JavaScript is disabled, refresh for a better experience. ambee/giterated

ambee/giterated

Git repository hosting, collaboration, and discovery for the Fediverse.

fixes

View files Patch

Amber - ⁨2⁩ years ago

parent: tbd commit: ⁨b91129f

⁨src/authentication.rs⁩ - ⁨5230⁩ bytes
Raw
1 use std::{error::Error, time::SystemTime};
2
3 use jsonwebtoken::{decode, encode, Algorithm, DecodingKey, EncodingKey, TokenData, Validation};
4 use serde::{Deserialize, Serialize};
5 use tokio::{fs::File, io::AsyncReadExt};
6 use toml::Table;
7
8 use crate::{
9 messages::{
10 authentication::{
11 AuthenticationTokenRequest, AuthenticationTokenResponse, TokenExtensionRequest,
12 TokenExtensionResponse,
13 },
14 InstanceAuthenticated,
15 },
16 model::{instance::Instance, user::User},
17 };
18
19 #[derive(Debug, Serialize, Deserialize)]
20 struct UserTokenMetadata {
21 user: User,
22 generated_for: Instance,
23 exp: u64,
24 }
25
26 pub struct AuthenticationTokenGranter {
27 pub config: Table,
28 }
29
30 impl AuthenticationTokenGranter {
31 pub async fn token_request(
32 &mut self,
33 raw_request: InstanceAuthenticated<AuthenticationTokenRequest>,
34 ) -> Result<AuthenticationTokenResponse, Box<dyn Error + Send>> {
35 let request = raw_request.inner().await;
36
37 info!("Ensuring token request is from the same instance...");
38 raw_request
39 .validate(&Instance {
40 url: String::from("giterated.dev"),
41 })
42 .await
43 .unwrap();
44
45 let secret_key = self.config["authentication"]["secret_key"]
46 .as_str()
47 .unwrap();
48 let private_key = {
49 let mut file = File::open(self.config["keys"]["private"].as_str().unwrap())
50 .await
51 .unwrap();
52
53 let mut key = vec![];
54 file.read_to_end(&mut key).await.unwrap();
55
56 key
57 };
58
59 if request.secret_key != secret_key {
60 error!("Incorrect secret key!");
61
62 panic!()
63 }
64
65 let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap();
66
67 let claims = UserTokenMetadata {
68 user: User {
69 username: String::from("ambee"),
70 instance: Instance {
71 url: String::from("giterated.dev"),
72 },
73 },
74 generated_for: Instance {
75 url: String::from("giterated.dev"),
76 },
77 exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap()
78 + std::time::Duration::from_secs(24 * 60 * 60))
79 .as_secs(),
80 };
81
82 let token = encode(
83 &jsonwebtoken::Header::new(Algorithm::RS256),
84 &claims,
85 &encoding_key,
86 )
87 .unwrap();
88
89 Ok(AuthenticationTokenResponse { token })
90 }
91
92 pub async fn extension_request(
93 &mut self,
94 raw_request: InstanceAuthenticated<TokenExtensionRequest>,
95 ) -> Result<TokenExtensionResponse, Box<dyn Error + Send>> {
96 let request = raw_request.inner().await;
97
98 // let server_public_key = {
99 // let mut file = File::open(self.config["keys"]["public"].as_str().unwrap())
100 // .await
101 // .unwrap();
102
103 // let mut key = String::default();
104 // file.read_to_string(&mut key).await.unwrap();
105
106 // key
107 // };
108
109 let server_public_key = public_key(&Instance {
110 url: String::from("giterated.dev"),
111 })
112 .await
113 .unwrap();
114
115 let verification_key = DecodingKey::from_rsa_pem(server_public_key.as_bytes()).unwrap();
116
117 let data: TokenData<UserTokenMetadata> = decode(
118 &request.token,
119 &verification_key,
120 &Validation::new(Algorithm::RS256),
121 )
122 .unwrap();
123
124 info!("Token Extension Request Token validated");
125
126 let secret_key = self.config["authentication"]["secret_key"]
127 .as_str()
128 .unwrap();
129
130 if request.secret_key != secret_key {
131 error!("Incorrect secret key!");
132
133 panic!()
134 }
135 // Validate request
136 raw_request
137 .validate(&data.claims.generated_for)
138 .await
139 .unwrap();
140 info!("Validated request for key extension");
141
142 let private_key = {
143 let mut file = File::open(self.config["keys"]["private"].as_str().unwrap())
144 .await
145 .unwrap();
146
147 let mut key = vec![];
148 file.read_to_end(&mut key).await.unwrap();
149
150 key
151 };
152
153 let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap();
154
155 let claims = UserTokenMetadata {
156 // TODO: Probably exploitable
157 user: data.claims.user,
158 generated_for: data.claims.generated_for,
159 exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap()
160 + std::time::Duration::from_secs(24 * 60 * 60))
161 .as_secs(),
162 };
163
164 let token = encode(
165 &jsonwebtoken::Header::new(Algorithm::RS256),
166 &claims,
167 &encoding_key,
168 )
169 .unwrap();
170
171 Ok(TokenExtensionResponse {
172 new_token: Some(token),
173 })
174 }
175 }
176
177 async fn public_key(instance: &Instance) -> Result<String, Box<dyn Error>> {
178 let key = reqwest::get(format!("https://{}/.giterated/pubkey.pem", instance.url))
179 .await?
180 .text()
181 .await?;
182
183 Ok(key)
184 }
185