State, jar: &CookieJar, form: Form>, ) -> MyResult { let form = match &form.value { Some(v) => v, None => return Err(format_form_error(form)), }; jar.add( Cookie::build(( "session", login_logic(database, &form.username, &form.password, None, None)?, )) .permanent() .build(), ); Ok(Redirect::found(rocket::uri!(r_home()))) } #[post("/account/logout")] pub fn r_account_logout_post(jar: &CookieJar) -> MyResult { jar.remove_private(Cookie::build("session")); Ok(Redirect::found(rocket::uri!(r_home()))) } pub fn login_logic( database: &DataAcid, username: &str, password: &str, expire: Option, drop_permissions: Option>, ) -> MyResult { // hashing the password regardless if the accounts exists to prevent timing attacks let password = hash_password(username, password); let mut user = T_USER .get(database, username)? .ok_or(anyhow!("invalid password"))?; if user.password != password { Err(anyhow!("invalid password"))? } if let Some(ep) = drop_permissions { // remove all grant perms that are in `ep` user.permissions .0 .retain(|p, val| if *val { !ep.contains(p) } else { true }) } Ok(session::token::create( user.name, user.permissions, Duration::days(CONF.login_expire.min(expire.unwrap_or(i64::MAX))), )) } pub fn format_form_error(form: Form>) -> MyError { let mut k = String::from("form validation failed:"); for e in form.context.errors() { k += &format!( "\n\t{}: {e}", e.name .as_ref() .map(|e| e.to_string()) .unwrap_or("".to_string()) ) } MyError(anyhow!(k)) } pub fn hash_password(username: &str, password: &str) -> Vec { Argon2::default() .hash_password( format!("{username}\0{password}").as_bytes(), <&str as TryInto>::try_into("IYMa13osbNeLJKnQ1T8LlA").unwrap(), ) .unwrap() .hash .unwrap() .as_bytes() .to_vec() }