Start to implement OpenID authentication
This commit is contained in:
97
remote_backend/src/controllers/auth_controller.rs
Normal file
97
remote_backend/src/controllers/auth_controller.rs
Normal file
@ -0,0 +1,97 @@
|
||||
use actix_remote_ip::RemoteIP;
|
||||
use actix_web::web::Data;
|
||||
use actix_web::{web, HttpResponse, Responder};
|
||||
use light_openid::basic_state_manager::BasicStateManager;
|
||||
|
||||
use crate::app_config::AppConfig;
|
||||
use crate::controllers::HttpResult;
|
||||
use crate::extractors::auth_extractor::AuthExtractor;
|
||||
|
||||
#[derive(serde::Serialize)]
|
||||
struct StartOIDCResponse {
|
||||
url: String,
|
||||
}
|
||||
|
||||
/// Start OIDC authentication
|
||||
pub async fn start_oidc(sm: Data<BasicStateManager>, ip: RemoteIP) -> HttpResult {
|
||||
let prov = AppConfig::get().openid_provider();
|
||||
|
||||
let conf =
|
||||
light_openid::primitives::OpenIDConfig::load_from_url(prov.configuration_url).await?;
|
||||
|
||||
Ok(HttpResponse::Ok().json(StartOIDCResponse {
|
||||
url: conf.gen_authorization_url(
|
||||
prov.client_id,
|
||||
&sm.gen_state(ip.0)?,
|
||||
&AppConfig::get().oidc_redirect_url(),
|
||||
),
|
||||
}))
|
||||
}
|
||||
|
||||
#[derive(serde::Deserialize)]
|
||||
pub struct FinishOpenIDLoginQuery {
|
||||
code: String,
|
||||
state: String,
|
||||
}
|
||||
|
||||
/// Finish OIDC authentication
|
||||
pub async fn finish_oidc(
|
||||
sm: Data<BasicStateManager>,
|
||||
remote_ip: RemoteIP,
|
||||
req: web::Json<FinishOpenIDLoginQuery>,
|
||||
auth: AuthExtractor,
|
||||
) -> HttpResult {
|
||||
if let Err(e) = sm.validate_state(remote_ip.0, &req.state) {
|
||||
log::error!("Failed to validate OIDC CB state! {e}");
|
||||
return Ok(HttpResponse::BadRequest().json("Invalid state!"));
|
||||
}
|
||||
|
||||
let prov = AppConfig::get().openid_provider();
|
||||
|
||||
let conf =
|
||||
light_openid::primitives::OpenIDConfig::load_from_url(prov.configuration_url).await?;
|
||||
|
||||
let (token, _) = conf
|
||||
.request_token(
|
||||
prov.client_id,
|
||||
prov.client_secret,
|
||||
&req.code,
|
||||
&AppConfig::get().oidc_redirect_url(),
|
||||
)
|
||||
.await?;
|
||||
let (user_info, _) = conf.request_user_info(&token).await?;
|
||||
|
||||
if user_info.email_verified != Some(true) {
|
||||
log::error!("Email is not verified!");
|
||||
return Ok(HttpResponse::Unauthorized().json("Email unverified by IDP!"));
|
||||
}
|
||||
|
||||
let mail = match user_info.email {
|
||||
Some(m) => m,
|
||||
None => {
|
||||
return Ok(HttpResponse::Unauthorized().json("Email not provided by the IDP!"));
|
||||
}
|
||||
};
|
||||
|
||||
auth.authenticate(mail);
|
||||
|
||||
Ok(HttpResponse::Ok().finish())
|
||||
}
|
||||
|
||||
#[derive(serde::Serialize)]
|
||||
struct CurrentUser {
|
||||
id: String,
|
||||
}
|
||||
|
||||
/// Get current authenticated user
|
||||
pub async fn current_user(auth: AuthExtractor) -> impl Responder {
|
||||
HttpResponse::Ok().json(CurrentUser {
|
||||
id: auth.id().unwrap_or_else(|| "Anonymous".to_string()),
|
||||
})
|
||||
}
|
||||
|
||||
/// Sign out
|
||||
pub async fn sign_out(auth: AuthExtractor) -> impl Responder {
|
||||
auth.sign_out();
|
||||
HttpResponse::Ok().finish()
|
||||
}
|
||||
89
remote_backend/src/controllers/mod.rs
Normal file
89
remote_backend/src/controllers/mod.rs
Normal file
@ -0,0 +1,89 @@
|
||||
use actix_web::body::BoxBody;
|
||||
use actix_web::http::StatusCode;
|
||||
use actix_web::HttpResponse;
|
||||
use std::error::Error;
|
||||
use std::fmt::{Display, Formatter};
|
||||
use std::io::ErrorKind;
|
||||
|
||||
pub mod auth_controller;
|
||||
|
||||
/// Custom error to ease controller writing
|
||||
#[derive(Debug)]
|
||||
pub enum HttpErr {
|
||||
Err(anyhow::Error),
|
||||
HTTPResponse(HttpResponse),
|
||||
}
|
||||
|
||||
impl Display for HttpErr {
|
||||
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
|
||||
match self {
|
||||
HttpErr::Err(err) => Display::fmt(err, f),
|
||||
HttpErr::HTTPResponse(res) => {
|
||||
Display::fmt(&format!("HTTP RESPONSE {}", res.status().as_str()), f)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl actix_web::error::ResponseError for HttpErr {
|
||||
fn status_code(&self) -> StatusCode {
|
||||
match self {
|
||||
HttpErr::Err(_) => StatusCode::INTERNAL_SERVER_ERROR,
|
||||
HttpErr::HTTPResponse(r) => r.status(),
|
||||
}
|
||||
}
|
||||
fn error_response(&self) -> HttpResponse<BoxBody> {
|
||||
log::error!("Error while processing request! {}", self);
|
||||
|
||||
HttpResponse::InternalServerError().body("Failed to execute request!")
|
||||
}
|
||||
}
|
||||
|
||||
impl From<anyhow::Error> for HttpErr {
|
||||
fn from(err: anyhow::Error) -> HttpErr {
|
||||
HttpErr::Err(err)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<Box<dyn Error>> for HttpErr {
|
||||
fn from(value: Box<dyn Error>) -> Self {
|
||||
HttpErr::Err(std::io::Error::new(ErrorKind::Other, value.to_string()).into())
|
||||
}
|
||||
}
|
||||
|
||||
impl From<std::io::Error> for HttpErr {
|
||||
fn from(value: std::io::Error) -> Self {
|
||||
HttpErr::Err(value.into())
|
||||
}
|
||||
}
|
||||
|
||||
impl From<std::num::ParseIntError> for HttpErr {
|
||||
fn from(value: std::num::ParseIntError) -> Self {
|
||||
HttpErr::Err(value.into())
|
||||
}
|
||||
}
|
||||
|
||||
impl From<reqwest::Error> for HttpErr {
|
||||
fn from(value: reqwest::Error) -> Self {
|
||||
HttpErr::Err(value.into())
|
||||
}
|
||||
}
|
||||
|
||||
impl From<reqwest::header::ToStrError> for HttpErr {
|
||||
fn from(value: reqwest::header::ToStrError) -> Self {
|
||||
HttpErr::Err(value.into())
|
||||
}
|
||||
}
|
||||
|
||||
impl From<actix_web::Error> for HttpErr {
|
||||
fn from(value: actix_web::Error) -> Self {
|
||||
HttpErr::Err(std::io::Error::new(ErrorKind::Other, value.to_string()).into())
|
||||
}
|
||||
}
|
||||
|
||||
impl From<HttpResponse> for HttpErr {
|
||||
fn from(value: HttpResponse) -> Self {
|
||||
HttpErr::HTTPResponse(value)
|
||||
}
|
||||
}
|
||||
pub type HttpResult = Result<HttpResponse, HttpErr>;
|
||||
Reference in New Issue
Block a user