Can block token unauthorized to access a specific route
This commit is contained in:
parent
579e54f7d3
commit
d5eee04d7a
@ -19,7 +19,7 @@ impl TokenID {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
|
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone, Eq, PartialEq)]
|
||||||
pub struct TokenRight {
|
pub struct TokenRight {
|
||||||
verb: TokenVerb,
|
verb: TokenVerb,
|
||||||
path: String,
|
path: String,
|
||||||
@ -28,6 +28,24 @@ pub struct TokenRight {
|
|||||||
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
|
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
|
||||||
pub struct TokenRights(Vec<TokenRight>);
|
pub struct TokenRights(Vec<TokenRight>);
|
||||||
|
|
||||||
|
impl TokenRights {
|
||||||
|
pub fn check_error(&self) -> Option<&'static str> {
|
||||||
|
for r in &self.0 {
|
||||||
|
if !r.path.starts_with("/api/") {
|
||||||
|
return Some("All API rights shall start with /api/");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
None
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn contains(&self, verb: TokenVerb, path: &str) -> bool {
|
||||||
|
self.0.contains(&TokenRight {
|
||||||
|
verb,
|
||||||
|
path: path.to_string(),
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
|
#[derive(serde::Serialize, serde::Deserialize, Debug, Clone)]
|
||||||
pub struct Token {
|
pub struct Token {
|
||||||
pub id: TokenID,
|
pub id: TokenID,
|
||||||
@ -121,17 +139,6 @@ pub struct NewToken {
|
|||||||
pub delete_after_inactivity: Option<u64>,
|
pub delete_after_inactivity: Option<u64>,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl TokenRights {
|
|
||||||
pub fn check_error(&self) -> Option<&'static str> {
|
|
||||||
for r in &self.0 {
|
|
||||||
if !r.path.starts_with("/api/") {
|
|
||||||
return Some("All API rights shall start with /api/");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
None
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl NewToken {
|
impl NewToken {
|
||||||
/// Check for error in token
|
/// Check for error in token
|
||||||
pub fn check_error(&self) -> Option<&'static str> {
|
pub fn check_error(&self) -> Option<&'static str> {
|
||||||
|
@ -4,7 +4,7 @@ use crate::api_tokens;
|
|||||||
use crate::utils::jwt_utils;
|
use crate::utils::jwt_utils;
|
||||||
use crate::utils::time_utils::time;
|
use crate::utils::time_utils::time;
|
||||||
use actix_web::dev::Payload;
|
use actix_web::dev::Payload;
|
||||||
use actix_web::error::ErrorBadRequest;
|
use actix_web::error::{ErrorBadRequest, ErrorUnauthorized};
|
||||||
use actix_web::{Error, FromRequest, HttpRequest};
|
use actix_web::{Error, FromRequest, HttpRequest};
|
||||||
use std::future::Future;
|
use std::future::Future;
|
||||||
use std::pin::Pin;
|
use std::pin::Pin;
|
||||||
@ -108,7 +108,16 @@ impl FromRequest for ApiAuthExtractor {
|
|||||||
return Err(ErrorBadRequest("JWT method mismatch!"));
|
return Err(ErrorBadRequest("JWT method mismatch!"));
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO : check if route is authorized with token
|
if !token.rights.contains(claims.verb, req.path()) {
|
||||||
|
log::error!(
|
||||||
|
"Attempt to use a token for an unauthorized route! (token_id={})",
|
||||||
|
token.id.0
|
||||||
|
);
|
||||||
|
return Err(ErrorUnauthorized(
|
||||||
|
"Token cannot be used to query this route!",
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
// TODO : check for ip restriction
|
// TODO : check for ip restriction
|
||||||
|
|
||||||
// TODO : manually validate all checks
|
// TODO : manually validate all checks
|
||||||
@ -116,7 +125,7 @@ impl FromRequest for ApiAuthExtractor {
|
|||||||
if token.should_update_last_activity() {
|
if token.should_update_last_activity() {
|
||||||
if let Err(e) = api_tokens::refresh_last_used(token.id).await {
|
if let Err(e) = api_tokens::refresh_last_used(token.id).await {
|
||||||
log::error!("Could not update token last activity! {e}");
|
log::error!("Could not update token last activity! {e}");
|
||||||
return Err(ErrorBadRequest("!"));
|
return Err(ErrorBadRequest("Couldn't refresh token last activity!"));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user