use std::future::{ready, Ready}; use std::rc::Rc; use crate::app_config::AppConfig; use crate::constants; use crate::extractors::api_auth_extractor::ApiAuthExtractor; use crate::extractors::auth_extractor::AuthExtractor; use actix_web::body::EitherBody; use actix_web::dev::Payload; use actix_web::{ dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform}, Error, FromRequest, HttpResponse, }; use futures_util::future::LocalBoxFuture; // There are two steps in middleware processing. // 1. Middleware initialization, middleware factory gets called with // next service in chain as parameter. // 2. Middleware's call method gets called with normal request. #[derive(Default)] pub struct AuthChecker; // Middleware factory is `Transform` trait // `S` - type of the next service // `B` - type of response's body impl Transform for AuthChecker where S: Service, Error = Error> + 'static, S::Future: 'static, B: 'static, { type Response = ServiceResponse>; type Error = Error; type InitError = (); type Transform = AuthMiddleware; type Future = Ready>; fn new_transform(&self, service: S) -> Self::Future { ready(Ok(AuthMiddleware { service: Rc::new(service), })) } } pub struct AuthMiddleware { service: Rc, } impl Service for AuthMiddleware where S: Service, Error = Error> + 'static, S::Future: 'static, B: 'static, { type Response = ServiceResponse>; type Error = Error; type Future = LocalBoxFuture<'static, Result>; forward_ready!(service); fn call(&self, req: ServiceRequest) -> Self::Future { let service = Rc::clone(&self.service); Box::pin(async move { let remote_ip = actix_remote_ip::RemoteIP::from_request(req.request(), &mut Payload::None) .await .unwrap(); if !AppConfig::get().is_allowed_ip(remote_ip.0) { log::error!("An attempt to access VirtWeb from an unauthorized network has been intercepted! {:?}", remote_ip); return Ok(req .into_response( HttpResponse::MethodNotAllowed() .json("I am sorry, but your IP is not allowed to access this service!"), ) .map_into_right_body()); } let auth_disabled = AppConfig::get().unsecure_disable_auth; // Check API authentication if req.headers().get("x-token-id").is_some() { let auth = match ApiAuthExtractor::from_request(req.request(), &mut Payload::None).await { Ok(auth) => auth, Err(e) => { log::error!( "Failed to extract API authentication information from request! {e}" ); return Ok(req .into_response(HttpResponse::PreconditionFailed().finish()) .map_into_right_body()); } }; log::info!( "Using API token '{}' to perform the request", auth.token.name ); } // Check user authentication, if required else if !auth_disabled && !constants::ROUTES_WITHOUT_AUTH.contains(&req.path()) && req.path().starts_with("/api/") { let auth = match AuthExtractor::from_request(req.request(), &mut Payload::None) .into_inner() { Ok(auth) => auth, Err(e) => { log::error!( "Failed to extract authentication information from request! {e}" ); return Ok(req .into_response(HttpResponse::PreconditionFailed().finish()) .map_into_right_body()); } }; if !auth.is_authenticated() { log::error!( "User attempted to access privileged route without authentication!" ); return Ok(req .into_response( HttpResponse::PreconditionFailed().json("Please authenticate!"), ) .map_into_right_body()); } if !AppConfig::get().is_trusted_ip(remote_ip.0) && !req.method().as_str().eq("GET") { return Ok(req .into_response( HttpResponse::MethodNotAllowed().json("I am sorry, but your IP is not trusted. You cannot perform this action!"), ) .map_into_right_body()); } } service .call(req) .await .map(ServiceResponse::map_into_left_body) }) } }