Compare commits

..

95 Commits

Author SHA1 Message Date
e26faee426 Merge pull request 'Update Rust crate webauthn-rs to 0.5.2' () from renovate/webauthn-rs-0.x into master 2025-07-10 00:23:56 +00:00
a7a761f32a Merge pull request 'Update Rust crate clap to 4.5.41' () from renovate/clap-4.x into master 2025-07-10 00:21:47 +00:00
c05718b2d7 Update Rust crate webauthn-rs to 0.5.2 2025-07-10 00:13:25 +00:00
0e83f64f24 Update Rust crate clap to 4.5.41 2025-07-10 00:13:16 +00:00
8a14521d6e Fix cargo clippy issues 2025-07-09 15:05:30 +02:00
e3e4e8280c Update Rust crate uuid to 1.17.0 2025-06-11 00:19:10 +00:00
03c538cc96 Update Rust crate clap to 4.5.40 2025-06-10 00:19:27 +00:00
77d3e49a94 Update Rust crate futures-util to 0.3.31 2025-06-09 00:19:16 +00:00
df40e5e6be Update Rust crate clap to 4.5.39 2025-06-07 00:18:47 +00:00
e5c6f0d372 Fix cargo clippy issues ()
Reviewed-on: 
2025-06-06 06:11:07 +00:00
46c561ca0b Update Rust crate actix-web to 4.11.0 2025-05-13 00:13:45 +00:00
4a3c1b62e0 Update Rust crate clap to 4.5.38 2025-05-12 00:13:25 +00:00
64e9844f65 Update Rust crate sha2 to 0.10.9 2025-05-01 00:16:56 +00:00
958a614f19 Update Rust crate chrono to 0.4.41 2025-04-30 00:16:57 +00:00
f869bbde07 Update Rust crate askama to 0.14.0 2025-04-24 00:17:03 +00:00
257c9c2b85 Update Rust crate clap to 4.5.37 2025-04-19 00:24:57 +00:00
96b3f35ad0 Update Rust crate rand to 0.9.1 2025-04-18 00:24:58 +00:00
658e6d498b Update Rust crate askama to 0.13.1 2025-04-16 00:24:41 +00:00
5241115f79 Update Rust crate webauthn-rs to 0.5.1 2025-04-15 00:24:36 +00:00
23e8f33069 Update Rust crate uuid to 1.16.0 2025-04-14 00:24:42 +00:00
77c3dc9e94 Update Rust crate url to 2.5.4 2025-04-13 00:24:38 +00:00
0a8fc3c805 Update Rust crate clap to 4.5.36 2025-04-12 00:24:42 +00:00
b820ca4b49 Update Rust crate totp_rfc6238 to 0.6.1 2025-04-11 00:24:41 +00:00
dc30d65d68 Update Rust crate serde_json to 1.0.140 2025-04-10 00:24:38 +00:00
dbea05552d Update Rust crate serde to 1.0.219 2025-04-09 00:24:42 +00:00
fc416752db Update Rust crate mime_guess to 2.0.5 2025-04-08 00:24:48 +00:00
99dd85c973 Update Rust crate mailchecker to 6.0.17 2025-04-07 00:30:22 +00:00
69cabe650e Update Rust crate lazy_static to 1.5.0 2025-04-06 00:30:35 +00:00
18e6ee16ae Update Rust crate clap to 4.5.35 2025-04-05 00:30:18 +00:00
1e5fc7acfe Update Rust crate lazy-regex to 3.4.1 2025-04-04 00:30:39 +00:00
e16e1a5a6a Update Rust crate jwt-simple to 0.12.12 2025-04-03 00:30:21 +00:00
80b9ffd4e0 Update Rust crate env_logger to 0.11.8 2025-04-02 00:30:28 +00:00
0a8f441ecb Update Rust crate include_dir to 0.7.4 2025-04-01 02:01:07 +00:00
ee00b31fd0 Update Rust crate chrono to 0.4.40 2025-03-31 20:46:52 +00:00
7b9ada9164 Update Rust crate base32 to 0.5.1 2025-03-31 00:30:31 +00:00
991f732f22 Update Rust crate actix-web to 4.10.2 2025-03-30 02:16:41 +00:00
e11a902c98 Update Rust crate actix-session to 0.10.1 2025-03-29 22:51:45 +00:00
dc0455c526 Update Rust crate actix to 0.13.5 2025-03-29 18:12:42 +00:00
4cefc7bb0a Update renovate.json 2025-03-29 17:33:18 +00:00
9bcdc84824 Update renovate.json 2025-03-29 13:02:15 +00:00
9c79c3d93c Cargo clippy on test code 2025-03-28 14:50:48 +01:00
bfe6c25f39 Cargo clippy 2025-03-28 14:42:04 +01:00
b77e7895b7 Rust Edition 2024 2025-03-28 14:40:35 +01:00
19f99cf9b9 Update all project dependencies 2025-03-28 14:37:47 +01:00
73988fe5ec Merge pull request 'Update Rust crate mailchecker to v6.0.17' () from renovate/mailchecker-6.x-lockfile into master
Reviewed-on: 
2025-03-28 13:01:09 +00:00
ad1ba1bf19 Merge pull request 'Update Rust crate uuid to v1.16.0' () from renovate/uuid-1.x-lockfile into master
Reviewed-on: 
2025-03-28 13:00:59 +00:00
cabb74b0a3 Merge pull request 'Update Rust crate clap to v4.5.33' () from renovate/clap-4.x-lockfile into master
Reviewed-on: 
2025-03-28 13:00:52 +00:00
2d7635668d Merge pull request 'Update Rust crate askama to 0.13.0' () from renovate/askama-0.x into master
Reviewed-on: 
2025-03-28 13:00:44 +00:00
eeb0594e80 Update Rust crate askama to 0.13.0 2025-03-28 00:22:19 +00:00
4f74e7cfc1 Update Rust crate clap to v4.5.33 2025-03-27 00:22:30 +00:00
10247deb2e Update Rust crate uuid to v1.16.0 2025-03-15 00:03:57 +00:00
286b982506 Update Rust crate mailchecker to v6.0.17 2025-03-13 00:03:58 +00:00
25f7221d0b Update all dependencies 2025-03-12 19:26:57 +01:00
c5b083f2df Merge pull request 'Update Rust crate actix-web to v4.10.2' () from renovate/actix-web-4.x-lockfile into master
Reviewed-on: 
2025-03-12 18:25:09 +00:00
2170d53bb4 Update Rust crate actix-web to v4.10.2 2025-03-12 00:17:31 +00:00
19a1fba460 Merge pull request 'Update Rust crate clap to v4.5.32' () from renovate/clap-4.x-lockfile into master
Reviewed-on: 
2025-03-11 13:13:04 +00:00
402bcbc4cd Merge pull request 'Update Rust crate env_logger to v0.11.7' () from renovate/env_logger-0.x-lockfile into master
Reviewed-on: 
2025-03-11 13:12:58 +00:00
19a7ae24cf Update Rust crate env_logger to v0.11.7 2025-03-11 00:17:37 +00:00
44de2d320a Update Rust crate clap to v4.5.32 2025-03-11 00:17:28 +00:00
b7310bd7ad Merge pull request 'Update Rust crate serde to v1.0.219' () from renovate/serde-1.x-lockfile into master
Reviewed-on: 
2025-03-10 18:04:11 +00:00
e9c14cf146 Update Rust crate serde to v1.0.219 2025-03-10 00:17:39 +00:00
ce07e8e0eb Merge pull request 'Update Rust crate light-openid to v1.0.3' () from renovate/light-openid-1.x-lockfile into master
Reviewed-on: 
2025-03-05 20:40:22 +00:00
5b58b70ca7 Update Rust crate light-openid to v1.0.3 2025-03-05 00:17:22 +00:00
1bbfe494d8 Updated all dependencies 2025-03-04 19:54:04 +01:00
80de6e224e Merge pull request 'Update Rust crate uuid to v1.15.1' () from renovate/uuid-1.x-lockfile into master
Reviewed-on: 
2025-03-04 18:48:09 +00:00
1bb417d02c Merge pull request 'Update Rust crate serde_json to v1.0.140' () from renovate/serde_json-1.x-lockfile into master
Reviewed-on: 
2025-03-04 18:48:04 +00:00
dd05ab563e Merge pull request 'Update Rust crate chrono to v0.4.40' () from renovate/chrono-0.x-lockfile into master
Reviewed-on: 
2025-03-04 18:47:57 +00:00
428a4f8f31 Update Rust crate serde_json to v1.0.140 2025-03-04 00:17:30 +00:00
89d0955137 Update Rust crate uuid to v1.15.1 2025-02-27 00:23:13 +00:00
ea34f867b0 Update Rust crate chrono to v0.4.40 2025-02-27 00:23:09 +00:00
cbda0db231 Merge pull request 'Update Rust crate clap to v4.5.31' () from renovate/clap-4.x-lockfile into master
Reviewed-on: 
2025-02-25 07:16:43 +00:00
91b468ee54 Update Rust crate clap to v4.5.31 2025-02-25 00:23:10 +00:00
c9d41f2517 Add CORS on token endpoint 2025-02-21 15:51:33 +01:00
1a1a41d5dc Disable client secret check when no secret is specified 2025-02-21 14:58:13 +01:00
d01311abf1 Can initiate code authentication without client secret 2025-02-21 14:49:45 +01:00
a73ad4bf41 Add CORS headers on OpenID configuration endpoint 2025-02-21 11:59:32 +01:00
4a248e84ac Merge pull request 'Update Rust crate uuid to v1.13.1' () from renovate/uuid-1.x-lockfile into master
Reviewed-on: 
2025-02-21 10:53:37 +00:00
e650fe0c29 Merge pull request 'Update Rust crate mailchecker to v6.0.16' () from renovate/mailchecker-6.x-lockfile into master
Reviewed-on: 
2025-02-21 10:53:29 +00:00
473abb2d38 Merge pull request 'Update Rust crate clap to v4.5.29' () from renovate/clap-4.x-lockfile into master
Reviewed-on: 
2025-02-21 10:53:23 +00:00
1b743c86bf Merge pull request 'Update Rust crate serde to v1.0.218' () from renovate/serde-1.x-lockfile into master
Reviewed-on: 
2025-02-21 10:53:16 +00:00
8c25e2aa4c Merge pull request 'Update Rust crate serde_json to v1.0.139' () from renovate/serde_json-1.x-lockfile into master
Reviewed-on: 
2025-02-21 10:53:07 +00:00
f7e4eb955c Update Rust crate serde_json to v1.0.139 2025-02-21 00:05:04 +00:00
7d521ef040 Update Rust crate serde to v1.0.218 2025-02-21 00:05:01 +00:00
c59e7b96db Update Rust crate mailchecker to v6.0.16 2025-02-18 00:04:45 +00:00
a0d204ad09 Update Rust crate clap to v4.5.29 2025-02-12 00:04:41 +00:00
a06be2e889 Update Rust crate uuid to v1.13.1 2025-02-06 00:08:38 +00:00
42862aea7f Merge pull request 'Update Rust crate clap to v4.5.28' () from renovate/clap-4.x-lockfile into master
Reviewed-on: 
2025-02-04 07:04:12 +00:00
8173ac5bc1 Update Rust crate clap to v4.5.28 2025-02-04 00:08:27 +00:00
79a00ff7ad Merge pull request 'Update Rust crate rand to 0.9.0' () from renovate/rand-0.x into master
Reviewed-on: 
2025-02-03 20:00:33 +00:00
f2e4d82f87 Fix rand breaking changes 2025-02-03 20:57:49 +01:00
022073f26a Update Rust crate rand to 0.9.0 2025-02-01 00:22:15 +00:00
c22fcdab74 Merge pull request 'Update Rust crate bcrypt to 0.17.0' () from renovate/bcrypt-0.x into master
Reviewed-on: 
2025-01-31 07:10:50 +00:00
672267d521 Merge pull request 'Update Rust crate serde_json to v1.0.138' () from renovate/serde_json-1.x-lockfile into master
Reviewed-on: 
2025-01-31 07:10:41 +00:00
c26a3af253 Update Rust crate bcrypt to 0.17.0 2025-01-31 00:22:28 +00:00
84d69de09b Update Rust crate serde_json to v1.0.138 2025-01-30 00:22:18 +00:00
32 changed files with 906 additions and 813 deletions

1222
Cargo.lock generated

File diff suppressed because it is too large Load Diff

@ -1,42 +1,42 @@
[package] [package]
name = "basic-oidc" name = "basic-oidc"
version = "0.1.4" version = "0.1.5"
edition = "2021" edition = "2024"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies] [dependencies]
actix = "0.13.3" actix = "0.13.5"
actix-identity = "0.8.0" actix-identity = "0.8.0"
actix-web = "4.5.1" actix-web = "4.11.0"
actix-session = { version = "0.10.0", features = ["cookie-session"] } actix-session = { version = "0.10.1", features = ["cookie-session"] }
actix-remote-ip = "0.1.0" actix-remote-ip = "0.1.0"
clap = { version = "4.5.17", features = ["derive", "env"] } clap = { version = "4.5.41", features = ["derive", "env"] }
include_dir = "0.7.3" include_dir = "0.7.4"
log = "0.4.21" log = "0.4.27"
serde_json = "1.0.128" serde_json = "1.0.140"
serde_yaml = "0.9.34" serde_yaml = "0.9.34"
env_logger = "0.11.3" env_logger = "0.11.8"
serde = { version = "1.0.210", features = ["derive"] } serde = { version = "1.0.219", features = ["derive"] }
bcrypt = "0.16.0" bcrypt = "0.17.0"
uuid = { version = "1.8.0", features = ["v4"] } uuid = { version = "1.17.0", features = ["v4"] }
mime_guess = "2.0.4" mime_guess = "2.0.5"
askama = "0.12.1" askama = "0.14.0"
futures-util = "0.3.30" futures-util = "0.3.31"
urlencoding = "2.1.3" urlencoding = "2.1.3"
rand = "0.8.5" rand = "0.9.1"
base64 = "0.22.1" base64 = "0.22.1"
jwt-simple = { version = "0.12.10", default-features = false, features = ["pure-rust"] } jwt-simple = { version = "0.12.12", default-features = false, features = ["pure-rust"] }
digest = "0.10.7" digest = "0.10.7"
sha2 = "0.10.8" sha2 = "0.10.9"
lazy-regex = "3.3.0" lazy-regex = "3.4.1"
totp_rfc6238 = "0.6.0" totp_rfc6238 = "0.6.1"
base32 = "0.5.0" base32 = "0.5.1"
qrcode-generator = "5.0.0" qrcode-generator = "5.0.0"
webauthn-rs = { version = "0.5.0", features = ["danger-allow-state-serialisation"] } webauthn-rs = { version = "0.5.2", features = ["danger-allow-state-serialisation"] }
url = "2.5.0" url = "2.5.4"
light-openid = { version = "1.0.2", features = ["crypto-wrapper"] } light-openid = { version = "1.0.4", features = ["crypto-wrapper"] }
bincode = "2.0.0-rc.3" bincode = "2.0.1"
chrono = "0.4.38" chrono = "0.4.41"
lazy_static = "1.4.0" lazy_static = "1.5.0"
mailchecker = "6.0.8" mailchecker = "6.0.17"

@ -1,9 +1,3 @@
{ {
"$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["local>renovate/presets"]
"packageRules": [
{
"matchUpdateTypes": ["major", "minor", "patch"],
"automerge": true
}
]
} }

@ -1,5 +1,5 @@
use std::collections::hash_map::Entry;
use std::collections::HashMap; use std::collections::HashMap;
use std::collections::hash_map::Entry;
use std::net::IpAddr; use std::net::IpAddr;
use actix::{Actor, AsyncContext, Context, Handler, Message}; use actix::{Actor, AsyncContext, Context, Handler, Message};

@ -8,8 +8,8 @@ use crate::constants::{
OIDC_STATES_CLEANUP_INTERVAL, OIDC_STATES_CLEANUP_INTERVAL,
}; };
use actix::{Actor, AsyncContext, Context, Handler, Message}; use actix::{Actor, AsyncContext, Context, Handler, Message};
use std::collections::hash_map::Entry;
use std::collections::HashMap; use std::collections::HashMap;
use std::collections::hash_map::Entry;
use std::net::IpAddr; use std::net::IpAddr;
use crate::data::login_redirect::LoginRedirect; use crate::data::login_redirect::LoginRedirect;

@ -151,7 +151,7 @@ impl Handler<LocalLoginRequest> for UsersActor {
fn handle(&mut self, msg: LocalLoginRequest, _ctx: &mut Self::Context) -> Self::Result { fn handle(&mut self, msg: LocalLoginRequest, _ctx: &mut Self::Context) -> Self::Result {
match self.manager.find_by_username_or_email(&msg.login) { match self.manager.find_by_username_or_email(&msg.login) {
Err(e) => { Err(e) => {
log::error!("Failed to find user! {}", e); log::error!("Failed to find user! {e}");
MessageResult(LoginResult::Error) MessageResult(LoginResult::Error)
} }
Ok(None) => MessageResult(LoginResult::AccountNotFound), Ok(None) => MessageResult(LoginResult::AccountNotFound),
@ -184,7 +184,7 @@ impl Handler<ProviderLoginRequest> for UsersActor {
fn handle(&mut self, msg: ProviderLoginRequest, _ctx: &mut Self::Context) -> Self::Result { fn handle(&mut self, msg: ProviderLoginRequest, _ctx: &mut Self::Context) -> Self::Result {
match self.manager.find_by_email(&msg.email) { match self.manager.find_by_email(&msg.email) {
Err(e) => { Err(e) => {
log::error!("Failed to find user! {}", e); log::error!("Failed to find user! {e}");
MessageResult(LoginResult::Error) MessageResult(LoginResult::Error)
} }
Ok(None) => MessageResult(LoginResult::AccountNotFound), Ok(None) => MessageResult(LoginResult::AccountNotFound),
@ -210,7 +210,7 @@ impl Handler<CreateAccount> for UsersActor {
match self.manager.create_user_account(msg.0) { match self.manager.create_user_account(msg.0) {
Ok(id) => Some(id), Ok(id) => Some(id),
Err(e) => { Err(e) => {
log::error!("Failed to create user account! {}", e); log::error!("Failed to create user account! {e}");
None None
} }
} }
@ -227,7 +227,7 @@ impl Handler<ChangePasswordRequest> for UsersActor {
{ {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to change user password! {:?}", e); log::error!("Failed to change user password! {e:?}");
false false
} }
} }
@ -241,7 +241,7 @@ impl Handler<Add2FAFactor> for UsersActor {
match self.manager.add_2fa_factor(&msg.0, msg.1) { match self.manager.add_2fa_factor(&msg.0, msg.1) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to add 2FA factor! {}", e); log::error!("Failed to add 2FA factor! {e}");
false false
} }
} }
@ -255,7 +255,7 @@ impl Handler<Remove2FAFactor> for UsersActor {
match self.manager.remove_2fa_factor(&msg.0, msg.1) { match self.manager.remove_2fa_factor(&msg.0, msg.1) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to remove 2FA factor! {}", e); log::error!("Failed to remove 2FA factor! {e}");
false false
} }
} }
@ -272,7 +272,7 @@ impl Handler<AddSuccessful2FALogin> for UsersActor {
{ {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to save successful 2FA authentication! {}", e); log::error!("Failed to save successful 2FA authentication! {e}");
false false
} }
} }
@ -309,10 +309,7 @@ impl Handler<SetAuthorizedAuthenticationSources> for UsersActor {
{ {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!( log::error!("Failed to set authorized authentication sources for user! {e}");
"Failed to set authorized authentication sources for user! {}",
e
);
false false
} }
} }
@ -325,7 +322,7 @@ impl Handler<SetGrantedClients> for UsersActor {
match self.manager.set_granted_2fa_clients(&msg.0, msg.1) { match self.manager.set_granted_2fa_clients(&msg.0, msg.1) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to set granted 2FA clients! {}", e); log::error!("Failed to set granted 2FA clients! {e}");
false false
} }
} }
@ -339,7 +336,7 @@ impl Handler<GetUserRequest> for UsersActor {
MessageResult(GetUserResult(match self.manager.find_by_user_id(&msg.0) { MessageResult(GetUserResult(match self.manager.find_by_user_id(&msg.0) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to find user by id! {}", e); log::error!("Failed to find user by id! {e}");
None None
} }
})) }))
@ -353,7 +350,7 @@ impl Handler<VerifyUserPasswordRequest> for UsersActor {
self.manager self.manager
.verify_user_password(&msg.0, &msg.1) .verify_user_password(&msg.0, &msg.1)
.unwrap_or_else(|e| { .unwrap_or_else(|e| {
log::error!("Failed to verify user password! {}", e); log::error!("Failed to verify user password! {e}");
false false
}) })
} }
@ -367,7 +364,7 @@ impl Handler<FindUserByUsername> for UsersActor {
self.manager self.manager
.find_by_username_or_email(&msg.0) .find_by_username_or_email(&msg.0)
.unwrap_or_else(|e| { .unwrap_or_else(|e| {
log::error!("Failed to find user by username or email! {}", e); log::error!("Failed to find user by username or email! {e}");
None None
}), }),
)) ))
@ -381,7 +378,7 @@ impl Handler<GetAllUsers> for UsersActor {
match self.manager.get_entire_users_list() { match self.manager.get_entire_users_list() {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to get entire users list! {}", e); log::error!("Failed to get entire users list! {e}");
vec![] vec![]
} }
} }
@ -395,7 +392,7 @@ impl Handler<UpdateUserSettings> for UsersActor {
match self.manager.set_general_user_settings(msg.0) { match self.manager.set_general_user_settings(msg.0) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to update general user information! {:?}", e); log::error!("Failed to update general user information! {e:?}");
false false
} }
} }
@ -409,7 +406,7 @@ impl Handler<DeleteUserRequest> for UsersActor {
match self.manager.delete_account(&msg.0) { match self.manager.delete_account(&msg.0) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to delete user account! {}", e); log::error!("Failed to delete user account! {e}");
false false
} }
} }

@ -1,6 +1,6 @@
use crate::actors::users_actor; use crate::actors::users_actor;
use actix::Addr; use actix::Addr;
use actix_web::{web, HttpResponse, Responder}; use actix_web::{HttpResponse, Responder, web};
use crate::actors::users_actor::{DeleteUserRequest, FindUserByUsername, UsersActor}; use crate::actors::users_actor::{DeleteUserRequest, FindUserByUsername, UsersActor};
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};

@ -2,7 +2,7 @@ use std::ops::Deref;
use std::sync::Arc; use std::sync::Arc;
use actix::Addr; use actix::Addr;
use actix_web::{web, HttpResponse, Responder}; use actix_web::{HttpResponse, Responder, web};
use askama::Template; use askama::Template;
use crate::actors::users_actor; use crate::actors::users_actor;

@ -1,7 +1,7 @@
use std::path::Path; use std::path::Path;
use actix_web::{web, HttpResponse}; use actix_web::{HttpResponse, web};
use include_dir::{include_dir, Dir}; use include_dir::{Dir, include_dir};
/// Assets directory /// Assets directory
static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets"); static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets");

@ -4,7 +4,7 @@ use crate::data::action_logger::{Action, ActionLogger};
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_remote_ip::RemoteIP; use actix_remote_ip::RemoteIP;
use actix_web::{web, HttpRequest, HttpResponse, Responder}; use actix_web::{HttpRequest, HttpResponse, Responder, web};
use webauthn_rs::prelude::PublicKeyCredential; use webauthn_rs::prelude::PublicKeyCredential;
use crate::data::session_identity::{SessionIdentity, SessionStatus}; use crate::data::session_identity::{SessionIdentity, SessionStatus};
@ -47,7 +47,7 @@ pub async fn auth_webauthn(
HttpResponse::Ok().body("You are authenticated!") HttpResponse::Ok().body("You are authenticated!")
} }
Err(e) => { Err(e) => {
log::error!("Failed to authenticate user using webauthn! {:?}", e); log::error!("Failed to authenticate user using webauthn! {e:?}");
logger.log(Action::LoginWebauthnAttempt { logger.log(Action::LoginWebauthnAttempt {
success: false, success: false,
user_id, user_id,

@ -1,7 +1,7 @@
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_remote_ip::RemoteIP; use actix_remote_ip::RemoteIP;
use actix_web::{web, HttpRequest, HttpResponse, Responder}; use actix_web::{HttpRequest, HttpResponse, Responder, web};
use askama::Template; use askama::Template;
use std::sync::Arc; use std::sync::Arc;
@ -14,7 +14,7 @@ use crate::controllers::base_controller::{
}; };
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::force_2fa_auth::Force2FAAuth; use crate::data::force_2fa_auth::Force2FAAuth;
use crate::data::login_redirect::{get_2fa_url, LoginRedirect}; use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
use crate::data::provider::{Provider, ProvidersManager}; use crate::data::provider::{Provider, ProvidersManager};
use crate::data::session_identity::{SessionIdentity, SessionStatus}; use crate::data::session_identity::{SessionIdentity, SessionStatus};
use crate::data::user::User; use crate::data::user::User;
@ -177,7 +177,10 @@ pub async fn login_route(
} }
LoginResult::LocalAuthForbidden => { LoginResult::LocalAuthForbidden => {
log::warn!("Failed login for username {} : attempted to use local auth, but it is forbidden", &login); log::warn!(
"Failed login for username {} : attempted to use local auth, but it is forbidden",
&login
);
logger.log(Action::TryLocalLoginFromUnauthorizedAccount(&login)); logger.log(Action::TryLocalLoginFromUnauthorizedAccount(&login));
danger = Some("You cannot login from local auth with your account!".to_string()); danger = Some("You cannot login from local auth with your account!".to_string());
} }
@ -187,12 +190,7 @@ pub async fn login_route(
} }
c => { c => {
log::warn!( log::warn!("Failed login for ip {remote_ip:?} / username {login}: {c:?}");
"Failed login for ip {:?} / username {}: {:?}",
remote_ip,
login,
c
);
logger.log(Action::FailedLoginWithBadCredentials(&login)); logger.log(Action::FailedLoginWithBadCredentials(&login));
danger = Some("Login failed.".to_string()); danger = Some("Login failed.".to_string());
@ -471,7 +469,7 @@ pub async fn login_with_webauthn(
let challenge = match manager.start_authentication(&user.uid, &pub_keys) { let challenge = match manager.start_authentication(&user.uid, &pub_keys) {
Ok(c) => c, Ok(c) => c,
Err(e) => { Err(e) => {
log::error!("Failed to generate webauthn challenge! {:?}", e); log::error!("Failed to generate webauthn challenge! {e:?}");
return HttpResponse::InternalServerError().body(build_fatal_error_page( return HttpResponse::InternalServerError().body(build_fatal_error_page(
"Failed to generate webauthn challenge", "Failed to generate webauthn challenge",
)); ));
@ -481,7 +479,7 @@ pub async fn login_with_webauthn(
let challenge_json = match serde_json::to_string(&challenge.login_challenge) { let challenge_json = match serde_json::to_string(&challenge.login_challenge) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to serialize challenge! {:?}", e); log::error!("Failed to serialize challenge! {e:?}");
return HttpResponse::InternalServerError().body("Failed to serialize challenge!"); return HttpResponse::InternalServerError().body("Failed to serialize challenge!");
} }
}; };

@ -4,9 +4,9 @@ use std::sync::Arc;
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_web::error::ErrorUnauthorized; use actix_web::error::ErrorUnauthorized;
use actix_web::{web, HttpRequest, HttpResponse, Responder}; use actix_web::{HttpRequest, HttpResponse, Responder, web};
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine as _; use base64::Engine as _;
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use light_openid::primitives::{OpenIDConfig, OpenIDTokenResponse, OpenIDUserInfo}; use light_openid::primitives::{OpenIDConfig, OpenIDTokenResponse, OpenIDUserInfo};
use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, SessionID}; use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, SessionID};
@ -16,12 +16,12 @@ use crate::constants::*;
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user}; use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig; use crate::data::app_config::AppConfig;
use crate::data::client::{AdditionalClaims, AuthenticationFlow, ClientID, ClientManager}; use crate::data::client::{AdditionalClaims, ClientID, ClientManager};
use crate::data::code_challenge::CodeChallenge; use crate::data::code_challenge::CodeChallenge;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::id_token::IdToken; use crate::data::id_token::IdToken;
use crate::data::jwt_signer::{JWTSigner, JsonWebKey}; use crate::data::jwt_signer::{JWTSigner, JsonWebKey};
use crate::data::login_redirect::{get_2fa_url, LoginRedirect}; use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
use crate::data::session_identity::SessionIdentity; use crate::data::session_identity::SessionIdentity;
use crate::data::user::User; use crate::data::user::User;
@ -50,7 +50,9 @@ pub async fn get_configuration(req: HttpRequest) -> impl Responder {
host host
); );
HttpResponse::Ok().json(OpenIDConfig { HttpResponse::Ok()
.insert_header(("access-control-allow-origin", "*"))
.json(OpenIDConfig {
issuer: AppConfig::get().website_origin.clone(), issuer: AppConfig::get().website_origin.clone(),
authorization_endpoint: AppConfig::get().full_url(AUTHORIZE_URI), authorization_endpoint: AppConfig::get().full_url(AUTHORIZE_URI),
token_endpoint: curr_origin.clone() + TOKEN_URI, token_endpoint: curr_origin.clone() + TOKEN_URI,
@ -109,12 +111,7 @@ pub struct AuthorizeQuery {
} }
fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> HttpResponse { fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> HttpResponse {
log::warn!( log::warn!("Failed to process sign in request ({error} => {description}): {query:?}");
"Failed to process sign in request ({} => {}): {:?}",
error,
description,
query
);
HttpResponse::Found() HttpResponse::Found()
.append_header(( .append_header((
"Location", "Location",
@ -218,8 +215,8 @@ pub async fn authorize(
)); ));
} }
match (client.auth_flow(), query.response_type.as_str()) { match (client.has_secret(), query.response_type.as_str()) {
(AuthenticationFlow::AuthorizationCode, "code") => { (_, "code") => {
// Save all authentication information in memory // Save all authentication information in memory
let session = Session { let session = Session {
session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)), session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
@ -241,7 +238,7 @@ pub async fn authorize(
.await .await
.unwrap(); .unwrap();
log::trace!("New OpenID session: {:#?}", session); log::trace!("New OpenID session: {session:#?}");
logger.log(Action::NewOpenIDSession { client: &client }); logger.log(Action::NewOpenIDSession { client: &client });
Ok(HttpResponse::Found() Ok(HttpResponse::Found()
@ -261,7 +258,8 @@ pub async fn authorize(
.finish()) .finish())
} }
(AuthenticationFlow::Implicit, "id_token") => { // id_token is available only if user has no secret configured
(false, "id_token") => {
let id_token = IdToken { let id_token = IdToken {
issuer: AppConfig::get().website_origin.to_string(), issuer: AppConfig::get().website_origin.to_string(),
subject_identifier: user.uid.0.clone(), subject_identifier: user.uid.0.clone(),
@ -293,11 +291,11 @@ pub async fn authorize(
.finish()) .finish())
} }
(flow, code) => { (secret, code) => {
log::warn!( log::warn!(
"For client {:?}, configured with flow {:?}, made request with code {}", "For client {:?}, configured with secret {:?}, made request with code {}",
client.id, client.id,
flow, secret,
code code
); );
Ok(error_redirect( Ok(error_redirect(
@ -316,12 +314,7 @@ struct ErrorResponse {
} }
pub fn error_response<D: Debug>(query: &D, error: &str, description: &str) -> HttpResponse { pub fn error_response<D: Debug>(query: &D, error: &str, description: &str) -> HttpResponse {
log::warn!( log::warn!("request failed: {error} - {description} => '{query:#?}'");
"request failed: {} - {} => '{:#?}'",
error,
description,
query
);
HttpResponse::BadRequest().json(ErrorResponse { HttpResponse::BadRequest().json(ErrorResponse {
error: error.to_string(), error: error.to_string(),
error_description: description.to_string(), error_description: description.to_string(),
@ -366,9 +359,7 @@ pub async fn token(
let (client_id, client_secret) = let (client_id, client_secret) =
match (&query.client_id, &query.client_secret, authorization_header) { match (&query.client_id, &query.client_secret, authorization_header) {
// post authentication // post authentication
(Some(client_id), Some(client_secret), None) => { (Some(client_id), client_secret, None) => (client_id.clone(), client_secret.clone()),
(client_id.clone(), client_secret.to_string())
}
// Basic authentication // Basic authentication
(_, None, Some(v)) => { (_, None, Some(v)) => {
@ -388,7 +379,7 @@ pub async fn token(
let decode = String::from_utf8_lossy(&match BASE64_STANDARD.decode(token) { let decode = String::from_utf8_lossy(&match BASE64_STANDARD.decode(token) {
Ok(d) => d, Ok(d) => d,
Err(e) => { Err(e) => {
log::error!("Failed to decode authorization header: {:?}", e); log::error!("Failed to decode authorization header: {e:?}");
return Ok(error_response( return Ok(error_response(
&query, &query,
"invalid_request", "invalid_request",
@ -399,8 +390,8 @@ pub async fn token(
.to_string(); .to_string();
match decode.split_once(':') { match decode.split_once(':') {
None => (ClientID(decode), "".to_string()), None => (ClientID(decode), None),
Some((id, secret)) => (ClientID(id.to_string()), secret.to_string()), Some((id, secret)) => (ClientID(id.to_string()), Some(secret.to_string())),
} }
} }
@ -418,7 +409,7 @@ pub async fn token(
.ok_or_else(|| ErrorUnauthorized("Client not found"))?; .ok_or_else(|| ErrorUnauthorized("Client not found"))?;
// Retrieving token requires the client to have a defined secret // Retrieving token requires the client to have a defined secret
if client.secret != Some(client_secret) { if client.secret != client_secret {
return Ok(error_response( return Ok(error_response(
&query, &query,
"invalid_request", "invalid_request",
@ -608,8 +599,9 @@ pub async fn token(
}; };
Ok(HttpResponse::Ok() Ok(HttpResponse::Ok()
.append_header(("Cache-Control", "no-store")) .insert_header(("Cache-Control", "no-store"))
.append_header(("Pragam", "no-cache")) .insert_header(("Pragma", "no-cache"))
.insert_header(("access-control-allow-origin", "*"))
.json(token_response)) .json(token_response))
} }

@ -3,7 +3,7 @@ use std::sync::Arc;
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_remote_ip::RemoteIP; use actix_remote_ip::RemoteIP;
use actix_web::{web, HttpRequest, HttpResponse, Responder}; use actix_web::{HttpRequest, HttpResponse, Responder, web};
use askama::Template; use askama::Template;
use crate::actors::bruteforce_actor::BruteForceActor; use crate::actors::bruteforce_actor::BruteForceActor;
@ -96,14 +96,14 @@ pub async fn start_login(
let config = match ProviderConfigurationHelper::get_configuration(&provider).await { let config = match ProviderConfigurationHelper::get_configuration(&provider).await {
Ok(c) => c, Ok(c) => c,
Err(e) => { Err(e) => {
log::error!("Failed to load provider configuration! {}", e); log::error!("Failed to load provider configuration! {e}");
return HttpResponse::InternalServerError().body(build_fatal_error_page( return HttpResponse::InternalServerError().body(build_fatal_error_page(
"Failed to load provider configuration!", "Failed to load provider configuration!",
)); ));
} }
}; };
log::debug!("Provider configuration: {:?}", config); log::debug!("Provider configuration: {config:?}");
let url = config.auth_url(&provider, &state); let url = config.auth_url(&provider, &state);
log::debug!("Redirect user on {url} for authentication",); log::debug!("Redirect user on {url} for authentication",);
@ -210,7 +210,7 @@ pub async fn finish_login(
let provider_config = match ProviderConfigurationHelper::get_configuration(&provider).await { let provider_config = match ProviderConfigurationHelper::get_configuration(&provider).await {
Ok(c) => c, Ok(c) => c,
Err(e) => { Err(e) => {
log::error!("Failed to load provider configuration! {}", e); log::error!("Failed to load provider configuration! {e}");
return HttpResponse::InternalServerError().body(build_fatal_error_page( return HttpResponse::InternalServerError().body(build_fatal_error_page(
"Failed to load provider configuration!", "Failed to load provider configuration!",
)); ));
@ -222,7 +222,7 @@ pub async fn finish_login(
let token = match token { let token = match token {
Ok(t) => t, Ok(t) => t,
Err(e) => { Err(e) => {
log::error!("Failed to retrieve login token! {:?}", e); log::error!("Failed to retrieve login token! {e:?}");
bruteforce bruteforce
.send(bruteforce_actor::RecordFailedAttempt { .send(bruteforce_actor::RecordFailedAttempt {
@ -247,7 +247,7 @@ pub async fn finish_login(
let user_info = match provider_config.get_userinfo(&token).await { let user_info = match provider_config.get_userinfo(&token).await {
Ok(info) => info, Ok(info) => info,
Err(e) => { Err(e) => {
log::error!("Failed to retrieve user information! {:?}", e); log::error!("Failed to retrieve user information! {e:?}");
logger.log(Action::ProviderFailedGetUserInfo { logger.log(Action::ProviderFailedGetUserInfo {
provider: &provider, provider: &provider,

@ -1,6 +1,6 @@
use actix::Addr; use actix::Addr;
use actix_remote_ip::RemoteIP; use actix_remote_ip::RemoteIP;
use actix_web::{web, HttpResponse, Responder}; use actix_web::{HttpResponse, Responder, web};
use askama::Template; use askama::Template;
use crate::actors::bruteforce_actor::BruteForceActor; use crate::actors::bruteforce_actor::BruteForceActor;

@ -1,5 +1,5 @@
use actix::Addr; use actix::Addr;
use actix_web::{web, HttpResponse, Responder}; use actix_web::{HttpResponse, Responder, web};
use uuid::Uuid; use uuid::Uuid;
use webauthn_rs::prelude::RegisterPublicKeyCredential; use webauthn_rs::prelude::RegisterPublicKeyCredential;
@ -94,7 +94,7 @@ pub async fn save_webauthn_factor(
let key = match manager.finish_registration(&user, &form.0.opaque_state, form.0.credential) { let key = match manager.finish_registration(&user, &form.0.opaque_state, form.0.credential) {
Ok(k) => k, Ok(k) => k,
Err(e) => { Err(e) => {
log::error!("Failed to register security key! {:?}", e); log::error!("Failed to register security key! {e:?}");
return HttpResponse::InternalServerError().body("Failed to register key!"); return HttpResponse::InternalServerError().body("Failed to register key!");
} }
}; };

@ -2,8 +2,8 @@ use std::ops::Deref;
use actix_web::{HttpResponse, Responder}; use actix_web::{HttpResponse, Responder};
use askama::Template; use askama::Template;
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine as _; use base64::Engine as _;
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use qrcode_generator::QrCodeEcc; use qrcode_generator::QrCodeEcc;
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN; use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
@ -68,7 +68,7 @@ pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser)
let qr_code = match qr_code { let qr_code = match qr_code {
Ok(q) => q, Ok(q) => q,
Err(e) => { Err(e) => {
log::error!("Failed to generate QrCode! {:?}", e); log::error!("Failed to generate QrCode! {e:?}");
return HttpResponse::InternalServerError().body("Failed to generate QrCode!"); return HttpResponse::InternalServerError().body("Failed to generate QrCode!");
} }
}; };
@ -95,7 +95,7 @@ pub async fn add_webauthn_factor_route(
let registration_request = match manager.start_register(&user) { let registration_request = match manager.start_register(&user) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to request new key! {:?}", e); log::error!("Failed to request new key! {e:?}");
return HttpResponse::InternalServerError() return HttpResponse::InternalServerError()
.body("Failed to generate request for registration!"); .body("Failed to generate request for registration!");
} }
@ -104,7 +104,7 @@ pub async fn add_webauthn_factor_route(
let challenge_json = match serde_json::to_string(&registration_request.creation_challenge) { let challenge_json = match serde_json::to_string(&registration_request.creation_challenge) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to serialize challenge! {:?}", e); log::error!("Failed to serialize challenge! {e:?}");
return HttpResponse::InternalServerError().body("Failed to serialize challenge!"); return HttpResponse::InternalServerError().body("Failed to serialize challenge!");
} }
}; };

@ -6,7 +6,7 @@ use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_remote_ip::RemoteIP; use actix_remote_ip::RemoteIP;
use actix_web::dev::Payload; use actix_web::dev::Payload;
use actix_web::{web, Error, FromRequest, HttpRequest}; use actix_web::{Error, FromRequest, HttpRequest, web};
use crate::actors::providers_states_actor::ProviderLoginState; use crate::actors::providers_states_actor::ProviderLoginState;
use crate::actors::users_actor; use crate::actors::users_actor;
@ -142,27 +142,55 @@ impl Action<'_> {
false => format!("performed FAILED webauthn attempt for user {user_id:?}"), false => format!("performed FAILED webauthn attempt for user {user_id:?}"),
}, },
Action::StartLoginAttemptWithOpenIDProvider { provider_id, state } => format!( Action::StartLoginAttemptWithOpenIDProvider { provider_id, state } => format!(
"started new authentication attempt through an OpenID provider (prov={} / state={state})", provider_id.0 "started new authentication attempt through an OpenID provider (prov={} / state={state})",
provider_id.0
),
Action::ProviderError { message } => {
format!("failed provider authentication with message '{message}'")
}
Action::ProviderCBInvalidState { state } => {
format!("provided invalid callback state after provider authentication: '{state}'")
}
Action::ProviderRateLimited => {
"could not complete OpenID login because it has reached failed attempts rate limit!"
.to_string()
}
Action::ProviderFailedGetToken { state, code } => format!(
"could not complete login from provider because the id_token could not be retrieved! (state={state:?} code = {code})"
),
Action::ProviderFailedGetUserInfo { provider } => format!(
"could not get user information from userinfo endpoint of provider {}!",
provider.id.0
),
Action::ProviderEmailNotValidated { provider } => format!(
"could not login using provider {} because its email was marked as not validated!",
provider.id.0
),
Action::ProviderMissingEmailInResponse { provider } => format!(
"could not login using provider {} because the email was not provided by userinfo endpoint!",
provider.id.0
),
Action::ProviderAccountNotFound { provider, email } => format!(
"could not login using provider {} because the email {email} could not be associated to any account!",
&provider.id.0
),
Action::ProviderAccountDisabled { provider, email } => format!(
"could not login using provider {} because the account associated to the email {email} is disabled!",
&provider.id.0
),
Action::ProviderAccountNotAllowedToLoginWithProvider { provider, email } => format!(
"could not login using provider {} because the account associated to the email {email} is not allowed to authenticate using this provider!",
&provider.id.0
),
Action::ProviderLoginFailed { provider, email } => format!(
"could not login using provider {} with the email {email} for an unknown reason!",
&provider.id.0
),
Action::ProviderLoginSuccessful { provider, user } => format!(
"successfully authenticated using provider {} as {}",
provider.id.0,
user.quick_identity()
), ),
Action::ProviderError { message } =>
format!("failed provider authentication with message '{message}'"),
Action::ProviderCBInvalidState { state } =>
format!("provided invalid callback state after provider authentication: '{state}'"),
Action::ProviderRateLimited => "could not complete OpenID login because it has reached failed attempts rate limit!".to_string(),
Action::ProviderFailedGetToken {state, code} => format!("could not complete login from provider because the id_token could not be retrieved! (state={:?} code = {code})",state),
Action::ProviderFailedGetUserInfo {provider} => format!("could not get user information from userinfo endpoint of provider {}!", provider.id.0),
Action::ProviderEmailNotValidated {provider}=>format!("could not login using provider {} because its email was marked as not validated!", provider.id.0),
Action::ProviderMissingEmailInResponse {provider}=>format!("could not login using provider {} because the email was not provided by userinfo endpoint!", provider.id.0),
Action::ProviderAccountNotFound { provider, email } =>
format!("could not login using provider {} because the email {email} could not be associated to any account!", &provider.id.0),
Action::ProviderAccountDisabled { provider, email } =>
format!("could not login using provider {} because the account associated to the email {email} is disabled!", &provider.id.0),
Action::ProviderAccountNotAllowedToLoginWithProvider { provider, email } =>
format!("could not login using provider {} because the account associated to the email {email} is not allowed to authenticate using this provider!", &provider.id.0),
Action::ProviderLoginFailed { provider, email } =>
format!("could not login using provider {} with the email {email} for an unknown reason!", &provider.id.0),
Action::ProviderLoginSuccessful {provider, user} =>
format!("successfully authenticated using provider {} as {}", provider.id.0, user.quick_identity()),
Action::Signout => "signed out".to_string(), Action::Signout => "signed out".to_string(),
Action::UserNeed2FAOnLogin(user) => { Action::UserNeed2FAOnLogin(user) => {
format!( format!(
@ -181,7 +209,9 @@ impl Action<'_> {
format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT") format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT")
} }
Action::TryLocalLoginFromUnauthorizedAccount(login) => { Action::TryLocalLoginFromUnauthorizedAccount(login) => {
format!("successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!") format!(
"successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!"
)
} }
Action::FailedLoginWithBadCredentials(login) => { Action::FailedLoginWithBadCredentials(login) => {
format!("attempted to authenticate as {login} but with a WRONG PASSWORD") format!("attempted to authenticate as {login} but with a WRONG PASSWORD")
@ -202,7 +232,10 @@ impl Action<'_> {
Action::NewOpenIDSession { client } => { Action::NewOpenIDSession { client } => {
format!("opened a new OpenID session with {:?}", client.id) format!("opened a new OpenID session with {:?}", client.id)
} }
Action::NewOpenIDSuccessfulImplicitAuth { client } => format!("finished an implicit flow connection for client {:?}", client.id), Action::NewOpenIDSuccessfulImplicitAuth { client } => format!(
"finished an implicit flow connection for client {:?}",
client.id
),
Action::ChangedHisPassword => "changed his password".to_string(), Action::ChangedHisPassword => "changed his password".to_string(),
Action::ClearedHisLoginHistory => "cleared his login history".to_string(), Action::ClearedHisLoginHistory => "cleared his login history".to_string(),
Action::AddNewFactor(factor) => format!( Action::AddNewFactor(factor) => format!(
@ -227,7 +260,7 @@ impl ActionLogger {
None => "Anonymous user".to_string(), None => "Anonymous user".to_string(),
Some(u) => u.quick_identity(), Some(u) => u.quick_identity(),
}, },
self.ip.to_string(), self.ip,
action.as_string() action.as_string()
) )
} }

@ -7,12 +7,6 @@ use std::collections::HashMap;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
pub struct ClientID(pub String); pub struct ClientID(pub String);
#[derive(Debug, Copy, Clone, Eq, PartialEq)]
pub enum AuthenticationFlow {
AuthorizationCode,
Implicit,
}
pub type AdditionalClaims = HashMap<String, Value>; pub type AdditionalClaims = HashMap<String, Value>;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
@ -61,12 +55,9 @@ impl PartialEq for Client {
impl Eq for Client {} impl Eq for Client {}
impl Client { impl Client {
/// Get the client authentication flow /// Check if the client has a secret defined
pub fn auth_flow(&self) -> AuthenticationFlow { pub fn has_secret(&self) -> bool {
match self.secret { self.secret.is_some()
None => AuthenticationFlow::Implicit,
Some(_) => AuthenticationFlow::AuthorizationCode,
}
} }
/// Process a single claim value /// Process a single claim value

@ -1,5 +1,5 @@
use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD;
use base64::Engine as _; use base64::Engine as _;
use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD;
use crate::utils::crypt_utils::sha256; use crate::utils::crypt_utils::sha256;
@ -22,7 +22,7 @@ impl CodeChallenge {
encoded.eq(&self.code_challenge) encoded.eq(&self.code_challenge)
} }
s => { s => {
log::error!("Unknown code challenge method: {}", s); log::error!("Unknown code challenge method: {s}");
false false
} }
} }
@ -40,8 +40,8 @@ mod test {
code_challenge: "text1".to_string(), code_challenge: "text1".to_string(),
}; };
assert_eq!(true, chal.verify_code("text1")); assert!(chal.verify_code("text1"));
assert_eq!(false, chal.verify_code("text2")); assert!(!chal.verify_code("text2"));
} }
#[test] #[test]
@ -51,8 +51,8 @@ mod test {
code_challenge: "uSOvC48D8TMh6RgW-36XppMlMgys-6KAE_wEIev9W2g".to_string(), code_challenge: "uSOvC48D8TMh6RgW-36XppMlMgys-6KAE_wEIev9W2g".to_string(),
}; };
assert_eq!(true, chal.verify_code("HIwht3lCHfnsruA+7Sq8NP2mPj5cBZe0Ewf23eK9UQhK4TdCIt3SK7Fr/giCdnfjxYQILOPG2D562emggAa2lA==")); assert!(chal.verify_code("HIwht3lCHfnsruA+7Sq8NP2mPj5cBZe0Ewf23eK9UQhK4TdCIt3SK7Fr/giCdnfjxYQILOPG2D562emggAa2lA=="));
assert_eq!(false, chal.verify_code("text1")); assert!(!chal.verify_code("text1"));
} }
#[test] #[test]
@ -62,10 +62,7 @@ mod test {
code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".to_string(), code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".to_string(),
}; };
assert_eq!( assert!(chal.verify_code("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"));
true, assert!(!chal.verify_code("text1"));
chal.verify_code("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
);
assert_eq!(false, chal.verify_code("text1"));
} }
} }

@ -1,6 +1,6 @@
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::from_request_redirect::FromRequestRedirect; use crate::data::from_request_redirect::FromRequestRedirect;
use crate::data::login_redirect::{get_2fa_url, LoginRedirect}; use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
use actix_web::dev::Payload; use actix_web::dev::Payload;
use actix_web::{FromRequest, HttpRequest}; use actix_web::{FromRequest, HttpRequest};
use std::future::Future; use std::future::Future;

@ -6,7 +6,7 @@ use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_web::dev::Payload; use actix_web::dev::Payload;
use actix_web::error::ErrorInternalServerError; use actix_web::error::ErrorInternalServerError;
use actix_web::{web, Error, FromRequest, HttpRequest}; use actix_web::{Error, FromRequest, HttpRequest, web};
use crate::actors::users_actor; use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor; use crate::actors::users_actor::UsersActor;

@ -20,7 +20,10 @@ where
/// Open entity /// Open entity
pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> { pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> {
if !path.as_ref().is_file() { if !path.as_ref().is_file() {
log::warn!("Entities at {:?} does not point to a file, creating a new empty entity container...", path.as_ref()); log::warn!(
"Entities at {:?} does not point to a file, creating a new empty entity container...",
path.as_ref()
);
return Ok(Self { return Ok(Self {
file_path: path.as_ref().to_path_buf(), file_path: path.as_ref().to_path_buf(),
list: vec![], list: vec![],

@ -2,7 +2,7 @@ use crate::data::current_user::CurrentUser;
use crate::data::session_identity::SessionIdentity; use crate::data::session_identity::SessionIdentity;
use actix_identity::Identity; use actix_identity::Identity;
use actix_web::dev::Payload; use actix_web::dev::Payload;
use actix_web::{web, Error, FromRequest, HttpRequest}; use actix_web::{Error, FromRequest, HttpRequest, web};
use std::future::Future; use std::future::Future;
use std::pin::Pin; use std::pin::Pin;

@ -1,12 +1,12 @@
use jwt_simple::algorithms::RSAKeyPairLike; use jwt_simple::algorithms::RSAKeyPairLike;
use jwt_simple::claims::JWTClaims; use jwt_simple::claims::JWTClaims;
use jwt_simple::prelude::RS256KeyPair; use jwt_simple::prelude::RS256KeyPair;
use serde::de::DeserializeOwned;
use serde::Serialize; use serde::Serialize;
use serde::de::DeserializeOwned;
use base64::Engine as _;
use base64::engine::general_purpose::URL_SAFE as BASE64_URL_URL_SAFE; use base64::engine::general_purpose::URL_SAFE as BASE64_URL_URL_SAFE;
use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD; use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD;
use base64::Engine as _;
use crate::utils::err::Res; use crate::utils::err::Res;
use crate::utils::string_utils::rand_str; use crate::utils::string_utils::rand_str;

@ -26,7 +26,9 @@ impl ProviderConfiguration {
let state = urlencoding::encode(&state.state_id).to_string(); let state = urlencoding::encode(&state.state_id).to_string();
let callback_url = AppConfig::get().oidc_provider_redirect_url(); let callback_url = AppConfig::get().oidc_provider_redirect_url();
format!("{authorization_url}?response_type=code&scope=openid%20profile%20email&client_id={client_id}&state={state}&redirect_uri={callback_url}") format!(
"{authorization_url}?response_type=code&scope=openid%20profile%20email&client_id={client_id}&state={state}&redirect_uri={callback_url}"
)
} }
/// Retrieve the authorization token after a successful authentication, using an authorization code /// Retrieve the authorization token after a successful authentication, using an authorization code

@ -46,7 +46,7 @@ impl SessionIdentity<'_> {
.map(|f| match f { .map(|f| match f {
Ok(d) => Some(d), Ok(d) => Some(d),
Err(e) => { Err(e) => {
log::warn!("Failed to deserialize session data! {:?}", e); log::warn!("Failed to deserialize session data! {e:?}");
None None
} }
}) })
@ -65,7 +65,7 @@ impl SessionIdentity<'_> {
log::debug!("Will set user session data."); log::debug!("Will set user session data.");
if let Err(e) = Identity::login(&req.extensions(), s) { if let Err(e) = Identity::login(&req.extensions(), s) {
log::error!("Failed to set session data! {}", e); log::error!("Failed to set session data! {e}");
} }
log::debug!("Did set user session data."); log::debug!("Did set user session data.");
} }

@ -1,5 +1,3 @@
use std::io::ErrorKind;
use base32::Alphabet; use base32::Alphabet;
use rand::Rng; use rand::Rng;
use totp_rfc6238::{HashAlgorithm, TotpGenerator}; use totp_rfc6238::{HashAlgorithm, TotpGenerator};
@ -21,7 +19,7 @@ pub struct TotpKey {
impl TotpKey { impl TotpKey {
/// Generate a new TOTP key /// Generate a new TOTP key
pub fn new_random() -> Self { pub fn new_random() -> Self {
let random_bytes = rand::thread_rng().gen::<[u8; 20]>(); let random_bytes = rand::rng().random::<[u8; 20]>();
Self { Self {
encoded: base32::encode(BASE32_ALPHABET, &random_bytes), encoded: base32::encode(BASE32_ALPHABET, &random_bytes),
} }
@ -80,7 +78,7 @@ impl TotpKey {
/// Get the code at a specific time /// Get the code at a specific time
fn get_code_at<F: Fn() -> u64>(&self, get_time: F) -> Res<String> { fn get_code_at<F: Fn() -> u64>(&self, get_time: F) -> Res<String> {
let gen = TotpGenerator::new() let generator = TotpGenerator::new()
.set_digit(NUM_DIGITS) .set_digit(NUM_DIGITS)
.unwrap() .unwrap()
.set_step(PERIOD) .set_step(PERIOD)
@ -90,15 +88,14 @@ impl TotpKey {
let key = match base32::decode(BASE32_ALPHABET, &self.encoded) { let key = match base32::decode(BASE32_ALPHABET, &self.encoded) {
None => { None => {
return Err(Box::new(std::io::Error::new( return Err(Box::new(std::io::Error::other(
ErrorKind::Other,
"Failed to decode base32 secret!", "Failed to decode base32 secret!",
))); )));
} }
Some(k) => k, Some(k) => k,
}; };
Ok(gen.get_code_with(&key, get_time)) Ok(generator.get_code_with(&key, get_time))
} }
/// Check a code's validity /// Check a code's validity

@ -3,7 +3,7 @@ use std::net::IpAddr;
use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersSyncBackend}; use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersSyncBackend};
use crate::data::entity_manager::EntityManager; use crate::data::entity_manager::EntityManager;
use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID}; use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
use crate::utils::err::{new_error, Res}; use crate::utils::err::{Res, new_error};
use crate::utils::time::time; use crate::utils::time::time;
impl EntityManager<User> { impl EntityManager<User> {
@ -18,7 +18,7 @@ impl EntityManager<User> {
}; };
if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) { if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) {
log::error!("Failed to update user information! {:?}", e); log::error!("Failed to update user information! {e:?}");
return Err(e); return Err(e);
} }
@ -34,7 +34,7 @@ fn verify_password<P: AsRef<[u8]>>(pwd: P, hash: &str) -> bool {
match bcrypt::verify(pwd, hash) { match bcrypt::verify(pwd, hash) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::warn!("Failed to verify password! {:?}", e); log::warn!("Failed to verify password! {e:?}");
false false
} }
} }

@ -1,4 +1,3 @@
use std::io::ErrorKind;
use std::sync::Arc; use std::sync::Arc;
use actix_web::web; use actix_web::web;
@ -109,17 +108,11 @@ impl WebAuthManager {
) -> Res<WebauthnPubKey> { ) -> Res<WebauthnPubKey> {
let state: RegisterKeyOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?; let state: RegisterKeyOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;
if state.user_id != user.uid { if state.user_id != user.uid {
return Err(Box::new(std::io::Error::new( return Err(Box::new(std::io::Error::other("Invalid user for pubkey!")));
ErrorKind::Other,
"Invalid user for pubkey!",
)));
} }
if state.expire < time() { if state.expire < time() {
return Err(Box::new(std::io::Error::new( return Err(Box::new(std::io::Error::other("Challenge has expired!")));
ErrorKind::Other,
"Challenge has expired!",
)));
} }
let res = self.core.finish_passkey_registration( let res = self.core.finish_passkey_registration(
@ -157,17 +150,11 @@ impl WebAuthManager {
) -> Res { ) -> Res {
let state: AuthStateOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?; let state: AuthStateOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;
if &state.user_id != user_id { if &state.user_id != user_id {
return Err(Box::new(std::io::Error::new( return Err(Box::new(std::io::Error::other("Invalid user for pubkey!")));
ErrorKind::Other,
"Invalid user for pubkey!",
)));
} }
if state.expire < time() { if state.expire < time() {
return Err(Box::new(std::io::Error::new( return Err(Box::new(std::io::Error::other("Challenge has expired!")));
ErrorKind::Other,
"Challenge has expired!",
)));
} }
self.core.finish_passkey_authentication( self.core.finish_passkey_authentication(

@ -2,14 +2,14 @@ use core::time::Duration;
use std::sync::Arc; use std::sync::Arc;
use actix::Actor; use actix::Actor;
use actix_identity::config::LogoutBehaviour;
use actix_identity::IdentityMiddleware; use actix_identity::IdentityMiddleware;
use actix_identity::config::LogoutBehaviour;
use actix_remote_ip::RemoteIPConfig; use actix_remote_ip::RemoteIPConfig;
use actix_session::storage::CookieSessionStore;
use actix_session::SessionMiddleware; use actix_session::SessionMiddleware;
use actix_session::storage::CookieSessionStore;
use actix_web::cookie::{Key, SameSite}; use actix_web::cookie::{Key, SameSite};
use actix_web::middleware::Logger; use actix_web::middleware::Logger;
use actix_web::{get, middleware, web, App, HttpResponse, HttpServer}; use actix_web::{App, HttpResponse, HttpServer, get, middleware, web};
use basic_oidc::actors::bruteforce_actor::BruteForceActor; use basic_oidc::actors::bruteforce_actor::BruteForceActor;
use basic_oidc::actors::openid_sessions_actor::OpenIDSessionsActor; use basic_oidc::actors::openid_sessions_actor::OpenIDSessionsActor;
@ -51,7 +51,7 @@ async fn main() -> std::io::Result<()> {
// Create initial user if required // Create initial user if required
if users.is_empty() { if users.is_empty() {
log::info!("Create default {} user", DEFAULT_ADMIN_USERNAME); log::info!("Create default {DEFAULT_ADMIN_USERNAME} user");
let default_admin = User { let default_admin = User {
username: DEFAULT_ADMIN_USERNAME.to_string(), username: DEFAULT_ADMIN_USERNAME.to_string(),
authorized_clients: None, authorized_clients: None,

@ -1,15 +1,15 @@
//! # Authentication middleware //! # Authentication middleware
use std::future::{ready, Future, Ready}; use std::future::{Future, Ready, ready};
use std::pin::Pin; use std::pin::Pin;
use std::rc::Rc; use std::rc::Rc;
use actix_identity::IdentityExt; use actix_identity::IdentityExt;
use actix_web::body::EitherBody; use actix_web::body::EitherBody;
use actix_web::http::{header, Method}; use actix_web::http::{Method, header};
use actix_web::{ use actix_web::{
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
Error, HttpResponse, Error, HttpResponse,
dev::{Service, ServiceRequest, ServiceResponse, Transform, forward_ready},
}; };
use crate::constants::{ use crate::constants::{
@ -97,10 +97,7 @@ where
.unwrap_or("bad") .unwrap_or("bad")
.eq(&AppConfig::get().website_origin) .eq(&AppConfig::get().website_origin)
{ {
log::warn!( log::warn!("Blocked POST request from invalid origin! Origin given {o:?}");
"Blocked POST request from invalid origin! Origin given {:?}",
o
);
return Ok(req.into_response( return Ok(req.into_response(
HttpResponse::Unauthorized() HttpResponse::Unauthorized()
.body("POST request from invalid origin!") .body("POST request from invalid origin!")
@ -133,8 +130,8 @@ where
_ => ConnStatus::SignedOut, _ => ConnStatus::SignedOut,
}; };
log::trace!("Connection data: {:#?}", session_data); log::trace!("Connection data: {session_data:#?}");
log::debug!("Connection status: {:?}", session); log::debug!("Connection status: {session:?}");
// Redirect user to login page // Redirect user to login page
if !session.is_auth() if !session.is_auth()

@ -1,14 +1,9 @@
use lazy_regex::regex_find; use lazy_regex::regex_find;
use rand::distributions::Alphanumeric; use rand::distr::{Alphanumeric, SampleString};
use rand::Rng;
/// Generate a random string of a given size /// Generate a random string of a given size
pub fn rand_str(len: usize) -> String { pub fn rand_str(len: usize) -> String {
rand::thread_rng() Alphanumeric.sample_string(&mut rand::rng(), len)
.sample_iter(&Alphanumeric)
.map(char::from)
.take(len)
.collect()
} }
/// Parse environment variables /// Parse environment variables
@ -49,8 +44,10 @@ mod test {
const VAR_ONE: &str = "VAR_ONE"; const VAR_ONE: &str = "VAR_ONE";
#[test] #[test]
fn test_apply_env_var() { fn test_apply_env_var() {
unsafe {
env::set_var(VAR_ONE, "good"); env::set_var(VAR_ONE, "good");
let src = format!("This is ${{{}}}", VAR_ONE); }
let src = format!("This is ${{{VAR_ONE}}}");
assert_eq!("This is good", apply_env_vars(&src)); assert_eq!("This is good", apply_env_vars(&src));
} }
@ -58,7 +55,7 @@ mod test {
#[test] #[test]
fn test_invalid_var_syntax() { fn test_invalid_var_syntax() {
let src = format!("This is ${{{}}}", VAR_INVALID); let src = format!("This is ${{{VAR_INVALID}}}");
assert_eq!(src, apply_env_vars(&src)); assert_eq!(src, apply_env_vars(&src));
} }