Add db table for login tokens which allows for invalidation (#3818)

* wip

* stuff

* fmt

* fmt 2

* fmt 3

* fix default feature

* use Authorization header

* store ip and user agent for each login

* add list_logins endpoint

* serde(skip) for token

* fix api tests

* A few suggestions for login_token (#3991)

* A few suggestions.

* Fixing SQL format.

* review

* review

* rename cookie

---------

Co-authored-by: Dessalines <dessalines@users.noreply.github.com>
pull/4030/head
Nutomic 2023-10-09 12:46:12 +02:00 committed by GitHub
parent b7d570cf35
commit dc327652a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
42 changed files with 586 additions and 288 deletions

16
Cargo.lock generated
View File

@ -2625,6 +2625,7 @@ version = "0.19.0-beta.7"
dependencies = [
"activitypub_federation",
"actix-web",
"actix-web-httpauth",
"anyhow",
"async-trait",
"base64 0.21.2",
@ -2660,6 +2661,7 @@ dependencies = [
"encoding",
"futures",
"getrandom",
"jsonwebtoken",
"lemmy_db_schema",
"lemmy_db_views",
"lemmy_db_views_actor",
@ -2673,6 +2675,7 @@ dependencies = [
"rosetta-i18n",
"serde",
"serde_with",
"serial_test",
"tokio",
"tracing",
"ts-rs",
@ -2938,7 +2941,6 @@ dependencies = [
"html2text",
"http",
"itertools 0.11.0",
"jsonwebtoken",
"lettre",
"markdown-it",
"once_cell",
@ -3366,9 +3368,9 @@ dependencies = [
[[package]]
name = "num-bigint"
version = "0.4.3"
version = "0.4.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0"
dependencies = [
"autocfg",
"num-integer",
@ -3398,9 +3400,9 @@ dependencies = [
[[package]]
name = "num-traits"
version = "0.2.15"
version = "0.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
checksum = "f30b0abd723be7e2ffca1272140fac1a2f084c77ec3e123c192b66af1ee9e6c2"
dependencies = [
"autocfg",
]
@ -3669,9 +3671,9 @@ checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd"
[[package]]
name = "pem"
version = "1.1.0"
version = "1.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "03c64931a1a212348ec4f3b4362585eca7159d0d09cbdf4a7f74f02173596fd4"
checksum = "a8835c273a76a90455d7344889b0964598e3316e2a79ede8e36f16bdcf2228b8"
dependencies = [
"base64 0.13.1",
]

View File

@ -82,6 +82,7 @@ actix-web = { version = "4.3.1", default-features = false, features = [
"compress-brotli",
"compress-gzip",
"compress-zstd",
"cookies",
] }
tracing = "0.1.37"
tracing-actix-web = { version = "0.7.5", default-features = false }
@ -135,6 +136,7 @@ lemmy_utils = { workspace = true }
lemmy_db_schema = { workspace = true }
lemmy_api_common = { workspace = true }
lemmy_routes = { workspace = true }
lemmy_federate = { version = "0.19.0-beta.7", path = "crates/federate" }
activitypub_federation = { workspace = true }
diesel = { workspace = true }
diesel-async = { workspace = true }
@ -169,4 +171,3 @@ actix-web-prom = { version = "0.6.0", optional = true }
serial_test = { workspace = true }
clap = { version = "4.3.19", features = ["derive"] }
actix-web-httpauth = "0.8.1"
lemmy_federate = { version = "0.19.0-beta.7", path = "crates/federate" }

View File

@ -36,10 +36,11 @@ import {
waitUntil,
waitForPost,
alphaUrl,
loginUser,
} from "./shared";
import { PostView } from "lemmy-js-client/dist/types/PostView";
import { CreatePost } from "lemmy-js-client/dist/types/CreatePost";
import { LemmyHttp } from "lemmy-js-client";
import { LemmyHttp, Login } from "lemmy-js-client";
let betaCommunity: CommunityView | undefined;
@ -391,8 +392,9 @@ test("Enforce site ban for federated user", async () => {
let alpha_user = new LemmyHttp(alphaUrl, {
headers: { Authorization: `Bearer ${alphaUserJwt.jwt ?? ""}` },
});
let alphaUserActorId = (await getSite(alpha_user)).my_user?.local_user_view
.person.actor_id;
let alphaUserPerson = (await getSite(alpha_user)).my_user?.local_user_view
.person;
let alphaUserActorId = alphaUserPerson?.actor_id;
if (!alphaUserActorId) {
throw "Missing alpha user actor id";
}
@ -438,8 +440,13 @@ test("Enforce site ban for federated user", async () => {
);
expect(unBanAlpha.banned).toBe(false);
// Login gets invalidated by ban, need to login again
let newAlphaUserJwt = await loginUser(alpha, alphaUserPerson?.name!);
alpha_user.setHeaders({
Authorization: "Bearer " + newAlphaUserJwt.jwt ?? "",
});
// alpha makes new post in beta community, it federates
let postRes2 = await createPost(alpha_user, betaCommunity.community.id);
let postRes2 = await createPost(alpha_user, betaCommunity!.community.id);
let searchBeta3 = await waitForPost(beta, postRes2.post_view.post);
let alphaUserOnBeta2 = await resolvePerson(beta, alphaUserActorId!);

View File

@ -619,6 +619,17 @@ export async function registerUser(
return api.register(form);
}
export async function loginUser(
api: LemmyHttp,
username: string,
): Promise<LoginResponse> {
let form: Login = {
username_or_email: username,
password: password,
};
return api.login(form);
}
export async function saveUserSettingsBio(
api: LemmyHttp,
): Promise<LoginResponse> {

View File

@ -35,6 +35,7 @@ url = { workspace = true }
wav = "1.0.0"
sitemap-rs = "0.2.0"
totp-rs = { version = "5.0.2", features = ["gen_secret", "otpauth"] }
actix-web-httpauth = "0.8.1"
[dev-dependencies]
serial_test = { workspace = true }

View File

@ -1,6 +1,8 @@
use actix_web::{http::header::Header, HttpRequest};
use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
use base64::{engine::general_purpose::STANDARD_NO_PAD as base64, Engine};
use captcha::Captcha;
use lemmy_api_common::utils::local_site_to_slur_regex;
use lemmy_api_common::utils::{local_site_to_slur_regex, AUTH_COOKIE_NAME};
use lemmy_db_schema::source::local_site::LocalSite;
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::{
@ -69,6 +71,28 @@ pub(crate) fn check_report_reason(reason: &str, local_site: &LocalSite) -> Resul
}
}
pub fn read_auth_token(req: &HttpRequest) -> Result<Option<String>, LemmyError> {
// Try reading jwt from auth header
if let Ok(header) = Authorization::<Bearer>::parse(req) {
Ok(Some(header.as_ref().token().to_string()))
}
// If that fails, try to read from cookie
else if let Some(cookie) = &req.cookie(AUTH_COOKIE_NAME) {
// ensure that its marked as httponly and secure
let secure = cookie.secure().unwrap_or_default();
let http_only = cookie.http_only().unwrap_or_default();
if !secure || !http_only {
Err(LemmyError::from(LemmyErrorType::AuthCookieInsecure))
} else {
Ok(Some(cookie.value().to_string()))
}
}
// Otherwise, there's no auth
else {
Ok(None)
}
}
pub(crate) fn check_totp_2fa_valid(
local_user_view: &LocalUserView,
totp_token: &Option<String>,

View File

@ -8,6 +8,7 @@ use lemmy_api_common::{
};
use lemmy_db_schema::{
source::{
login_token::LoginToken,
moderator::{ModBan, ModBanForm},
person::{Person, PersonUpdateForm},
},
@ -44,6 +45,12 @@ pub async fn ban_from_site(
.await
.with_lemmy_type(LemmyErrorType::CouldntUpdateUser)?;
let local_user_id = LocalUserView::read_person(&mut context.pool(), data.person_id)
.await?
.local_user
.id;
LoginToken::invalidate_all(&mut context.pool(), local_user_id).await?;
// Remove their data if that's desired
let remove_data = data.remove_data.unwrap_or(false);
if remove_data {

View File

@ -1,20 +1,22 @@
use actix_web::web::{Data, Json};
use actix_web::{
web::{Data, Json},
HttpRequest,
};
use bcrypt::verify;
use lemmy_api_common::{
claims::Claims,
context::LemmyContext,
person::{ChangePassword, LoginResponse},
utils::password_length_check,
};
use lemmy_db_schema::source::local_user::LocalUser;
use lemmy_db_schema::source::{local_user::LocalUser, login_token::LoginToken};
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::{
claims::Claims,
error::{LemmyError, LemmyErrorType},
};
use lemmy_utils::error::{LemmyError, LemmyErrorType};
#[tracing::instrument(skip(context))]
pub async fn change_password(
data: Json<ChangePassword>,
req: HttpRequest,
context: Data<LemmyContext>,
local_user_view: LocalUserView,
) -> Result<Json<LoginResponse>, LemmyError> {
@ -40,16 +42,11 @@ pub async fn change_password(
let updated_local_user =
LocalUser::update_password(&mut context.pool(), local_user_id, &new_password).await?;
LoginToken::invalidate_all(&mut context.pool(), local_user_view.local_user.id).await?;
// Return the jwt
Ok(Json(LoginResponse {
jwt: Some(
Claims::jwt(
updated_local_user.id.0,
&context.secret().jwt_secret,
&context.settings().hostname,
)?
.into(),
),
jwt: Some(Claims::generate(updated_local_user.id, req, &context).await?),
verify_email_sent: false,
registration_created: false,
}))

View File

@ -6,6 +6,7 @@ use lemmy_api_common::{
};
use lemmy_db_schema::source::{
local_user::LocalUser,
login_token::LoginToken,
password_reset_request::PasswordResetRequest,
};
use lemmy_utils::error::{LemmyError, LemmyErrorExt, LemmyErrorType};
@ -34,6 +35,8 @@ pub async fn change_password_after_reset(
.await
.with_lemmy_type(LemmyErrorType::CouldntUpdateUser)?;
LoginToken::invalidate_all(&mut context.pool(), local_user_id).await?;
Ok(Json(LoginResponse {
jwt: None,
verify_email_sent: false,

View File

@ -0,0 +1,14 @@
use actix_web::web::{Data, Json};
use lemmy_api_common::context::LemmyContext;
use lemmy_db_schema::source::login_token::LoginToken;
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::error::LemmyError;
pub async fn list_logins(
context: Data<LemmyContext>,
local_user_view: LocalUserView,
) -> Result<Json<Vec<LoginToken>>, LemmyError> {
let logins = LoginToken::list(&mut context.pool(), local_user_view.local_user.id).await?;
Ok(Json(logins))
}

View File

@ -1,10 +1,16 @@
use crate::check_totp_2fa_valid;
use actix_web::web::{Data, Json};
use actix_web::{
http::StatusCode,
web::{Data, Json},
HttpRequest,
HttpResponse,
};
use bcrypt::verify;
use lemmy_api_common::{
claims::Claims,
context::LemmyContext,
person::{Login, LoginResponse},
utils::check_user_valid,
utils::{check_user_valid, create_login_cookie},
};
use lemmy_db_schema::{
source::{local_site::LocalSite, registration_application::RegistrationApplication},
@ -12,16 +18,14 @@ use lemmy_db_schema::{
RegistrationMode,
};
use lemmy_db_views::structs::{LocalUserView, SiteView};
use lemmy_utils::{
claims::Claims,
error::{LemmyError, LemmyErrorExt, LemmyErrorType},
};
use lemmy_utils::error::{LemmyError, LemmyErrorExt, LemmyErrorType};
#[tracing::instrument(skip(context))]
pub async fn login(
data: Json<Login>,
req: HttpRequest,
context: Data<LemmyContext>,
) -> Result<Json<LoginResponse>, LemmyError> {
) -> Result<HttpResponse, LemmyError> {
let site_view = SiteView::read_local(&mut context.pool()).await?;
// Fetch that username / email
@ -63,19 +67,17 @@ pub async fn login(
check_totp_2fa_valid(&local_user_view, &data.totp_2fa_token, &site_view.site.name)?;
}
// Return the jwt
Ok(Json(LoginResponse {
jwt: Some(
Claims::jwt(
local_user_view.local_user.id.0,
&context.secret().jwt_secret,
&context.settings().hostname,
)?
.into(),
),
let jwt = Claims::generate(local_user_view.local_user.id, req, &context).await?;
let json = LoginResponse {
jwt: Some(jwt.clone()),
verify_email_sent: false,
registration_created: false,
}))
};
let mut res = HttpResponse::build(StatusCode::OK).json(json);
res.add_cookie(&create_login_cookie(jwt))?;
Ok(res)
}
async fn check_registration_application(

View File

@ -0,0 +1,23 @@
use crate::read_auth_token;
use activitypub_federation::config::Data;
use actix_web::{cookie::Cookie, HttpRequest, HttpResponse};
use lemmy_api_common::{context::LemmyContext, utils::AUTH_COOKIE_NAME};
use lemmy_db_schema::source::login_token::LoginToken;
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::error::{LemmyErrorType, LemmyResult};
#[tracing::instrument(skip(context))]
pub async fn logout(
req: HttpRequest,
// require login
_local_user_view: LocalUserView,
context: Data<LemmyContext>,
) -> LemmyResult<HttpResponse> {
let jwt = read_auth_token(&req)?.ok_or(LemmyErrorType::NotLoggedIn)?;
LoginToken::invalidate(&mut context.pool(), &jwt).await?;
let mut res = HttpResponse::Ok().finish();
let cookie = Cookie::new(AUTH_COOKIE_NAME, "");
res.add_removal_cookie(&cookie)?;
Ok(res)
}

View File

@ -6,7 +6,9 @@ pub mod change_password_after_reset;
pub mod generate_totp_secret;
pub mod get_captcha;
pub mod list_banned;
pub mod list_logins;
pub mod login;
pub mod logout;
pub mod notifications;
pub mod report_count;
pub mod reset_password;

View File

@ -1,8 +1,9 @@
use actix_web::web::{Data, Json};
use lemmy_api_common::{
context::LemmyContext,
person::{LoginResponse, SaveUserSettings},
person::SaveUserSettings,
utils::{sanitize_html_api_opt, send_verification_email},
SuccessResponse,
};
use lemmy_db_schema::{
source::{
@ -15,7 +16,6 @@ use lemmy_db_schema::{
};
use lemmy_db_views::structs::{LocalUserView, SiteView};
use lemmy_utils::{
claims::Claims,
error::{LemmyError, LemmyErrorExt, LemmyErrorType},
utils::validation::{is_valid_bio_field, is_valid_display_name, is_valid_matrix_id},
};
@ -25,7 +25,7 @@ pub async fn save_user_settings(
data: Json<SaveUserSettings>,
context: Data<LemmyContext>,
local_user_view: LocalUserView,
) -> Result<Json<LoginResponse>, LemmyError> {
) -> Result<Json<SuccessResponse>, LemmyError> {
let site_view = SiteView::read_local(&mut context.pool()).await?;
let bio = sanitize_html_api_opt(&data.bio);
@ -41,8 +41,11 @@ pub async fn save_user_settings(
if let Some(Some(email)) = &email {
let previous_email = local_user_view.local_user.email.clone().unwrap_or_default();
// Only send the verification email if there was an email change
if previous_email.ne(email) {
// if email was changed, check that it is not taken and send verification mail
if &previous_email != email {
if LocalUser::is_email_taken(&mut context.pool(), email).await? {
return Err(LemmyErrorType::EmailAlreadyExists)?;
}
send_verification_email(
&local_user_view,
email,
@ -119,34 +122,7 @@ pub async fn save_user_settings(
..Default::default()
};
let local_user_res =
LocalUser::update(&mut context.pool(), local_user_id, &local_user_form).await;
let updated_local_user = match local_user_res {
Ok(u) => u,
Err(e) => {
let err_type = if e.to_string()
== "duplicate key value violates unique constraint \"local_user_email_key\""
{
LemmyErrorType::EmailAlreadyExists
} else {
LemmyErrorType::UserAlreadyExists
};
LocalUser::update(&mut context.pool(), local_user_id, &local_user_form).await?;
return Err(e).with_lemmy_type(err_type);
}
};
// Return the jwt
Ok(Json(LoginResponse {
jwt: Some(
Claims::jwt(
updated_local_user.id.0,
&context.secret().jwt_secret,
&context.settings().hostname,
)?
.into(),
),
verify_email_sent: false,
registration_created: false,
}))
Ok(Json(SuccessResponse::default()))
}

View File

@ -34,6 +34,7 @@ full = [
"actix-web",
"futures",
"once_cell",
"jsonwebtoken",
]
[dependencies]
@ -64,5 +65,10 @@ reqwest = { workspace = true, optional = true }
ts-rs = { workspace = true, optional = true }
once_cell = { workspace = true, optional = true }
actix-web = { workspace = true, optional = true }
jsonwebtoken = { version = "8.3.0", optional = true }
# necessary for wasmt compilation
getrandom = { version = "0.2.10", features = ["js"] }
[dev-dependencies]
serial_test = { workspace = true }
reqwest-middleware = { workspace = true }

View File

@ -0,0 +1,141 @@
use crate::{context::LemmyContext, sensitive::Sensitive};
use actix_web::{http::header::USER_AGENT, HttpRequest};
use chrono::Utc;
use jsonwebtoken::{decode, encode, DecodingKey, EncodingKey, Header, Validation};
use lemmy_db_schema::{
newtypes::LocalUserId,
source::login_token::{LoginToken, LoginTokenCreateForm},
};
use lemmy_utils::error::{LemmyErrorExt, LemmyErrorType, LemmyResult};
use serde::{Deserialize, Serialize};
#[derive(Debug, Serialize, Deserialize)]
pub struct Claims {
/// local_user_id, standard claim by RFC 7519.
pub sub: String,
pub iss: String,
/// Time when this token was issued as UNIX-timestamp in seconds
pub iat: i64,
}
impl Claims {
pub async fn validate(jwt: &str, context: &LemmyContext) -> LemmyResult<LocalUserId> {
let mut validation = Validation::default();
validation.validate_exp = false;
validation.required_spec_claims.remove("exp");
let jwt_secret = &context.secret().jwt_secret;
let key = DecodingKey::from_secret(jwt_secret.as_ref());
let claims =
decode::<Claims>(jwt, &key, &validation).with_lemmy_type(LemmyErrorType::NotLoggedIn)?;
let user_id = LocalUserId(claims.claims.sub.parse()?);
let is_valid = LoginToken::validate(&mut context.pool(), user_id, jwt).await?;
if !is_valid {
Err(LemmyErrorType::NotLoggedIn)?
} else {
Ok(user_id)
}
}
pub async fn generate(
user_id: LocalUserId,
req: HttpRequest,
context: &LemmyContext,
) -> LemmyResult<Sensitive<String>> {
let hostname = context.settings().hostname.clone();
let my_claims = Claims {
sub: user_id.0.to_string(),
iss: hostname,
iat: Utc::now().timestamp(),
};
let secret = &context.secret().jwt_secret;
let key = EncodingKey::from_secret(secret.as_ref());
let token = encode(&Header::default(), &my_claims, &key)?;
let ip = req
.connection_info()
.realip_remote_addr()
.map(ToString::to_string);
let user_agent = req
.headers()
.get(USER_AGENT)
.and_then(|ua| ua.to_str().ok())
.map(ToString::to_string);
let form = LoginTokenCreateForm {
token: token.clone(),
user_id,
ip,
user_agent,
};
LoginToken::create(&mut context.pool(), form).await?;
Ok(Sensitive::new(token))
}
}
#[cfg(test)]
mod tests {
#![allow(clippy::unwrap_used)]
#![allow(clippy::indexing_slicing)]
use crate::{claims::Claims, context::LemmyContext};
use actix_web::test::TestRequest;
use lemmy_db_schema::{
source::{
instance::Instance,
local_user::{LocalUser, LocalUserInsertForm},
person::{Person, PersonInsertForm},
secret::Secret,
},
traits::Crud,
utils::build_db_pool_for_tests,
};
use lemmy_utils::rate_limit::{RateLimitCell, RateLimitConfig};
use reqwest::Client;
use reqwest_middleware::ClientBuilder;
use serial_test::serial;
#[tokio::test]
#[serial]
async fn test_should_not_validate_user_token_after_password_change() {
let pool_ = build_db_pool_for_tests().await;
let pool = &mut (&pool_).into();
let secret = Secret::init(pool).await.unwrap();
let context = LemmyContext::create(
pool_.clone(),
ClientBuilder::new(Client::default()).build(),
secret,
RateLimitCell::new(RateLimitConfig::builder().build())
.await
.clone(),
);
let inserted_instance = Instance::read_or_create(pool, "my_domain.tld".to_string())
.await
.unwrap();
let new_person = PersonInsertForm::builder()
.name("Gerry9812".into())
.public_key("pubkey".to_string())
.instance_id(inserted_instance.id)
.build();
let inserted_person = Person::create(pool, &new_person).await.unwrap();
let local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_person.id)
.password_encrypted("123456".to_string())
.build();
let inserted_local_user = LocalUser::create(pool, &local_user_form).await.unwrap();
let req = TestRequest::default().to_http_request();
let jwt = Claims::generate(inserted_local_user.id, req, &context)
.await
.unwrap();
let valid = Claims::validate(&jwt, &context).await;
assert!(valid.is_ok());
let num_deleted = Person::delete(pool, inserted_person.id).await.unwrap();
assert_eq!(1, num_deleted);
}
}

View File

@ -1,5 +1,7 @@
#[cfg(feature = "full")]
pub mod build_response;
#[cfg(feature = "full")]
pub mod claims;
pub mod comment;
pub mod community;
#[cfg(feature = "full")]
@ -21,3 +23,19 @@ pub extern crate lemmy_db_schema;
pub extern crate lemmy_db_views;
pub extern crate lemmy_db_views_actor;
pub extern crate lemmy_db_views_moderator;
use serde::{Deserialize, Serialize};
#[derive(Debug, Serialize, Deserialize, Clone)]
#[cfg_attr(feature = "full", derive(ts_rs::TS))]
#[cfg_attr(feature = "full", ts(export))]
/// Saves settings for your user.
pub struct SuccessResponse {
pub success: bool,
}
impl Default for SuccessResponse {
fn default() -> Self {
SuccessResponse { success: true }
}
}

View File

@ -1,4 +1,10 @@
use crate::{context::LemmyContext, request::purge_image_from_pictrs, site::FederatedInstances};
use crate::{
context::LemmyContext,
request::purge_image_from_pictrs,
sensitive::Sensitive,
site::FederatedInstances,
};
use actix_web::cookie::{Cookie, SameSite};
use anyhow::Context;
use chrono::{DateTime, Utc};
use lemmy_db_schema::{
@ -38,6 +44,8 @@ use rosetta_i18n::{Language, LanguageId};
use tracing::warn;
use url::{ParseError, Url};
pub static AUTH_COOKIE_NAME: &str = "auth";
#[tracing::instrument(skip_all)]
pub async fn is_mod_or_admin(
pool: &mut DbPool<'_>,
@ -743,6 +751,14 @@ pub fn sanitize_html_federation_opt(data: &Option<String>) -> Option<String> {
data.as_ref().map(|d| sanitize_html_federation(d))
}
pub fn create_login_cookie(jwt: Sensitive<String>) -> Cookie<'static> {
let mut cookie = Cookie::new(AUTH_COOKIE_NAME, jwt.into_inner());
cookie.set_secure(true);
cookie.set_same_site(SameSite::Lax);
cookie.set_http_only(true);
cookie
}
#[cfg(test)]
mod tests {
#![allow(clippy::unwrap_used)]

View File

@ -24,8 +24,8 @@ use lemmy_utils::{
#[tracing::instrument(skip(context))]
pub async fn get_site(
context: Data<LemmyContext>,
local_user_view: Option<LocalUserView>,
context: Data<LemmyContext>,
) -> Result<Json<GetSiteResponse>, LemmyError> {
let site_view = SiteView::read_local(&mut context.pool()).await?;

View File

@ -1,9 +1,11 @@
use activitypub_federation::{config::Data, http_signatures::generate_actor_keypair};
use actix_web::web::Json;
use actix_web::{http::StatusCode, web::Json, HttpRequest, HttpResponse, HttpResponseBuilder};
use lemmy_api_common::{
claims::Claims,
context::LemmyContext,
person::{LoginResponse, Register},
utils::{
create_login_cookie,
generate_inbox_url,
generate_local_apub_endpoint,
generate_shared_inbox_url,
@ -30,7 +32,6 @@ use lemmy_db_schema::{
};
use lemmy_db_views::structs::{LocalUserView, SiteView};
use lemmy_utils::{
claims::Claims,
error::{LemmyError, LemmyErrorExt, LemmyErrorType},
utils::{
slurs::{check_slurs, check_slurs_opt},
@ -41,8 +42,9 @@ use lemmy_utils::{
#[tracing::instrument(skip(context))]
pub async fn register(
data: Json<Register>,
req: HttpRequest,
context: Data<LemmyContext>,
) -> Result<Json<LoginResponse>, LemmyError> {
) -> Result<HttpResponse, LemmyError> {
let site_view = SiteView::read_local(&mut context.pool()).await?;
let local_site = site_view.local_site;
let require_registration_application =
@ -164,6 +166,7 @@ pub async fn register(
.await?;
}
let mut res = HttpResponseBuilder::new(StatusCode::OK);
let mut login_response = LoginResponse {
jwt: None,
registration_created: false,
@ -174,14 +177,9 @@ pub async fn register(
if !local_site.site_setup
|| (!require_registration_application && !local_site.require_email_verification)
{
login_response.jwt = Some(
Claims::jwt(
inserted_local_user.id.0,
&context.secret().jwt_secret,
&context.settings().hostname,
)?
.into(),
);
let jwt = Claims::generate(inserted_local_user.id, req, &context).await?;
res.cookie(create_login_cookie(jwt.clone()));
login_response.jwt = Some(jwt);
} else {
if local_site.require_email_verification {
let local_user_view = LocalUserView {
@ -211,5 +209,5 @@ pub async fn register(
}
}
Ok(Json(login_response))
Ok(res.json(login_response))
}

View File

@ -7,7 +7,7 @@ use lemmy_api_common::{
send_activity::{ActivityChannel, SendActivityData},
utils::purge_user_account,
};
use lemmy_db_schema::source::person::Person;
use lemmy_db_schema::source::{login_token::LoginToken, person::Person};
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::error::{LemmyError, LemmyErrorType};
@ -33,6 +33,8 @@ pub async fn delete_account(
Person::delete_account(&mut context.pool(), local_user_view.person.id).await?;
}
LoginToken::invalidate_all(&mut context.pool(), local_user_view.local_user.id).await?;
ActivityChannel::submit_activity(
SendActivityData::DeleteUser(local_user_view.person, data.delete_content),
&context,

View File

@ -6,14 +6,17 @@ use crate::{
email_verified,
local_user,
password_encrypted,
validator_time,
},
source::{
actor_language::{LocalUserLanguage, SiteLanguage},
local_user::{LocalUser, LocalUserInsertForm, LocalUserUpdateForm},
},
traits::Crud,
utils::{get_conn, naive_now, DbPool},
utils::{
functions::{coalesce, lower},
get_conn,
DbPool,
},
};
use bcrypt::{hash, DEFAULT_COST};
use diesel::{dsl::insert_into, result::Error, ExpressionMethods, QueryDsl};
@ -29,10 +32,7 @@ impl LocalUser {
let password_hash = hash(new_password, DEFAULT_COST).expect("Couldn't hash password");
diesel::update(local_user.find(local_user_id))
.set((
password_encrypted.eq(password_hash),
validator_time.eq(naive_now()),
))
.set((password_encrypted.eq(password_hash),))
.get_result::<Self>(conn)
.await
}
@ -58,9 +58,11 @@ impl LocalUser {
pub async fn is_email_taken(pool: &mut DbPool<'_>, email_: &str) -> Result<bool, Error> {
use diesel::dsl::{exists, select};
let conn = &mut get_conn(pool).await?;
select(exists(local_user.filter(email.eq(email_))))
.get_result(conn)
.await
select(exists(
local_user.filter(lower(coalesce(email, "")).eq(email_.to_lowercase())),
))
.get_result(conn)
.await
}
}

View File

@ -0,0 +1,66 @@
use crate::{
diesel::{ExpressionMethods, QueryDsl},
newtypes::LocalUserId,
schema::login_token::{dsl::login_token, token, user_id},
source::login_token::{LoginToken, LoginTokenCreateForm},
utils::{get_conn, DbPool},
};
use diesel::{delete, dsl::exists, insert_into, result::Error, select};
use diesel_async::RunQueryDsl;
impl LoginToken {
pub async fn create(pool: &mut DbPool<'_>, form: LoginTokenCreateForm) -> Result<Self, Error> {
let conn = &mut get_conn(pool).await?;
insert_into(login_token)
.values(form)
.get_result::<Self>(conn)
.await
}
/// Check if the given token is valid for user.
pub async fn validate(
pool: &mut DbPool<'_>,
user_id_: LocalUserId,
token_: &str,
) -> Result<bool, Error> {
let conn = &mut get_conn(pool).await?;
select(exists(
login_token
.filter(user_id.eq(user_id_))
.filter(token.eq(token_)),
))
.get_result(conn)
.await
}
pub async fn list(
pool: &mut DbPool<'_>,
user_id_: LocalUserId,
) -> Result<Vec<LoginToken>, Error> {
let conn = &mut get_conn(pool).await?;
login_token
.filter(user_id.eq(user_id_))
.get_results(conn)
.await
}
/// Invalidate specific token on user logout.
pub async fn invalidate(pool: &mut DbPool<'_>, token_: &str) -> Result<usize, Error> {
let conn = &mut get_conn(pool).await?;
delete(login_token.filter(token.eq(token_)))
.execute(conn)
.await
}
/// Invalidate all logins of given user on password reset/change, account deletion or site ban.
pub async fn invalidate_all(
pool: &mut DbPool<'_>,
user_id_: LocalUserId,
) -> Result<usize, Error> {
let conn = &mut get_conn(pool).await?;
delete(login_token.filter(user_id.eq(user_id_)))
.execute(conn)
.await
}
}

View File

@ -17,6 +17,7 @@ pub mod language;
pub mod local_site;
pub mod local_site_rate_limit;
pub mod local_user;
pub mod login_token;
pub mod moderator;
pub mod password_reset_request;
pub mod person;

View File

@ -68,10 +68,7 @@ impl Person {
// Set the local user info to none
diesel::update(local_user::table.filter(local_user::person_id.eq(person_id)))
.set((
local_user::email.eq::<Option<String>>(None),
local_user::validator_time.eq(naive_now()),
))
.set(local_user::email.eq::<Option<String>>(None))
.execute(conn)
.await?;

View File

@ -428,7 +428,6 @@ diesel::table! {
interface_language -> Varchar,
show_avatars -> Bool,
send_notifications_to_email -> Bool,
validator_time -> Timestamptz,
show_scores -> Bool,
show_bot_accounts -> Bool,
show_read_posts -> Bool,
@ -454,6 +453,17 @@ diesel::table! {
}
}
diesel::table! {
login_token (id) {
id -> Int4,
token -> Text,
user_id -> Int4,
published -> Timestamptz,
ip -> Nullable<Text>,
user_agent -> Nullable<Text>,
}
}
diesel::table! {
mod_add (id) {
id -> Int4,
@ -945,6 +955,7 @@ diesel::joinable!(local_site_rate_limit -> local_site (local_site_id));
diesel::joinable!(local_user -> person (person_id));
diesel::joinable!(local_user_language -> language (language_id));
diesel::joinable!(local_user_language -> local_user (local_user_id));
diesel::joinable!(login_token -> local_user (user_id));
diesel::joinable!(mod_add_community -> community (community_id));
diesel::joinable!(mod_ban_from_community -> community (community_id));
diesel::joinable!(mod_feature_post -> person (mod_person_id));
@ -1024,6 +1035,7 @@ diesel::allow_tables_to_appear_in_same_query!(
local_site_rate_limit,
local_user,
local_user_language,
login_token,
mod_add,
mod_add_community,
mod_ban,

View File

@ -6,7 +6,6 @@ use crate::{
PostListingMode,
SortType,
};
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use serde_with::skip_serializing_none;
#[cfg(feature = "full")]
@ -35,8 +34,6 @@ pub struct LocalUser {
/// Whether to show avatars.
pub show_avatars: bool,
pub send_notifications_to_email: bool,
/// A validation ID used in logging out sessions.
pub validator_time: DateTime<Utc>,
/// Whether to show comment / post scores.
pub show_scores: bool,
/// Whether to show bot accounts.

View File

@ -0,0 +1,32 @@
use crate::newtypes::LocalUserId;
#[cfg(feature = "full")]
use crate::schema::login_token;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
/// Stores data related to a specific user login session.
#[derive(Clone, PartialEq, Eq, Debug, Serialize, Deserialize)]
#[cfg_attr(feature = "full", derive(Queryable, Identifiable))]
#[cfg_attr(feature = "full", diesel(table_name = login_token))]
pub struct LoginToken {
pub id: i32,
/// Jwt token for this login
#[serde(skip)]
pub token: String,
pub user_id: LocalUserId,
/// Time of login
pub published: DateTime<Utc>,
/// IP address where login was made from, allows invalidating logins by IP address.
/// Could be stored in truncated format, or store derived information for better privacy.
pub ip: Option<String>,
pub user_agent: Option<String>,
}
#[cfg_attr(feature = "full", derive(Insertable, AsChangeset))]
#[cfg_attr(feature = "full", diesel(table_name = login_token))]
pub struct LoginTokenCreateForm {
pub token: String,
pub user_id: LocalUserId,
pub ip: Option<String>,
pub user_agent: Option<String>,
}

View File

@ -22,6 +22,7 @@ pub mod language;
pub mod local_site;
pub mod local_site_rate_limit;
pub mod local_user;
pub mod login_token;
pub mod moderator;
pub mod password_reset_request;
pub mod person;

View File

@ -254,7 +254,6 @@ mod tests {
interface_language: inserted_sara_local_user.interface_language,
show_avatars: inserted_sara_local_user.show_avatars,
send_notifications_to_email: inserted_sara_local_user.send_notifications_to_email,
validator_time: inserted_sara_local_user.validator_time,
show_bot_accounts: inserted_sara_local_user.show_bot_accounts,
show_scores: inserted_sara_local_user.show_scores,
show_read_posts: inserted_sara_local_user.show_read_posts,

View File

@ -1,19 +1,18 @@
use crate::local_user_view_from_jwt;
use actix_web::{error::ErrorBadRequest, web, Error, HttpRequest, HttpResponse, Result};
use anyhow::anyhow;
use chrono::{DateTime, Utc};
use lemmy_api_common::context::LemmyContext;
use lemmy_db_schema::{
newtypes::LocalUserId,
source::{community::Community, local_user::LocalUser, person::Person},
traits::{ApubActor, Crud},
utils::DbPool,
source::{community::Community, person::Person},
traits::ApubActor,
CommentSortType,
ListingType,
SortType,
};
use lemmy_db_views::{
post_view::PostQuery,
structs::{LocalUserView, PostView, SiteView},
structs::{PostView, SiteView},
};
use lemmy_db_views_actor::{
comment_reply_view::CommentReplyQuery,
@ -22,7 +21,6 @@ use lemmy_db_views_actor::{
};
use lemmy_utils::{
cache_header::cache_1hour,
claims::Claims,
error::LemmyError,
utils::markdown::markdown_to_html,
};
@ -182,53 +180,38 @@ async fn get_feed(
_ => return Err(ErrorBadRequest(LemmyError::from(anyhow!("wrong_type")))),
};
let jwt_secret = context.secret().jwt_secret.clone();
let protocol_and_hostname = context.settings().get_protocol_and_hostname();
let builder = match request_type {
RequestType::User => {
get_feed_user(
&mut context.pool(),
&context,
&info.sort_type()?,
&info.get_limit(),
&info.get_page(),
&param,
&protocol_and_hostname,
)
.await
}
RequestType::Community => {
get_feed_community(
&mut context.pool(),
&context,
&info.sort_type()?,
&info.get_limit(),
&info.get_page(),
&param,
&protocol_and_hostname,
)
.await
}
RequestType::Front => {
get_feed_front(
&mut context.pool(),
&jwt_secret,
&context,
&info.sort_type()?,
&info.get_limit(),
&info.get_page(),
&param,
&protocol_and_hostname,
)
.await
}
RequestType::Inbox => {
get_feed_inbox(
&mut context.pool(),
&jwt_secret,
&param,
&protocol_and_hostname,
)
.await
}
RequestType::Inbox => get_feed_inbox(&context, &param).await,
}
.map_err(ErrorBadRequest)?;
@ -243,15 +226,14 @@ async fn get_feed(
#[tracing::instrument(skip_all)]
async fn get_feed_user(
pool: &mut DbPool<'_>,
context: &LemmyContext,
sort_type: &SortType,
limit: &i64,
page: &i64,
user_name: &str,
protocol_and_hostname: &str,
) -> Result<ChannelBuilder, LemmyError> {
let site_view = SiteView::read_local(pool).await?;
let person = Person::read_from_name(pool, user_name, false).await?;
let site_view = SiteView::read_local(&mut context.pool()).await?;
let person = Person::read_from_name(&mut context.pool(), user_name, false).await?;
let posts = PostQuery {
listing_type: (Some(ListingType::All)),
@ -261,10 +243,10 @@ async fn get_feed_user(
page: (Some(*page)),
..Default::default()
}
.list(pool)
.list(&mut context.pool())
.await?;
let items = create_post_items(posts, protocol_and_hostname)?;
let items = create_post_items(posts, &context.settings().get_protocol_and_hostname())?;
let mut channel_builder = ChannelBuilder::default();
channel_builder
@ -278,15 +260,14 @@ async fn get_feed_user(
#[tracing::instrument(skip_all)]
async fn get_feed_community(
pool: &mut DbPool<'_>,
context: &LemmyContext,
sort_type: &SortType,
limit: &i64,
page: &i64,
community_name: &str,
protocol_and_hostname: &str,
) -> Result<ChannelBuilder, LemmyError> {
let site_view = SiteView::read_local(pool).await?;
let community = Community::read_from_name(pool, community_name, false).await?;
let site_view = SiteView::read_local(&mut context.pool()).await?;
let community = Community::read_from_name(&mut context.pool(), community_name, false).await?;
let posts = PostQuery {
sort: (Some(*sort_type)),
@ -295,10 +276,10 @@ async fn get_feed_community(
page: (Some(*page)),
..Default::default()
}
.list(pool)
.list(&mut context.pool())
.await?;
let items = create_post_items(posts, protocol_and_hostname)?;
let items = create_post_items(posts, &context.settings().get_protocol_and_hostname())?;
let mut channel_builder = ChannelBuilder::default();
channel_builder
@ -316,17 +297,14 @@ async fn get_feed_community(
#[tracing::instrument(skip_all)]
async fn get_feed_front(
pool: &mut DbPool<'_>,
jwt_secret: &str,
context: &LemmyContext,
sort_type: &SortType,
limit: &i64,
page: &i64,
jwt: &str,
protocol_and_hostname: &str,
) -> Result<ChannelBuilder, LemmyError> {
let site_view = SiteView::read_local(pool).await?;
let local_user_id = LocalUserId(Claims::decode(jwt, jwt_secret)?.claims.sub);
let local_user = LocalUserView::read(pool, local_user_id).await?;
let site_view = SiteView::read_local(&mut context.pool()).await?;
let local_user = local_user_view_from_jwt(jwt, context).await?;
let posts = PostQuery {
listing_type: (Some(ListingType::Subscribed)),
@ -336,10 +314,11 @@ async fn get_feed_front(
page: (Some(*page)),
..Default::default()
}
.list(pool)
.list(&mut context.pool())
.await?;
let items = create_post_items(posts, protocol_and_hostname)?;
let protocol_and_hostname = context.settings().get_protocol_and_hostname();
let items = create_post_items(posts, &protocol_and_hostname)?;
let mut channel_builder = ChannelBuilder::default();
channel_builder
@ -356,17 +335,11 @@ async fn get_feed_front(
}
#[tracing::instrument(skip_all)]
async fn get_feed_inbox(
pool: &mut DbPool<'_>,
jwt_secret: &str,
jwt: &str,
protocol_and_hostname: &str,
) -> Result<ChannelBuilder, LemmyError> {
let site_view = SiteView::read_local(pool).await?;
let local_user_id = LocalUserId(Claims::decode(jwt, jwt_secret)?.claims.sub);
let local_user = LocalUser::read(pool, local_user_id).await?;
let person_id = local_user.person_id;
let show_bot_accounts = local_user.show_bot_accounts;
async fn get_feed_inbox(context: &LemmyContext, jwt: &str) -> Result<ChannelBuilder, LemmyError> {
let site_view = SiteView::read_local(&mut context.pool()).await?;
let local_user = local_user_view_from_jwt(jwt, context).await?;
let person_id = local_user.local_user.person_id;
let show_bot_accounts = local_user.local_user.show_bot_accounts;
let sort = CommentSortType::New;
@ -378,7 +351,7 @@ async fn get_feed_inbox(
limit: (Some(RSS_FETCH_LIMIT)),
..Default::default()
}
.list(pool)
.list(&mut context.pool())
.await?;
let mentions = PersonMentionQuery {
@ -389,10 +362,11 @@ async fn get_feed_inbox(
limit: (Some(RSS_FETCH_LIMIT)),
..Default::default()
}
.list(pool)
.list(&mut context.pool())
.await?;
let items = create_reply_and_mention_items(replies, mentions, protocol_and_hostname)?;
let protocol_and_hostname = context.settings().get_protocol_and_hostname();
let items = create_reply_and_mention_items(replies, mentions, &protocol_and_hostname)?;
let mut channel_builder = ChannelBuilder::default();
channel_builder

View File

@ -93,17 +93,15 @@ fn adapt_request(
async fn upload(
req: HttpRequest,
body: web::Payload,
client: web::Data<ClientWithMiddleware>,
context: web::Data<LemmyContext>,
// require login
local_user_view: LocalUserView,
context: web::Data<LemmyContext>,
) -> Result<HttpResponse, Error> {
// TODO: check rate limit here
let pictrs_config = context.settings().pictrs_config()?;
let image_url = format!("{}image", pictrs_config.url);
let mut client_req = adapt_request(&req, &client, image_url);
let mut client_req = adapt_request(&req, context.client(), image_url);
if let Some(addr) = req.head().peer_addr {
client_req = client_req.header("X-Forwarded-For", addr.to_string())

View File

@ -1,4 +1,24 @@
use lemmy_api_common::{claims::Claims, context::LemmyContext, utils::check_user_valid};
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::error::LemmyError;
pub mod feeds;
pub mod images;
pub mod nodeinfo;
pub mod webfinger;
#[tracing::instrument(skip_all)]
async fn local_user_view_from_jwt(
jwt: &str,
context: &LemmyContext,
) -> Result<LocalUserView, LemmyError> {
let local_user_id = Claims::validate(jwt, context).await?;
let local_user_view = LocalUserView::read(&mut context.pool(), local_user_id).await?;
check_user_valid(
local_user_view.person.banned,
local_user_view.person.ban_expires,
local_user_view.person.deleted,
)?;
Ok(local_user_view)
}

View File

@ -44,7 +44,6 @@ openssl = "0.10.55"
html2text = "0.6.0"
deser-hjson = "1.2.0"
smart-default = "0.7.1"
jsonwebtoken = "8.3.0"
lettre = { version = "0.10.4", features = ["tokio1", "tokio1-native-tls"] }
markdown-it = "0.5.1"
ts-rs = { workspace = true, optional = true }

View File

@ -1,35 +0,0 @@
use crate::error::LemmyError;
use chrono::Utc;
use jsonwebtoken::{decode, encode, DecodingKey, EncodingKey, Header, TokenData, Validation};
use serde::{Deserialize, Serialize};
type Jwt = String;
#[derive(Debug, Serialize, Deserialize)]
pub struct Claims {
/// local_user_id, standard claim by RFC 7519.
pub sub: i32,
pub iss: String,
/// Time when this token was issued as UNIX-timestamp in seconds
pub iat: i64,
}
impl Claims {
pub fn decode(jwt: &str, jwt_secret: &str) -> Result<TokenData<Claims>, LemmyError> {
let mut validation = Validation::default();
validation.validate_exp = false;
validation.required_spec_claims.remove("exp");
let key = DecodingKey::from_secret(jwt_secret.as_ref());
Ok(decode::<Claims>(jwt, &key, &validation)?)
}
pub fn jwt(local_user_id: i32, jwt_secret: &str, hostname: &str) -> Result<Jwt, LemmyError> {
let my_claims = Claims {
sub: local_user_id,
iss: hostname.to_string(),
iat: Utc::now().timestamp(),
};
let key = EncodingKey::from_secret(jwt_secret.as_ref());
Ok(encode(&Header::default(), &my_claims, &key)?)
}
}

View File

@ -213,6 +213,7 @@ pub enum LemmyErrorType {
CouldntSendWebmention,
ContradictingFilters,
InstanceBlockAlreadyExists,
/// `jwt` cookie must be marked secure and httponly
AuthCookieInsecure,
Unknown(String),
}

View File

@ -6,13 +6,11 @@ extern crate smart_default;
pub mod apub;
pub mod cache_header;
pub mod email;
pub mod rate_limit;
pub mod settings;
pub mod claims;
pub mod error;
pub mod rate_limit;
pub mod request;
pub mod response;
pub mod settings;
pub mod utils;
pub mod version;

@ -1 +1 @@
Subproject commit e943f97fe481dc425acdebc8872bf1fdcabaf875
Subproject commit 18da10858d8c63750beb06247947f25d91944741

View File

@ -0,0 +1,5 @@
DROP TABLE login_token;
ALTER TABLE local_user
ADD COLUMN validator_time timestamp NOT NULL DEFAULT now();

View File

@ -0,0 +1,15 @@
CREATE TABLE login_token (
id serial PRIMARY KEY,
token text NOT NULL UNIQUE,
user_id int REFERENCES local_user ON UPDATE CASCADE ON DELETE CASCADE NOT NULL,
published timestamptz NOT NULL DEFAULT now(),
ip text,
user_agent text
);
CREATE INDEX idx_login_token_user_token ON login_token (user_id, token);
-- not needed anymore as we invalidate login tokens on password change
ALTER TABLE local_user
DROP COLUMN validator_time;

View File

@ -23,7 +23,9 @@ use lemmy_api::{
generate_totp_secret::generate_totp_secret,
get_captcha::get_captcha,
list_banned::list_banned_users,
list_logins::list_logins,
login::login,
logout::logout,
notifications::{
list_mentions::list_mentions,
list_replies::list_replies,
@ -273,6 +275,7 @@ pub fn config(cfg: &mut web::ServiceConfig, rate_limit: &RateLimitCell) {
.route("/block", web::post().to(block_person))
// Account actions. I don't like that they're in /user maybe /accounts
.route("/login", web::post().to(login))
.route("/logout", web::post().to(logout))
.route("/delete_account", web::post().to(delete_account))
.route("/password_reset", web::post().to(reset_password))
.route(
@ -291,7 +294,8 @@ pub fn config(cfg: &mut web::ServiceConfig, rate_limit: &RateLimitCell) {
.route("/verify_email", web::post().to(verify_email))
.route("/leave_admin", web::post().to(leave_admin))
.route("/totp/generate", web::post().to(generate_totp_secret))
.route("/totp/update", web::post().to(update_totp)),
.route("/totp/update", web::post().to(update_totp))
.route("/list_logins", web::get().to(list_logins)),
)
// Admin Actions
.service(

View File

@ -1,30 +1,23 @@
use actix_web::{
body::MessageBody,
cookie::SameSite,
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
http::header::{Header, CACHE_CONTROL},
http::header::CACHE_CONTROL,
Error,
HttpMessage,
};
use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
use chrono::{DateTime, Utc};
use core::future::Ready;
use futures_util::future::LocalBoxFuture;
use lemmy_api::read_auth_token;
use lemmy_api_common::{
claims::Claims,
context::LemmyContext,
lemmy_db_views::structs::LocalUserView,
utils::check_user_valid,
};
use lemmy_db_schema::newtypes::LocalUserId;
use lemmy_utils::{
claims::Claims,
error::{LemmyError, LemmyErrorExt2, LemmyErrorType},
};
use lemmy_utils::error::{LemmyError, LemmyErrorExt2, LemmyErrorType};
use reqwest::header::HeaderValue;
use std::{future::ready, rc::Rc};
static AUTH_COOKIE_NAME: &str = "auth";
#[derive(Clone)]
pub struct SessionMiddleware {
context: LemmyContext,
@ -77,25 +70,7 @@ where
let context = self.context.clone();
Box::pin(async move {
let auth_header = Authorization::<Bearer>::parse(&req).ok();
let jwt = if let Some(a) = auth_header {
Some(a.as_ref().token().to_string())
}
// If that fails, try auth cookie. Dont use the `jwt` cookie from lemmy-ui because
// its not http-only.
else {
let auth_cookie = req.cookie(AUTH_COOKIE_NAME);
if let Some(a) = &auth_cookie {
// ensure that its marked as httponly and secure
let secure = a.secure().unwrap_or_default();
let http_only = a.http_only().unwrap_or_default();
let same_site = a.same_site();
if !secure || !http_only || same_site != Some(SameSite::Strict) {
return Err(LemmyError::from(LemmyErrorType::AuthCookieInsecure).into());
}
}
auth_cookie.map(|c| c.value().to_string())
};
let jwt = read_auth_token(req.request())?;
if let Some(jwt) = &jwt {
// Ignore any invalid auth so the site can still be used
@ -130,10 +105,9 @@ async fn local_user_view_from_jwt(
jwt: &str,
context: &LemmyContext,
) -> Result<LocalUserView, LemmyError> {
let claims = Claims::decode(jwt, &context.secret().jwt_secret)
.with_lemmy_type(LemmyErrorType::NotLoggedIn)?
.claims;
let local_user_id = LocalUserId(claims.sub);
let local_user_id = Claims::validate(jwt, context)
.await
.with_lemmy_type(LemmyErrorType::NotLoggedIn)?;
let local_user_view = LocalUserView::read(&mut context.pool(), local_user_id).await?;
check_user_valid(
local_user_view.person.banned,
@ -141,27 +115,16 @@ async fn local_user_view_from_jwt(
local_user_view.person.deleted,
)?;
check_validator_time(&local_user_view.local_user.validator_time, &claims)?;
Ok(local_user_view)
}
/// Checks if user's token was issued before user's password reset.
fn check_validator_time(validator_time: &DateTime<Utc>, claims: &Claims) -> Result<(), LemmyError> {
let user_validation_time = validator_time.timestamp();
if user_validation_time > claims.iat {
Err(LemmyErrorType::NotLoggedIn)?
} else {
Ok(())
}
}
#[cfg(test)]
mod tests {
#![allow(clippy::unwrap_used)]
#![allow(clippy::indexing_slicing)]
use super::*;
use actix_web::test::TestRequest;
use lemmy_db_schema::{
source::{
instance::Instance,
@ -172,21 +135,29 @@ mod tests {
traits::Crud,
utils::build_db_pool_for_tests,
};
use lemmy_utils::{claims::Claims, settings::SETTINGS};
use lemmy_utils::rate_limit::{RateLimitCell, RateLimitConfig};
use reqwest::Client;
use reqwest_middleware::ClientBuilder;
use serial_test::serial;
use std::env;
use std::env::set_current_dir;
#[tokio::test]
#[serial]
async fn test_session_auth() {
let pool = &build_db_pool_for_tests().await;
let pool = &mut pool.into();
let secret = Secret::init(pool).await.unwrap();
// hack, necessary so that config file can be loaded from hardcoded, relative path
set_current_dir("crates/utils").unwrap();
// test.sh sets `LEMMY_CONFIG_LOCATION=../../config/config.hjson` for code under crates folder.
// this results in a config not found error, so we need to unset this var and use default.
env::remove_var("LEMMY_CONFIG_LOCATION");
let settings = &SETTINGS.to_owned();
let pool_ = build_db_pool_for_tests().await;
let pool = &mut (&pool_).into();
let secret = Secret::init(pool).await.unwrap();
let context = LemmyContext::create(
pool_.clone(),
ClientBuilder::new(Client::default()).build(),
secret,
RateLimitCell::new(RateLimitConfig::builder().build())
.await
.clone(),
);
let inserted_instance = Instance::read_or_create(pool, "my_domain.tld".to_string())
.await
@ -207,23 +178,13 @@ mod tests {
let inserted_local_user = LocalUser::create(pool, &local_user_form).await.unwrap();
let jwt = Claims::jwt(
inserted_local_user.id.0,
&secret.jwt_secret,
&settings.hostname,
)
.unwrap();
let claims = Claims::decode(&jwt, &secret.jwt_secret).unwrap().claims;
let check = check_validator_time(&inserted_local_user.validator_time, &claims);
assert!(check.is_ok());
let req = TestRequest::default().to_http_request();
let jwt = Claims::generate(inserted_local_user.id, req, &context)
.await
.unwrap();
// The check should fail, since the validator time is now newer than the jwt issue time
let updated_local_user =
LocalUser::update_password(pool, inserted_local_user.id, "password111")
.await
.unwrap();
let check_after = check_validator_time(&updated_local_user.validator_time, &claims);
assert!(check_after.is_err());
let valid = Claims::validate(&jwt, &context).await;
assert!(valid.is_ok());
let num_deleted = Person::delete(pool, inserted_person.id).await.unwrap();
assert_eq!(1, num_deleted);