VirtWeb/virtweb_backend/src/middlewares/auth_middleware.rs

use std::future::{ready, Ready};
use std::rc::Rc;

use crate::app_config::AppConfig;
use crate::constants;
use crate::extractors::api_auth_extractor::ApiAuthExtractor;
use crate::extractors::auth_extractor::AuthExtractor;
use actix_web::body::EitherBody;
use actix_web::dev::Payload;
use actix_web::{
    dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
    Error, FromRequest, HttpResponse,
};
use futures_util::future::LocalBoxFuture;

// There are two steps in middleware processing.
// 1. Middleware initialization, middleware factory gets called with
//    next service in chain as parameter.
// 2. Middleware's call method gets called with normal request.
#[derive(Default)]
pub struct AuthChecker;

// Middleware factory is `Transform` trait
// `S` - type of the next service
// `B` - type of response's body
impl<S, B> Transform<S, ServiceRequest> for AuthChecker
where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;
    type InitError = ();
    type Transform = AuthMiddleware<S>;
    type Future = Ready<Result<Self::Transform, Self::InitError>>;

    fn new_transform(&self, service: S) -> Self::Future {
        ready(Ok(AuthMiddleware {
            service: Rc::new(service),
        }))
    }
}

pub struct AuthMiddleware<S> {
    service: Rc<S>,
}

impl<S, B> Service<ServiceRequest> for AuthMiddleware<S>
where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;
    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;

    forward_ready!(service);

    fn call(&self, req: ServiceRequest) -> Self::Future {
        let service = Rc::clone(&self.service);

        Box::pin(async move {
            let remote_ip =
                actix_remote_ip::RemoteIP::from_request(req.request(), &mut Payload::None)
                    .await
                    .unwrap();

            if !AppConfig::get().is_allowed_ip(remote_ip.0) {
                log::error!("An attempt to access VirtWeb from an unauthorized network has been intercepted! {:?}", remote_ip);
                return Ok(req
                    .into_response(
                        HttpResponse::MethodNotAllowed()
                            .json("I am sorry, but your IP is not allowed to access this service!"),
                    )
                    .map_into_right_body());
            }

            let auth_disabled = AppConfig::get().unsecure_disable_auth;

            // Check API authentication
            if req.headers().get("x-token-id").is_some() {
                let auth =
                    match ApiAuthExtractor::from_request(req.request(), &mut Payload::None).await {
                        Ok(auth) => auth,
                        Err(e) => {
                            log::error!(
                            "Failed to extract API authentication information from request! {e}"
                        );
                            return Ok(req
                                .into_response(HttpResponse::PreconditionFailed().finish())
                                .map_into_right_body());
                        }
                    };

                log::info!(
                    "Using API token '{}' to perform the request",
                    auth.token.name
                );
            }
            // Check user authentication, if required
            else if !auth_disabled
                && !constants::ROUTES_WITHOUT_AUTH.contains(&req.path())
                && req.path().starts_with("/api/")
            {
                let auth = match AuthExtractor::from_request(req.request(), &mut Payload::None)
                    .into_inner()
                {
                    Ok(auth) => auth,
                    Err(e) => {
                        log::error!(
                            "Failed to extract authentication information from request! {e}"
                        );
                        return Ok(req
                            .into_response(HttpResponse::PreconditionFailed().finish())
                            .map_into_right_body());
                    }
                };

                if !auth.is_authenticated() {
                    log::error!(
                        "User attempted to access privileged route without authentication!"
                    );
                    return Ok(req
                        .into_response(
                            HttpResponse::PreconditionFailed().json("Please authenticate!"),
                        )
                        .map_into_right_body());
                }

                if !AppConfig::get().is_trusted_ip(remote_ip.0) && !req.method().as_str().eq("GET")
                {
                    return Ok(req
                        .into_response(
                            HttpResponse::MethodNotAllowed().json("I am sorry, but your IP is not trusted. You cannot perform this action!"),
                        )
                        .map_into_right_body());
                }
            }

            service
                .call(req)
                .await
                .map(ServiceResponse::map_into_left_body)
        })
    }
}