Add middleware to check authentication
parent
849bf0cdfb
commit
caaf3d703f
@ -6,3 +6,6 @@ pub const MAX_INACTIVITY_DURATION: u64 = 60 * 30;
|
|||||||
|
|
||||||
/// Maximum session duration (6 hours)
|
/// Maximum session duration (6 hours)
|
||||||
pub const MAX_SESSION_DURATION: u64 = 3600 * 6;
|
pub const MAX_SESSION_DURATION: u64 = 3600 * 6;
|
||||||
|
|
||||||
|
/// The routes that can be accessed without authentication
|
||||||
|
pub const ROUTES_WITHOUT_AUTH: [&str; 3] = ["/", "/api/server/static_config", "/api/auth/local"];
|
||||||
|
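Review bot: The added `ROUTES_WITHOUT_AUTH` is an exact-path, method-agnostic allowlist, and its doc comment should say so, because the middleware introduced in this commit tests it with `contains(&req.path())` and nothing here tolerates prefixes, trailing slashes or per-method differences. Suggest replacing the comment with `/// Routes reachable without an authenticated identity. Matched by exact path (no prefix or trailing-slash tolerance) and for every HTTP method; everything else is rejected by the auth middleware.` so the next person adding an entry understands the contract.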
@ -1,5 +1,5 @@
|
|||||||
use crate::app_config::AppConfig;
|
use crate::app_config::AppConfig;
|
||||||
use crate::extractors::auth_extractor::AuthChecker;
|
use crate::extractors::auth_extractor::AuthExtractor;
|
||||||
use crate::extractors::local_auth_extractor::LocalAuthEnabled;
|
use crate::extractors::local_auth_extractor::LocalAuthEnabled;
|
||||||
use actix_web::{web, HttpResponse, Responder};
|
use actix_web::{web, HttpResponse, Responder};
|
||||||
|
|
||||||
@ -13,7 +13,7 @@ pub struct LocalAuthReq {
|
|||||||
pub async fn local_auth(
|
pub async fn local_auth(
|
||||||
local_auth_enabled: LocalAuthEnabled,
|
local_auth_enabled: LocalAuthEnabled,
|
||||||
req: web::Json<LocalAuthReq>,
|
req: web::Json<LocalAuthReq>,
|
||||||
auth: AuthChecker,
|
auth: AuthExtractor,
|
||||||
) -> impl Responder {
|
) -> impl Responder {
|
||||||
if !*local_auth_enabled {
|
if !*local_auth_enabled {
|
||||||
log::error!("Local auth attempt while this authentication method is disabled!");
|
log::error!("Local auth attempt while this authentication method is disabled!");
|
||||||
@ -29,3 +29,15 @@ pub async fn local_auth(
|
|||||||
|
|
||||||
HttpResponse::Accepted().json("Welcome")
|
HttpResponse::Accepted().json("Welcome")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(serde::Serialize)]
|
||||||
|
struct CurrentUser {
|
||||||
|
id: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Get current authenticated user
|
||||||
|
pub async fn current_user(auth: AuthExtractor) -> impl Responder {
|
||||||
|
HttpResponse::Ok().json(CurrentUser {
|
||||||
|
id: auth.id().unwrap(),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
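Review bot: `auth.id().unwrap()` in the new `current_user` handler panics if the handler is ever reached without an identity; it only holds today because the middleware added in this commit rejects unauthenticated requests first, an ordering configured in main.rs rather than here. Prefer making the handler safe on its own, e.g. `match auth.id() { Some(id) => HttpResponse::Ok().json(CurrentUser { id }), None => HttpResponse::Unauthorized().finish() }`, so the route stays correct if it is ever listed in `ROUTES_WITHOUT_AUTH` or the middleware order changes. The `local_auth` body spans lines outside the shown hunks.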
@ -4,24 +4,24 @@ use actix_web::{Error, FromRequest, HttpMessage, HttpRequest};
|
|||||||
use futures_util::future::{ready, Ready};
|
use futures_util::future::{ready, Ready};
|
||||||
use std::fmt::Display;
|
use std::fmt::Display;
|
||||||
|
|
||||||
pub struct AuthChecker {
|
pub struct AuthExtractor {
|
||||||
identity: Option<Identity>,
|
identity: Option<Identity>,
|
||||||
request: HttpRequest,
|
request: HttpRequest,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl AuthChecker {
|
impl AuthExtractor {
|
||||||
/// Check whether the user is authenticated or not
|
/// Check whether the user is authenticated or not
|
||||||
pub fn is_authenticated(&self) -> bool {
|
pub fn is_authenticated(&self) -> bool {
|
||||||
self.identity.is_some()
|
self.identity.is_some()
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Authenticate the user
|
/// Authenticate the user
|
||||||
pub fn authenticate(&self, username: impl Display) {
|
pub fn authenticate(&self, id: impl Display) {
|
||||||
Identity::login(&self.request.extensions(), username.to_string())
|
Identity::login(&self.request.extensions(), id.to_string())
|
||||||
.expect("Unable to set authentication!");
|
.expect("Unable to set authentication!");
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn user_name(&self) -> Option<String> {
|
pub fn id(&self) -> Option<String> {
|
||||||
self.identity.as_ref().map(|i| i.id().unwrap())
|
self.identity.as_ref().map(|i| i.id().unwrap())
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -32,7 +32,7 @@ impl AuthChecker {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl FromRequest for AuthChecker {
|
impl FromRequest for AuthExtractor {
|
||||||
type Error = Error;
|
type Error = Error;
|
||||||
type Future = Ready<Result<Self, Error>>;
|
type Future = Ready<Result<Self, Error>>;
|
||||||
|
|
||||||
|
@ -2,3 +2,4 @@ pub mod app_config;
|
|||||||
pub mod constants;
|
pub mod constants;
|
||||||
pub mod controllers;
|
pub mod controllers;
|
||||||
pub mod extractors;
|
pub mod extractors;
|
||||||
|
pub mod middlewares;
|
||||||
|
@ -12,6 +12,7 @@ use virtweb_backend::constants::{
|
|||||||
MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION, SESSION_COOKIE_NAME,
|
MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION, SESSION_COOKIE_NAME,
|
||||||
};
|
};
|
||||||
use virtweb_backend::controllers::{auth_controller, server_controller};
|
use virtweb_backend::controllers::{auth_controller, server_controller};
|
||||||
|
use virtweb_backend::middlewares::auth_middleware::AuthChecker;
|
||||||
|
|
||||||
#[actix_web::main]
|
#[actix_web::main]
|
||||||
async fn main() -> std::io::Result<()> {
|
async fn main() -> std::io::Result<()> {
|
||||||
@ -37,6 +38,7 @@ async fn main() -> std::io::Result<()> {
|
|||||||
|
|
||||||
App::new()
|
App::new()
|
||||||
.wrap(Logger::default())
|
.wrap(Logger::default())
|
||||||
|
.wrap(AuthChecker)
|
||||||
.wrap(identity_middleware)
|
.wrap(identity_middleware)
|
||||||
.wrap(session_mw)
|
.wrap(session_mw)
|
||||||
.app_data(web::Data::new(RemoteIPConfig {
|
.app_data(web::Data::new(RemoteIPConfig {
|
||||||
@ -53,6 +55,10 @@ async fn main() -> std::io::Result<()> {
|
|||||||
"/api/auth/local",
|
"/api/auth/local",
|
||||||
web::post().to(auth_controller::local_auth),
|
web::post().to(auth_controller::local_auth),
|
||||||
)
|
)
|
||||||
|
.route(
|
||||||
|
"/api/auth/user",
|
||||||
|
web::get().to(auth_controller::current_user),
|
||||||
|
)
|
||||||
})
|
})
|
||||||
.bind(&AppConfig::get().listen_address)?
|
.bind(&AppConfig::get().listen_address)?
|
||||||
.run()
|
.run()
|
||||||
|
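Review bot: The placement of `.wrap(AuthChecker)` between `Logger::default()` and `identity_middleware` is load-bearing but undocumented: actix-web applies `wrap` layers outermost-last, so `session_mw` and `identity_middleware` run before `AuthChecker`, which is what lets `AuthExtractor::from_request` observe the identity inside the middleware. A comment on that line would keep a future reorder from silently disabling the check, e.g. `// Must stay registered before identity_middleware/session_mw: later wraps are outer layers and run first`. `main` continues outside the shown hunks.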
1
virtweb_backend/src/middlewares.rs
Normal file
1
virtweb_backend/src/middlewares.rs
Normal file
@ -0,0 +1 @@
|
|||||||
|
pub mod auth_middleware;
|
95
virtweb_backend/src/middlewares/auth_middleware.rs
Normal file
95
virtweb_backend/src/middlewares/auth_middleware.rs
Normal file
@ -0,0 +1,95 @@
|
|||||||
|
use std::future::{ready, Ready};
|
||||||
|
use std::rc::Rc;
|
||||||
|
|
||||||
|
use crate::constants;
|
||||||
|
use crate::extractors::auth_extractor::AuthExtractor;
|
||||||
|
use actix_web::body::EitherBody;
|
||||||
|
use actix_web::dev::Payload;
|
||||||
|
use actix_web::{
|
||||||
|
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
|
||||||
|
Error, FromRequest, HttpResponse,
|
||||||
|
};
|
||||||
|
use futures_util::future::LocalBoxFuture;
|
||||||
|
|
||||||
|
// There are two steps in middleware processing.
|
||||||
|
// 1. Middleware initialization, middleware factory gets called with
|
||||||
|
// next service in chain as parameter.
|
||||||
|
// 2. Middleware's call method gets called with normal request.
|
||||||
|
#[derive(Default)]
|
||||||
|
pub struct AuthChecker;
|
||||||
|
|
||||||
|
// Middleware factory is `Transform` trait
|
||||||
|
// `S` - type of the next service
|
||||||
|
// `B` - type of response's body
|
||||||
|
impl<S, B> Transform<S, ServiceRequest> for AuthChecker
|
||||||
|
where
|
||||||
|
S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
|
||||||
|
S::Future: 'static,
|
||||||
|
B: 'static,
|
||||||
|
{
|
||||||
|
type Response = ServiceResponse<EitherBody<B>>;
|
||||||
|
type Error = Error;
|
||||||
|
type InitError = ();
|
||||||
|
type Transform = AuthMiddleware<S>;
|
||||||
|
type Future = Ready<Result<Self::Transform, Self::InitError>>;
|
||||||
|
|
||||||
|
fn new_transform(&self, service: S) -> Self::Future {
|
||||||
|
ready(Ok(AuthMiddleware {
|
||||||
|
service: Rc::new(service),
|
||||||
|
}))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub struct AuthMiddleware<S> {
|
||||||
|
service: Rc<S>,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl<S, B> Service<ServiceRequest> for AuthMiddleware<S>
|
||||||
|
where
|
||||||
|
S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
|
||||||
|
S::Future: 'static,
|
||||||
|
B: 'static,
|
||||||
|
{
|
||||||
|
type Response = ServiceResponse<EitherBody<B>>;
|
||||||
|
type Error = Error;
|
||||||
|
type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
|
||||||
|
|
||||||
|
forward_ready!(service);
|
||||||
|
|
||||||
|
fn call(&self, req: ServiceRequest) -> Self::Future {
|
||||||
|
let service = Rc::clone(&self.service);
|
||||||
|
|
||||||
|
Box::pin(async move {
|
||||||
|
// Check authentication, if required
|
||||||
|
if !constants::ROUTES_WITHOUT_AUTH.contains(&req.path()) {
|
||||||
|
let auth = match AuthExtractor::from_request(req.request(), &mut Payload::None)
|
||||||
|
.into_inner()
|
||||||
|
{
|
||||||
|
Ok(auth) => auth,
|
||||||
|
Err(e) => {
|
||||||
|
log::error!(
|
||||||
|
"Failed to extract authentication information from request! {e}"
|
||||||
|
);
|
||||||
|
return Ok(req
|
||||||
|
.into_response(HttpResponse::InternalServerError().finish())
|
||||||
|
.map_into_right_body());
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
if !auth.is_authenticated() {
|
||||||
|
log::error!(
|
||||||
|
"User attempted to access privileged route without authentication!"
|
||||||
|
);
|
||||||
|
return Ok(req
|
||||||
|
.into_response(HttpResponse::Unauthorized().json("Please authenticate!"))
|
||||||
|
.map_into_right_body());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
service
|
||||||
|
.call(req)
|
||||||
|
.await
|
||||||
|
.map(ServiceResponse::map_into_left_body)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
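Review bot: The unauthenticated branch in `call` logs at `error!` level for a routine condition (any client that hits a protected route such as `/api/auth/user` before logging in), which will flood the error log and bury genuine failures; `warn!` or `debug!` with the path is more proportionate, e.g. `log::warn!("Unauthenticated request to protected route {}", req.path());`. The design itself is fail-closed, since every path not in `ROUTES_WITHOUT_AUTH` requires an identity and an extractor failure returns 500 instead of falling through, which is the right default; worth stating at the check so it is preserved, e.g. `// Fail closed: only exact matches of ROUTES_WITHOUT_AUTH bypass the identity check`. Note that the match is on the raw `req.path()`, so the allowlist must hold the exact strings clients send, not route patterns.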