server/src/routes/ui/account/session/guard.rs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

/*
    This file is part of jellything (https://codeberg.org/metamuffin/jellything)
    which is licensed under the GNU Affero General Public License (version 3); see /COPYING.
    Copyright (C) 2025 metamuffin <metamuffin.org>
*/
use super::{AdminSession, Session};
use crate::{database::DataAcid, routes::ui::error::MyError};
use anyhow::anyhow;
use jellybase::database::T_USER;
use log::warn;
use rocket::{
    async_trait,
    http::Status,
    outcome::Outcome,
    request::{self, FromRequest},
    Request, State,
};

impl Session {
    pub async fn from_request_ut(req: &Request<'_>) -> Result<Self, MyError> {
        let username;

        #[cfg(not(feature = "bypass-auth"))]
        {
            let token = req
                .query_value("session")
                .map(|e| e.expect("str parse should not fail, right?"))
                .or(req.cookies().get("session").map(|cookie| cookie.value()))
                .ok_or(anyhow!("not logged in"))?;

            username = super::token::validate(token)?;
        };

        #[cfg(feature = "bypass-auth")]
        {
            username = "admin".to_string();
        }

        let db = req.guard::<&State<DataAcid>>().await.unwrap();

        let user = {
            let txn = db.inner.begin_read()?;
            let table = txn.open_table(T_USER)?;
            let user = table
                .get(&*username)?
                .ok_or(anyhow!("user not found"))?
                .value()
                .0;
            drop(table);
            user
        };

        Ok(Session { user })
    }
}

#[async_trait]
impl<'r> FromRequest<'r> for Session {
    type Error = MyError;
    async fn from_request<'life0>(
        request: &'r Request<'life0>,
    ) -> request::Outcome<Self, Self::Error> {
        match Session::from_request_ut(request).await {
            Ok(x) => Outcome::Success(x),
            Err(e) => {
                warn!("authentificated route rejected: {e:?}");
                Outcome::Forward(Status::Unauthorized)
            }
        }
    }
}

#[async_trait]
impl<'r> FromRequest<'r> for AdminSession {
    type Error = MyError;
    async fn from_request<'life0>(
        request: &'r Request<'life0>,
    ) -> request::Outcome<Self, Self::Error> {
        match Session::from_request_ut(request).await {
            Ok(x) => {
                if x.user.admin {
                    Outcome::Success(AdminSession(x))
                } else {
                    Outcome::Error((
                        Status::Unauthorized,
                        MyError(anyhow!("you are not an admin")),
                    ))
                }
            }
            Err(e) => {
                warn!("authentificated route rejected: {e:?}");
                Outcome::Forward(Status::Unauthorized)
            }
        }
    }
}