Can block token unauthorized to access a specific route
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is passing

This commit is contained in:
Pierre HUBERT 2024-04-10 21:22:15 +02:00
parent 579e54f7d3
commit d5eee04d7a
2 changed files with 31 additions and 15 deletions

View File

@ -19,7 +19,7 @@ impl TokenID {
} }
} }
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)] #[derive(serde::Serialize, serde::Deserialize, Debug, Clone, Eq, PartialEq)]
pub struct TokenRight { pub struct TokenRight {
verb: TokenVerb, verb: TokenVerb,
path: String, path: String,
@ -28,6 +28,24 @@ pub struct TokenRight {
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)] #[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
pub struct TokenRights(Vec<TokenRight>); pub struct TokenRights(Vec<TokenRight>);
impl TokenRights {
pub fn check_error(&self) -> Option<&'static str> {
for r in &self.0 {
if !r.path.starts_with("/api/") {
return Some("All API rights shall start with /api/");
}
}
None
}
pub fn contains(&self, verb: TokenVerb, path: &str) -> bool {
self.0.contains(&TokenRight {
verb,
path: path.to_string(),
})
}
}
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)] #[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
pub struct Token { pub struct Token {
pub id: TokenID, pub id: TokenID,
@ -121,17 +139,6 @@ pub struct NewToken {
pub delete_after_inactivity: Option<u64>, pub delete_after_inactivity: Option<u64>,
} }
impl TokenRights {
pub fn check_error(&self) -> Option<&'static str> {
for r in &self.0 {
if !r.path.starts_with("/api/") {
return Some("All API rights shall start with /api/");
}
}
None
}
}
impl NewToken { impl NewToken {
/// Check for error in token /// Check for error in token
pub fn check_error(&self) -> Option<&'static str> { pub fn check_error(&self) -> Option<&'static str> {

View File

@ -4,7 +4,7 @@ use crate::api_tokens;
use crate::utils::jwt_utils; use crate::utils::jwt_utils;
use crate::utils::time_utils::time; use crate::utils::time_utils::time;
use actix_web::dev::Payload; use actix_web::dev::Payload;
use actix_web::error::ErrorBadRequest; use actix_web::error::{ErrorBadRequest, ErrorUnauthorized};
use actix_web::{Error, FromRequest, HttpRequest}; use actix_web::{Error, FromRequest, HttpRequest};
use std::future::Future; use std::future::Future;
use std::pin::Pin; use std::pin::Pin;
@ -108,7 +108,16 @@ impl FromRequest for ApiAuthExtractor {
return Err(ErrorBadRequest("JWT method mismatch!")); return Err(ErrorBadRequest("JWT method mismatch!"));
} }
// TODO : check if route is authorized with token if !token.rights.contains(claims.verb, req.path()) {
log::error!(
"Attempt to use a token for an unauthorized route! (token_id={})",
token.id.0
);
return Err(ErrorUnauthorized(
"Token cannot be used to query this route!",
));
}
// TODO : check for ip restriction // TODO : check for ip restriction
// TODO : manually validate all checks // TODO : manually validate all checks
@ -116,7 +125,7 @@ impl FromRequest for ApiAuthExtractor {
if token.should_update_last_activity() { if token.should_update_last_activity() {
if let Err(e) = api_tokens::refresh_last_used(token.id).await { if let Err(e) = api_tokens::refresh_last_used(token.id).await {
log::error!("Could not update token last activity! {e}"); log::error!("Could not update token last activity! {e}");
return Err(ErrorBadRequest("!")); return Err(ErrorBadRequest("Couldn't refresh token last activity!"));
} }
} }