BasicOIDC/src/middlewares/auth_middleware.rs

//! # Authentication middleware

use std::future::{Future, ready, Ready};
use std::pin::Pin;
use std::rc::Rc;

use actix_identity::RequestIdentity;
use actix_web::{dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform}, Error, HttpResponse};
use actix_web::body::EitherBody;
use askama::Template;

use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES};
use crate::controllers::base_controller::redirect_user_for_login;
use crate::data::session_identity::{SessionIdentity, SessionIdentityData};

// There are two steps in middleware processing.
// 1. Middleware initialization, middleware factory gets called with
//    next service in chain as parameter.
// 2. Middleware's call method gets called with normal request.
pub struct AuthMiddleware;

// Middleware factory is `Transform` trait
// `S` - type of the next service
// `B` - type of response's body
impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
    where
        S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static,
        S::Future: 'static,
        B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;
    type Transform = AuthInnerMiddleware<S>;
    type InitError = ();
    type Future = Ready<Result<Self::Transform, Self::InitError>>;

    fn new_transform(&self, service: S) -> Self::Future {
        ready(Ok(AuthInnerMiddleware { service: Rc::new(service) }))
    }
}

#[derive(Debug)]
enum SessionStatus {
    SignedOut,
    RegularUser,
    Admin,
}

impl SessionStatus {
    pub fn is_auth(&self) -> bool {
        !matches!(self, SessionStatus::SignedOut)
    }

    pub fn is_admin(&self) -> bool {
        matches!(self, SessionStatus::Admin)
    }
}

#[derive(Template)]
#[template(path = "access_denied.html")]
struct AccessDeniedTemplate {}

pub struct AuthInnerMiddleware<S> {
    service: Rc<S>,
}

impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
    where
        S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static,
        S::Future: 'static,
        B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;

    #[allow(clippy::type_complexity)]
    type Future = Pin<Box<dyn Future<Output=Result<Self::Response, Self::Error>>>>;

    forward_ready!(service);

    fn call(&self, req: ServiceRequest) -> Self::Future {
        let service = Rc::clone(&self.service);

        // Forward request
        Box::pin(async move {
            if req.path().starts_with("/.git") {
                return Ok(req.into_response(
                    HttpResponse::Unauthorized()
                        .body("Hey don't touch this!")
                        .map_into_right_body()
                ));
            }

            let identity = match SessionIdentity::deserialize_session_data(req.get_identity()) {
                None => SessionStatus::SignedOut,
                Some(SessionIdentityData { is_admin: true, .. }) => SessionStatus::Admin,
                _ => SessionStatus::RegularUser,
            };

            // Redirect user to login page
            if !identity.is_auth() && (req.path().starts_with(ADMIN_ROUTES) ||
                req.path().starts_with(AUTHENTICATED_ROUTES)) {
                let path = req.path().to_string();
                return Ok(req.into_response(redirect_user_for_login(path))
                    .map_into_right_body());
            }

            // Restrict access to admin pages
            if !identity.is_admin() && req.path().starts_with(ADMIN_ROUTES) {
                return Ok(req.into_response(HttpResponse::Unauthorized()
                    .body(AccessDeniedTemplate {}.render().unwrap()))
                    .map_into_right_body());
            }

            service
                .call(req)
                .await
                .map(ServiceResponse::map_into_left_body)
        })
    }
}