Refactor users management
* Shard `src/data/user.rs` into two different files * One for the user data structure (same file) * One for user manipulation (new file: `users_file_entity.rs`) * Isolate password hashing and verification
This commit is contained in:
parent
75d894d648
commit
65d334b947
@ -26,6 +26,10 @@ pub struct GetUserRequest(pub UserID);
|
|||||||
#[derive(Debug)]
|
#[derive(Debug)]
|
||||||
pub struct GetUserResult(pub Option<User>);
|
pub struct GetUserResult(pub Option<User>);
|
||||||
|
|
||||||
|
#[derive(Message)]
|
||||||
|
#[rtype(result = "bool")]
|
||||||
|
pub struct VerifyUserPasswordRequest(pub UserID, pub String);
|
||||||
|
|
||||||
#[derive(Message)]
|
#[derive(Message)]
|
||||||
#[rtype(FindUserByUsernameResult)]
|
#[rtype(FindUserByUsernameResult)]
|
||||||
pub struct FindUserByUsername(pub String);
|
pub struct FindUserByUsername(pub String);
|
||||||
@ -85,7 +89,7 @@ impl Handler<LoginRequest> for UsersActor {
|
|||||||
match self.manager.find_by_username_or_email(&msg.login) {
|
match self.manager.find_by_username_or_email(&msg.login) {
|
||||||
None => MessageResult(LoginResult::AccountNotFound),
|
None => MessageResult(LoginResult::AccountNotFound),
|
||||||
Some(user) => {
|
Some(user) => {
|
||||||
if !user.verify_password(&msg.password) {
|
if !self.manager.verify_user_password(&user.uid, &msg.password) {
|
||||||
return MessageResult(LoginResult::InvalidPassword);
|
return MessageResult(LoginResult::InvalidPassword);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -132,6 +136,14 @@ impl Handler<GetUserRequest> for UsersActor {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
impl Handler<VerifyUserPasswordRequest> for UsersActor {
|
||||||
|
type Result = <VerifyUserPasswordRequest as actix::Message>::Result;
|
||||||
|
|
||||||
|
fn handle(&mut self, msg: VerifyUserPasswordRequest, _ctx: &mut Self::Context) -> Self::Result {
|
||||||
|
self.manager.verify_user_password(&msg.0, &msg.1)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl Handler<FindUserByUsername> for UsersActor {
|
impl Handler<FindUserByUsername> for UsersActor {
|
||||||
type Result = MessageResult<FindUserByUsername>;
|
type Result = MessageResult<FindUserByUsername>;
|
||||||
|
|
||||||
|
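Review bot: `VerifyUserPasswordRequest(pub UserID, pub String)` and its handler carry no documentation, and since the positional fields are a user ID and a plaintext password the message deserves a doc comment such as `/// Check a plaintext password against the stored hash of the user with the given ID; resolves to false when the user does not exist or the hash cannot be verified.` The handler also declares `type Result = <VerifyUserPasswordRequest as actix::Message>::Result;` while the neighbouring handlers use `MessageResult<…>` (e.g. `Handler<FindUserByUsername>`); writing it the same way, or simply `type Result = bool;` to match `#[rtype(result = "bool")]`, keeps the file uniform. In the `LoginRequest` handler the user just returned by `find_by_username_or_email` is looked up a second time by `verify_user_password(&user.uid, …)`, which rescans the store; that is acceptable, but a short comment saying the hash is deliberately re-read from storage rather than taken from the local `user` copy would explain the apparent redundancy. Both handlers start or end outside their hunks.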
@ -11,7 +11,7 @@ use crate::controllers::settings_controller::BaseSettingsPage;
|
|||||||
use crate::data::action_logger::{Action, ActionLogger};
|
use crate::data::action_logger::{Action, ActionLogger};
|
||||||
use crate::data::client::{Client, ClientID, ClientManager};
|
use crate::data::client::{Client, ClientID, ClientManager};
|
||||||
use crate::data::current_user::CurrentUser;
|
use crate::data::current_user::CurrentUser;
|
||||||
use crate::data::user::{hash_password, User, UserID};
|
use crate::data::user::{User, UserID};
|
||||||
use crate::utils::string_utils::rand_str;
|
use crate::utils::string_utils::rand_str;
|
||||||
|
|
||||||
#[derive(Template)]
|
#[derive(Template)]
|
||||||
@ -111,19 +111,6 @@ pub async fn users_route(
|
|||||||
_ => Some(Vec::new()),
|
_ => Some(Vec::new()),
|
||||||
};
|
};
|
||||||
|
|
||||||
let new_password = match update.0.gen_new_password.is_some() {
|
|
||||||
false => None,
|
|
||||||
true => {
|
|
||||||
logger.log(Action::AdminResetUserPassword(&user));
|
|
||||||
|
|
||||||
let temp_pass = rand_str(TEMPORARY_PASSWORDS_LEN);
|
|
||||||
user.password = hash_password(&temp_pass).expect("Failed to hash password");
|
|
||||||
user.need_reset_password = true;
|
|
||||||
user.last_successful_2fa = Default::default();
|
|
||||||
Some(temp_pass)
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
if update.0.clear_2fa_history.is_some() {
|
if update.0.clear_2fa_history.is_some() {
|
||||||
logger.log(Action::AdminClear2FAHistory(&user));
|
logger.log(Action::AdminClear2FAHistory(&user));
|
||||||
user.last_successful_2fa = Default::default();
|
user.last_successful_2fa = Default::default();
|
||||||
@ -134,6 +121,25 @@ pub async fn users_route(
|
|||||||
.await
|
.await
|
||||||
.unwrap();
|
.unwrap();
|
||||||
|
|
||||||
|
let new_password = match update.0.gen_new_password.is_some() {
|
||||||
|
false => None,
|
||||||
|
true => {
|
||||||
|
logger.log(Action::AdminResetUserPassword(&user));
|
||||||
|
|
||||||
|
let temp_pass = rand_str(TEMPORARY_PASSWORDS_LEN);
|
||||||
|
users
|
||||||
|
.send(users_actor::ChangePasswordRequest {
|
||||||
|
user_id: user.uid.clone(),
|
||||||
|
new_password: temp_pass.clone(),
|
||||||
|
temporary: true,
|
||||||
|
})
|
||||||
|
.await
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
|
Some(temp_pass)
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
if !res {
|
if !res {
|
||||||
danger = Some(
|
danger = Some(
|
||||||
match is_creating {
|
match is_creating {
|
||||||
|
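Review bot: The value returned by the `ChangePasswordRequest` send is discarded at `.await .unwrap();`, so when the change fails the generated `temp_pass` is still returned as `Some(temp_pass)` and presumably displayed, although the stored hash was never replaced; `change_user_password` in `users_file_entity.rs` returns `false` both when hashing fails and when the entry cannot be replaced, and if the handler forwards that bool (its definition is not in this diff) the route should bind it, e.g. `let changed = users.send(…).await.unwrap();`, and only produce `Some(temp_pass)` when `changed` is true, setting `danger` otherwise. Separately, the removed block also cleared `user.last_successful_2fa` on an admin reset, whereas `change_user_password` only resets `two_factor_exemption_after_successful_login`, so the per-IP second-factor exemption history now survives an admin-forced reset unless `clear_2fa_history` is requested as well; if that is unintended, add `user.last_successful_2fa = Default::default();` to the closure in `change_user_password`. `users_route` starts and ends outside the hunk.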
@ -103,7 +103,14 @@ pub async fn change_password_route(
|
|||||||
);
|
);
|
||||||
} else if let Some(req) = req {
|
} else if let Some(req) = req {
|
||||||
// Invalid password
|
// Invalid password
|
||||||
if !user.verify_password(&req.old_pass) {
|
if !users
|
||||||
|
.send(users_actor::VerifyUserPasswordRequest(
|
||||||
|
user.uid.clone(),
|
||||||
|
req.old_pass.clone(),
|
||||||
|
))
|
||||||
|
.await
|
||||||
|
.unwrap()
|
||||||
|
{
|
||||||
danger = Some("Old password is invalid!".to_string());
|
danger = Some("Old password is invalid!".to_string());
|
||||||
bruteforce
|
bruteforce
|
||||||
.send(bruteforce_actor::RecordFailedAttempt {
|
.send(bruteforce_actor::RecordFailedAttempt {
|
||||||
|
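Review bot: The eight-line actor call inside `if !users.send(…).await.unwrap() {` buries the condition being tested; binding it first reads better and keeps the failure branch next to the check: `let old_pass_ok = users.send(users_actor::VerifyUserPasswordRequest(user.uid.clone(), req.old_pass.clone())).await.unwrap();` followed by `if !old_pass_ok {`. Note that the request resolves to `false` both for a wrong password and when the user ID is no longer found (see `verify_user_password` in `users_file_entity.rs`), so a removed account also records a failed attempt with the bruteforce actor here; probably acceptable, but worth a one-line comment above the check. `change_password_route` starts and ends outside the hunk.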
@ -15,4 +15,5 @@ pub mod remote_ip;
|
|||||||
pub mod session_identity;
|
pub mod session_identity;
|
||||||
pub mod totp_key;
|
pub mod totp_key;
|
||||||
pub mod user;
|
pub mod user;
|
||||||
|
pub mod users_file_entity;
|
||||||
pub mod webauthn_manager;
|
pub mod webauthn_manager;
|
||||||
|
@ -3,11 +3,9 @@ use std::net::IpAddr;
|
|||||||
|
|
||||||
use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
|
use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
|
||||||
use crate::data::client::ClientID;
|
use crate::data::client::ClientID;
|
||||||
use crate::data::entity_manager::EntityManager;
|
|
||||||
use crate::data::login_redirect::LoginRedirect;
|
use crate::data::login_redirect::LoginRedirect;
|
||||||
use crate::data::totp_key::TotpKey;
|
use crate::data::totp_key::TotpKey;
|
||||||
use crate::data::webauthn_manager::WebauthnPubKey;
|
use crate::data::webauthn_manager::WebauthnPubKey;
|
||||||
use crate::utils::err::Res;
|
|
||||||
use crate::utils::time::{fmt_time, time};
|
use crate::utils::time::{fmt_time, time};
|
||||||
|
|
||||||
#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
|
#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
|
||||||
@ -133,10 +131,6 @@ impl User {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn verify_password<P: AsRef<[u8]>>(&self, pass: P) -> bool {
|
|
||||||
verify_password(pass, &self.password)
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn has_two_factor(&self) -> bool {
|
pub fn has_two_factor(&self) -> bool {
|
||||||
!self.two_factor.is_empty()
|
!self.two_factor.is_empty()
|
||||||
}
|
}
|
||||||
@ -247,90 +241,3 @@ impl Default for User {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn hash_password<P: AsRef<[u8]>>(pwd: P) -> Res<String> {
|
|
||||||
Ok(bcrypt::hash(pwd, bcrypt::DEFAULT_COST)?)
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn verify_password<P: AsRef<[u8]>>(pwd: P, hash: &str) -> bool {
|
|
||||||
match bcrypt::verify(pwd, hash) {
|
|
||||||
Ok(r) => r,
|
|
||||||
Err(e) => {
|
|
||||||
log::warn!("Failed to verify password! {:?}", e);
|
|
||||||
false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl EntityManager<User> {
|
|
||||||
pub fn find_by_username_or_email(&self, u: &str) -> Option<User> {
|
|
||||||
for entry in self.iter() {
|
|
||||||
if entry.username.eq(u) || entry.email.eq(u) {
|
|
||||||
return Some(entry.clone());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
None
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn find_by_user_id(&self, id: &UserID) -> Option<User> {
|
|
||||||
for entry in self.iter() {
|
|
||||||
if entry.uid.eq(id) {
|
|
||||||
return Some(entry.clone());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
None
|
|
||||||
}
|
|
||||||
|
|
||||||
/// Update user information
|
|
||||||
fn update_user<F>(&mut self, id: &UserID, update: F) -> bool
|
|
||||||
where
|
|
||||||
F: FnOnce(User) -> User,
|
|
||||||
{
|
|
||||||
let user = match self.find_by_user_id(id) {
|
|
||||||
None => return false,
|
|
||||||
Some(user) => user,
|
|
||||||
};
|
|
||||||
|
|
||||||
if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) {
|
|
||||||
log::error!("Failed to update user information! {:?}", e);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
true
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn change_user_password(&mut self, id: &UserID, password: &str, temporary: bool) -> bool {
|
|
||||||
let new_hash = match hash_password(password) {
|
|
||||||
Ok(h) => h,
|
|
||||||
Err(e) => {
|
|
||||||
log::error!("Failed to hash user password! {}", e);
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
};
|
|
||||||
|
|
||||||
self.update_user(id, |mut user| {
|
|
||||||
user.password = new_hash;
|
|
||||||
user.need_reset_password = temporary;
|
|
||||||
user.two_factor_exemption_after_successful_login = Default::default();
|
|
||||||
user
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn save_new_successful_2fa_authentication(&mut self, id: &UserID, ip: IpAddr) -> bool {
|
|
||||||
self.update_user(id, |mut user| {
|
|
||||||
user.last_successful_2fa.insert(ip, time());
|
|
||||||
|
|
||||||
// Remove outdated successful attempts
|
|
||||||
user.remove_outdated_successful_2fa_attempts();
|
|
||||||
|
|
||||||
user
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
||||||
pub fn clear_2fa_login_history(&mut self, id: &UserID) -> bool {
|
|
||||||
self.update_user(id, |mut user| {
|
|
||||||
user.last_successful_2fa = Default::default();
|
|
||||||
user
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
98
src/data/users_file_entity.rs
Normal file
98
src/data/users_file_entity.rs
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
use crate::data::entity_manager::EntityManager;
|
||||||
|
use crate::data::user::{User, UserID};
|
||||||
|
use crate::utils::err::Res;
|
||||||
|
use crate::utils::time::time;
|
||||||
|
use std::net::IpAddr;
|
||||||
|
|
||||||
|
fn hash_password<P: AsRef<[u8]>>(pwd: P) -> Res<String> {
|
||||||
|
Ok(bcrypt::hash(pwd, bcrypt::DEFAULT_COST)?)
|
||||||
|
}
|
||||||
|
|
||||||
|
fn verify_password<P: AsRef<[u8]>>(pwd: P, hash: &str) -> bool {
|
||||||
|
match bcrypt::verify(pwd, hash) {
|
||||||
|
Ok(r) => r,
|
||||||
|
Err(e) => {
|
||||||
|
log::warn!("Failed to verify password! {:?}", e);
|
||||||
|
false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl EntityManager<User> {
|
||||||
|
pub fn find_by_username_or_email(&self, u: &str) -> Option<User> {
|
||||||
|
for entry in self.iter() {
|
||||||
|
if entry.username.eq(u) || entry.email.eq(u) {
|
||||||
|
return Some(entry.clone());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn find_by_user_id(&self, id: &UserID) -> Option<User> {
|
||||||
|
for entry in self.iter() {
|
||||||
|
if entry.uid.eq(id) {
|
||||||
|
return Some(entry.clone());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Update user information
|
||||||
|
fn update_user<F>(&mut self, id: &UserID, update: F) -> bool
|
||||||
|
where
|
||||||
|
F: FnOnce(User) -> User,
|
||||||
|
{
|
||||||
|
let user = match self.find_by_user_id(id) {
|
||||||
|
None => return false,
|
||||||
|
Some(user) => user,
|
||||||
|
};
|
||||||
|
|
||||||
|
if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) {
|
||||||
|
log::error!("Failed to update user information! {:?}", e);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
true
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn change_user_password(&mut self, id: &UserID, password: &str, temporary: bool) -> bool {
|
||||||
|
let new_hash = match hash_password(password) {
|
||||||
|
Ok(h) => h,
|
||||||
|
Err(e) => {
|
||||||
|
log::error!("Failed to hash user password! {}", e);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
self.update_user(id, |mut user| {
|
||||||
|
user.password = new_hash;
|
||||||
|
user.need_reset_password = temporary;
|
||||||
|
user.two_factor_exemption_after_successful_login = Default::default();
|
||||||
|
user
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn verify_user_password(&self, user: &UserID, password: &str) -> bool {
|
||||||
|
self.find_by_user_id(user)
|
||||||
|
.map(|u| verify_password(password, &u.password))
|
||||||
|
.unwrap_or(false)
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn save_new_successful_2fa_authentication(&mut self, id: &UserID, ip: IpAddr) -> bool {
|
||||||
|
self.update_user(id, |mut user| {
|
||||||
|
user.last_successful_2fa.insert(ip, time());
|
||||||
|
|
||||||
|
// Remove outdated successful attempts
|
||||||
|
user.remove_outdated_successful_2fa_attempts();
|
||||||
|
|
||||||
|
user
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn clear_2fa_login_history(&mut self, id: &UserID) -> bool {
|
||||||
|
self.update_user(id, |mut user| {
|
||||||
|
user.last_successful_2fa = Default::default();
|
||||||
|
user
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
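Review bot: The public methods added on `EntityManager<User>` have no doc comments, and `verify_user_password` and `change_user_password` in particular encode policy that is invisible from their signatures. Suggested: on `verify_user_password`, `/// Compare `password` with the bcrypt hash stored for `user`; returns false if the user does not exist or verification errors.`, and on `change_user_password` a comment stating that it re-hashes with `bcrypt::DEFAULT_COST`, sets `need_reset_password` to `temporary`, resets `two_factor_exemption_after_successful_login` to its default, and returns `false` (after logging) when hashing or persisting fails. The private `hash_password` / `verify_password` helpers would each benefit from a one-liner, e.g. `/// bcrypt-hash a plaintext password at the default cost.` and `/// True only when `pwd` matches `hash`; a bcrypt error is logged and treated as a mismatch.` Since `update_user` stays private while all its callers are `pub`, a comment noting that it is intentionally not exposed so every write goes through a named operation would help the next maintainer.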
@ -20,7 +20,7 @@ use basic_oidc::data::app_config::AppConfig;
|
|||||||
use basic_oidc::data::client::ClientManager;
|
use basic_oidc::data::client::ClientManager;
|
||||||
use basic_oidc::data::entity_manager::EntityManager;
|
use basic_oidc::data::entity_manager::EntityManager;
|
||||||
use basic_oidc::data::jwt_signer::JWTSigner;
|
use basic_oidc::data::jwt_signer::JWTSigner;
|
||||||
use basic_oidc::data::user::{hash_password, User};
|
use basic_oidc::data::user::User;
|
||||||
use basic_oidc::data::webauthn_manager::WebAuthManager;
|
use basic_oidc::data::webauthn_manager::WebAuthManager;
|
||||||
use basic_oidc::middlewares::auth_middleware::AuthMiddleware;
|
use basic_oidc::middlewares::auth_middleware::AuthMiddleware;
|
||||||
|
|
||||||
@ -51,16 +51,17 @@ async fn main() -> std::io::Result<()> {
|
|||||||
log::info!("Create default {} user", DEFAULT_ADMIN_USERNAME);
|
log::info!("Create default {} user", DEFAULT_ADMIN_USERNAME);
|
||||||
let default_admin = User {
|
let default_admin = User {
|
||||||
username: DEFAULT_ADMIN_USERNAME.to_string(),
|
username: DEFAULT_ADMIN_USERNAME.to_string(),
|
||||||
password: hash_password(DEFAULT_ADMIN_PASSWORD).unwrap(),
|
|
||||||
need_reset_password: true,
|
|
||||||
authorized_clients: None,
|
authorized_clients: None,
|
||||||
admin: true,
|
admin: true,
|
||||||
..Default::default()
|
..Default::default()
|
||||||
};
|
};
|
||||||
|
|
||||||
users
|
users
|
||||||
.insert(default_admin)
|
.insert(default_admin.clone())
|
||||||
.expect("Failed to create initial user!");
|
.expect("Failed to create initial user!");
|
||||||
|
|
||||||
|
// Set default admin password
|
||||||
|
users.change_user_password(&default_admin.uid, DEFAULT_ADMIN_PASSWORD, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
let users_actor = UsersActor::new(users).start();
|
let users_actor = UsersActor::new(users).start();
|
||||||
|
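Review bot: The `bool` returned by `users.change_user_password(&default_admin.uid, DEFAULT_ADMIN_PASSWORD, true)` is ignored, so when hashing or persisting fails (both paths log and return `false` in `users_file_entity.rs`) startup continues with the default admin holding whatever `password` value `..Default::default()` supplied, and the operator only learns of it from the log; the insert just above already `expect`s, so treat this the same way: `assert!(users.change_user_password(&default_admin.uid, DEFAULT_ADMIN_PASSWORD, true), "Failed to set default admin password!");`. The `default_admin.clone()` exists only to read `.uid` after the move; capturing `let admin_uid = default_admin.uid.clone();` before `.insert(default_admin)` avoids copying the whole struct. `main` starts and ends outside the hunk.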