Add users authentication routes

matrixgw_backend/src/controllers/auth_controller.rs

@@ -0,0 +1,131 @@
+use crate::app_config::AppConfig;
+use crate::controllers::{HttpFailure, HttpResult};
+use crate::extractors::auth_extractor::{AuthExtractor, AuthenticatedMethod};
+use crate::extractors::session_extractor::MatrixGWSession;
+use crate::users::{User, UserEmail};
+use actix_remote_ip::RemoteIP;
+use actix_web::{HttpResponse, web};
+use light_openid::primitives::OpenIDConfig;
+
+#[derive(serde::Serialize)]
+struct StartOIDCResponse {
+    url: String,
+}
+
+/// Start OIDC authentication
+pub async fn start_oidc(session: MatrixGWSession, remote_ip: RemoteIP) -> HttpResult {
+    let prov = AppConfig::get().openid_provider();
+
+    let conf = match OpenIDConfig::load_from_url(prov.configuration_url).await {
+        Ok(c) => c,
+        Err(e) => {
+            log::error!("Failed to fetch OpenID provider configuration! {e}");
+            return Ok(HttpResponse::InternalServerError()
+                .json("Failed to fetch OpenID provider configuration!"));
+        }
+    };
+
+    let state = match session.gen_oidc_state(remote_ip.0) {
+        Ok(s) => s,
+        Err(e) => {
+            log::error!("Failed to generate auth state! {e}");
+            return Ok(HttpResponse::InternalServerError().json("Failed to generate auth state!"));
+        }
+    };
+
+    Ok(HttpResponse::Ok().json(StartOIDCResponse {
+        url: conf.gen_authorization_url(
+            prov.client_id,
+            &state,
+            &AppConfig::get().openid_provider().redirect_url,
+        ),
+    }))
+}
+
+#[derive(serde::Deserialize)]
+pub struct FinishOpenIDLoginQuery {
+    code: String,
+    state: String,
+}
+
+/// Finish OIDC authentication
+pub async fn finish_oidc(
+    session: MatrixGWSession,
+    remote_ip: RemoteIP,
+    req: web::Json<FinishOpenIDLoginQuery>,
+) -> HttpResult {
+    if let Err(e) = session.validate_state(&req.state, remote_ip.0) {
+        log::error!("Failed to validate OIDC CB state! {e}");
+        return Ok(HttpResponse::BadRequest().json("Invalid state!"));
+    }
+
+    let prov = AppConfig::get().openid_provider();
+
+    let conf = OpenIDConfig::load_from_url(prov.configuration_url)
+        .await
+        .map_err(HttpFailure::OpenID)?;
+
+    let (token, _) = conf
+        .request_token(
+            prov.client_id,
+            prov.client_secret,
+            &req.code,
+            &AppConfig::get().openid_provider().redirect_url,
+        )
+        .await
+        .map_err(HttpFailure::OpenID)?;
+    let (user_info, _) = conf
+        .request_user_info(&token)
+        .await
+        .map_err(HttpFailure::OpenID)?;
+
+    if user_info.email_verified != Some(true) {
+        log::error!("Email is not verified!");
+        return Ok(HttpResponse::Unauthorized().json("Email unverified by IDP!"));
+    }
+
+    let mail = match user_info.email {
+        Some(m) => m,
+        None => {
+            return Ok(HttpResponse::Unauthorized().json("Email not provided by the IDP!"));
+        }
+    };
+
+    let user_name = user_info.name.unwrap_or_else(|| {
+        format!(
+            "{} {}",
+            user_info.given_name.as_deref().unwrap_or(""),
+            user_info.family_name.as_deref().unwrap_or("")
+        )
+    });
+
+    let user = User::create_or_update_user(&UserEmail(mail), &user_name).await?;
+
+    session.set_user(&user)?;
+
+    Ok(HttpResponse::Ok().finish())
+}
+
+/// Get current user information
+pub async fn auth_info(auth: AuthExtractor) -> HttpResult {
+    Ok(HttpResponse::Ok().json(auth.user))
+}
+
+/// Sign out user
+pub async fn sign_out(auth: AuthExtractor, session: MatrixGWSession) -> HttpResult {
+    match auth.method {
+        AuthenticatedMethod::Cookie => {
+            session.unset_current_user()?;
+        }
+
+        AuthenticatedMethod::Token(token) => {
+            token.delete(&auth.user.email).await?;
+        }
+
+        AuthenticatedMethod::Dev => {
+            // Nothing to be done, user is always authenticated
+        }
+    }
+
+    Ok(HttpResponse::NoContent().finish())
+}

matrixgw_backend/src/controllers/mod.rs

@@ -1 +1,34 @@
+use actix_web::http::StatusCode;
+use actix_web::{HttpResponse, ResponseError};
+use std::error::Error;
+
+pub mod auth_controller;
 pub mod server_controller;
+
+#[derive(thiserror::Error, Debug)]
+pub enum HttpFailure {
+    #[error("this resource requires higher privileges")]
+    Forbidden,
+    #[error("this resource was not found")]
+    NotFound,
+    #[error("an unspecified open id error occurred: {0}")]
+    OpenID(Box<dyn Error>),
+    #[error("an unspecified internal error occurred: {0}")]
+    InternalError(#[from] anyhow::Error),
+}
+
+impl ResponseError for HttpFailure {
+    fn status_code(&self) -> StatusCode {
+        match &self {
+            Self::Forbidden => StatusCode::FORBIDDEN,
+            Self::NotFound => StatusCode::NOT_FOUND,
+            _ => StatusCode::INTERNAL_SERVER_ERROR,
+        }
+    }
+
+    fn error_response(&self) -> HttpResponse {
+        HttpResponse::build(self.status_code()).body(self.to_string())
+    }
+}
+
+pub type HttpResult = Result<HttpResponse, HttpFailure>;