BasicOIDC/src/controllers/login_controller.rs

188 lines
5.6 KiB
Rust

use actix::Addr;
use actix_identity::Identity;
use actix_web::{HttpResponse, Responder, web};
use askama::Template;
use crate::actors::{bruteforce_actor, users_actor};
use crate::actors::bruteforce_actor::BruteForceActor;
use crate::actors::users_actor::{ChangePasswordResult, LoginResult, UsersActor};
use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS, MIN_PASS_LEN};
use crate::controllers::base_controller::{FatalErrorPage, redirect_user};
use crate::data::remote_ip::RemoteIP;
use crate::data::session_identity::{SessionIdentity, SessionStatus};
struct BaseLoginPage {
danger: String,
success: String,
page_title: &'static str,
app_name: &'static str,
redirect_uri: String,
}
#[derive(Template)]
#[template(path = "login/login.html")]
struct LoginTemplate {
_p: BaseLoginPage,
login: String,
}
#[derive(Template)]
#[template(path = "login/password_reset.html")]
struct PasswordResetTemplate {
_p: BaseLoginPage,
min_pass_len: usize,
}
#[derive(serde::Deserialize)]
pub struct LoginRequestBody {
login: String,
password: String,
}
#[derive(serde::Deserialize)]
pub struct LoginRequestQuery {
logout: Option<bool>,
redirect: Option<String>,
}
/// Authenticate user
pub async fn login_route(
remote_ip: RemoteIP,
users: web::Data<Addr<UsersActor>>,
bruteforce: web::Data<Addr<BruteForceActor>>,
query: web::Query<LoginRequestQuery>,
req: Option<web::Form<LoginRequestBody>>,
id: Identity,
) -> impl Responder {
let mut danger = String::new();
let mut success = String::new();
let mut login = String::new();
let failed_attempts = bruteforce.send(bruteforce_actor::CountFailedAttempt { ip: remote_ip.into() })
.await.unwrap();
if failed_attempts > MAX_FAILED_LOGIN_ATTEMPTS {
return HttpResponse::TooManyRequests().body(
FatalErrorPage {
message: "Too many failed login attempts, please try again later!"
}.render().unwrap()
);
}
let redirect_uri = match query.redirect.as_deref() {
None => "/",
Some(s) => match s.starts_with('/') && !s.starts_with("//") {
true => s,
false => "/",
},
};
// Check if user session must be closed
if let Some(true) = query.logout {
id.forget();
success = "Goodbye!".to_string();
}
// Check if user is already authenticated
if SessionIdentity(&id).is_authenticated() {
return redirect_user(redirect_uri);
}
// Check if user is setting a new password
if let (Some(req), true) = (&req, SessionIdentity(&id).need_new_password()) {
if req.password.len() < MIN_PASS_LEN {
danger = "Password is too short!".to_string();
} else {
let res: ChangePasswordResult = users
.send(users_actor::ChangePasswordRequest {
user_id: SessionIdentity(&id).user_id(),
new_password: req.password.clone(),
temporary: false,
})
.await
.unwrap();
if !res.0 {
danger = "Failed to change password!".to_string();
} else {
SessionIdentity(&id).set_status(SessionStatus::SignedIn);
return redirect_user(redirect_uri);
}
}
}
// Try to authenticate user
else if let Some(req) = &req {
login = req.login.clone();
let response: LoginResult = users
.send(users_actor::LoginRequest {
login: login.clone(),
password: req.password.clone(),
})
.await
.unwrap();
match response {
LoginResult::Success(user) => {
SessionIdentity(&id).set_user(&user);
if user.need_reset_password {
SessionIdentity(&id).set_status(SessionStatus::NeedNewPassword);
} else {
return redirect_user(redirect_uri);
}
}
LoginResult::AccountDisabled => {
log::warn!("Failed login for username {} : account is disabled", login);
danger = "Your account is disabled!".to_string();
}
c => {
log::warn!("Failed login for ip {:?} / username {}: {:?}", remote_ip, login, c);
danger = "Login failed.".to_string();
bruteforce.send(bruteforce_actor::RecordFailedAttempt { ip: remote_ip.into() }).await.unwrap();
}
}
}
// Display password reset form if it is appropriate
if SessionIdentity(&id).need_new_password() {
return HttpResponse::Ok().content_type("text/html").body(
PasswordResetTemplate {
_p: BaseLoginPage {
page_title: "Password reset",
danger,
success,
app_name: APP_NAME,
redirect_uri: urlencoding::encode(redirect_uri).to_string(),
},
min_pass_len: MIN_PASS_LEN,
}
.render()
.unwrap(),
);
}
HttpResponse::Ok().content_type("text/html").body(
LoginTemplate {
_p: BaseLoginPage {
page_title: "Login",
danger,
success,
app_name: APP_NAME,
redirect_uri: urlencoding::encode(redirect_uri).to_string(),
},
login,
}
.render()
.unwrap(),
)
}
/// Sign out user
pub async fn logout_route() -> impl Responder {
redirect_user("/login?logout=true")
}