Add middleware to check authentication

This commit is contained in:
Pierre HUBERT 2023-09-02 19:15:11 +02:00
parent 849bf0cdfb
commit caaf3d703f
7 changed files with 126 additions and 8 deletions

View File

@ -6,3 +6,6 @@ pub const MAX_INACTIVITY_DURATION: u64 = 60 * 30;
/// Maximum session duration (6 hours) /// Maximum session duration (6 hours)
pub const MAX_SESSION_DURATION: u64 = 3600 * 6; pub const MAX_SESSION_DURATION: u64 = 3600 * 6;
/// The routes that can be accessed without authentication
pub const ROUTES_WITHOUT_AUTH: [&str; 3] = ["/", "/api/server/static_config", "/api/auth/local"];

View File

@ -1,5 +1,5 @@
use crate::app_config::AppConfig; use crate::app_config::AppConfig;
use crate::extractors::auth_extractor::AuthChecker; use crate::extractors::auth_extractor::AuthExtractor;
use crate::extractors::local_auth_extractor::LocalAuthEnabled; use crate::extractors::local_auth_extractor::LocalAuthEnabled;
use actix_web::{web, HttpResponse, Responder}; use actix_web::{web, HttpResponse, Responder};
@ -13,7 +13,7 @@ pub struct LocalAuthReq {
pub async fn local_auth( pub async fn local_auth(
local_auth_enabled: LocalAuthEnabled, local_auth_enabled: LocalAuthEnabled,
req: web::Json<LocalAuthReq>, req: web::Json<LocalAuthReq>,
auth: AuthChecker, auth: AuthExtractor,
) -> impl Responder { ) -> impl Responder {
if !*local_auth_enabled { if !*local_auth_enabled {
log::error!("Local auth attempt while this authentication method is disabled!"); log::error!("Local auth attempt while this authentication method is disabled!");
@ -29,3 +29,15 @@ pub async fn local_auth(
HttpResponse::Accepted().json("Welcome") HttpResponse::Accepted().json("Welcome")
} }
#[derive(serde::Serialize)]
struct CurrentUser {
id: String,
}
/// Get current authenticated user
pub async fn current_user(auth: AuthExtractor) -> impl Responder {
HttpResponse::Ok().json(CurrentUser {
id: auth.id().unwrap(),
})
}

View File

@ -4,24 +4,24 @@ use actix_web::{Error, FromRequest, HttpMessage, HttpRequest};
use futures_util::future::{ready, Ready}; use futures_util::future::{ready, Ready};
use std::fmt::Display; use std::fmt::Display;
pub struct AuthChecker { pub struct AuthExtractor {
identity: Option<Identity>, identity: Option<Identity>,
request: HttpRequest, request: HttpRequest,
} }
impl AuthChecker { impl AuthExtractor {
/// Check whether the user is authenticated or not /// Check whether the user is authenticated or not
pub fn is_authenticated(&self) -> bool { pub fn is_authenticated(&self) -> bool {
self.identity.is_some() self.identity.is_some()
} }
/// Authenticate the user /// Authenticate the user
pub fn authenticate(&self, username: impl Display) { pub fn authenticate(&self, id: impl Display) {
Identity::login(&self.request.extensions(), username.to_string()) Identity::login(&self.request.extensions(), id.to_string())
.expect("Unable to set authentication!"); .expect("Unable to set authentication!");
} }
pub fn user_name(&self) -> Option<String> { pub fn id(&self) -> Option<String> {
self.identity.as_ref().map(|i| i.id().unwrap()) self.identity.as_ref().map(|i| i.id().unwrap())
} }
@ -32,7 +32,7 @@ impl AuthChecker {
} }
} }
impl FromRequest for AuthChecker { impl FromRequest for AuthExtractor {
type Error = Error; type Error = Error;
type Future = Ready<Result<Self, Error>>; type Future = Ready<Result<Self, Error>>;

View File

@ -2,3 +2,4 @@ pub mod app_config;
pub mod constants; pub mod constants;
pub mod controllers; pub mod controllers;
pub mod extractors; pub mod extractors;
pub mod middlewares;

View File

@ -12,6 +12,7 @@ use virtweb_backend::constants::{
MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION, SESSION_COOKIE_NAME, MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION, SESSION_COOKIE_NAME,
}; };
use virtweb_backend::controllers::{auth_controller, server_controller}; use virtweb_backend::controllers::{auth_controller, server_controller};
use virtweb_backend::middlewares::auth_middleware::AuthChecker;
#[actix_web::main] #[actix_web::main]
async fn main() -> std::io::Result<()> { async fn main() -> std::io::Result<()> {
@ -37,6 +38,7 @@ async fn main() -> std::io::Result<()> {
App::new() App::new()
.wrap(Logger::default()) .wrap(Logger::default())
.wrap(AuthChecker)
.wrap(identity_middleware) .wrap(identity_middleware)
.wrap(session_mw) .wrap(session_mw)
.app_data(web::Data::new(RemoteIPConfig { .app_data(web::Data::new(RemoteIPConfig {
@ -53,6 +55,10 @@ async fn main() -> std::io::Result<()> {
"/api/auth/local", "/api/auth/local",
web::post().to(auth_controller::local_auth), web::post().to(auth_controller::local_auth),
) )
.route(
"/api/auth/user",
web::get().to(auth_controller::current_user),
)
}) })
.bind(&AppConfig::get().listen_address)? .bind(&AppConfig::get().listen_address)?
.run() .run()

View File

@ -0,0 +1 @@
pub mod auth_middleware;

View File

@ -0,0 +1,95 @@
use std::future::{ready, Ready};
use std::rc::Rc;
use crate::constants;
use crate::extractors::auth_extractor::AuthExtractor;
use actix_web::body::EitherBody;
use actix_web::dev::Payload;
use actix_web::{
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
Error, FromRequest, HttpResponse,
};
use futures_util::future::LocalBoxFuture;
// There are two steps in middleware processing.
// 1. Middleware initialization, middleware factory gets called with
// next service in chain as parameter.
// 2. Middleware's call method gets called with normal request.
#[derive(Default)]
pub struct AuthChecker;
// Middleware factory is `Transform` trait
// `S` - type of the next service
// `B` - type of response's body
impl<S, B> Transform<S, ServiceRequest> for AuthChecker
where
S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
S::Future: 'static,
B: 'static,
{
type Response = ServiceResponse<EitherBody<B>>;
type Error = Error;
type InitError = ();
type Transform = AuthMiddleware<S>;
type Future = Ready<Result<Self::Transform, Self::InitError>>;
fn new_transform(&self, service: S) -> Self::Future {
ready(Ok(AuthMiddleware {
service: Rc::new(service),
}))
}
}
pub struct AuthMiddleware<S> {
service: Rc<S>,
}
impl<S, B> Service<ServiceRequest> for AuthMiddleware<S>
where
S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
S::Future: 'static,
B: 'static,
{
type Response = ServiceResponse<EitherBody<B>>;
type Error = Error;
type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
forward_ready!(service);
fn call(&self, req: ServiceRequest) -> Self::Future {
let service = Rc::clone(&self.service);
Box::pin(async move {
// Check authentication, if required
if !constants::ROUTES_WITHOUT_AUTH.contains(&req.path()) {
let auth = match AuthExtractor::from_request(req.request(), &mut Payload::None)
.into_inner()
{
Ok(auth) => auth,
Err(e) => {
log::error!(
"Failed to extract authentication information from request! {e}"
);
return Ok(req
.into_response(HttpResponse::InternalServerError().finish())
.map_into_right_body());
}
};
if !auth.is_authenticated() {
log::error!(
"User attempted to access privileged route without authentication!"
);
return Ok(req
.into_response(HttpResponse::Unauthorized().json("Please authenticate!"))
.map_into_right_body());
}
}
service
.call(req)
.await
.map(ServiceResponse::map_into_left_body)
})
}
}