From 1dec56ed14b60a3d774261399238f63327108bfb Mon Sep 17 00:00:00 2001
From: Philippe Loctaux <p@philippeloctaux.com>
Date: Sun, 19 Mar 2023 22:52:22 +0100
Subject: [PATCH] ezidam: authorize: don't prompt login if already
 authenticated

---
 crates/ezidam/src/guards/jwt/admin.rs         |  1 +
 crates/ezidam/src/guards/jwt/user.rs          |  4 +-
 crates/ezidam/src/routes/oauth.rs             |  2 +
 crates/ezidam/src/routes/oauth/authorize.rs   | 83 ++++++++++++-------
 .../templates/pages/oauth/authorize.html.tera | 20 ++++-
 5 files changed, 76 insertions(+), 34 deletions(-)

diff --git a/crates/ezidam/src/guards/jwt/admin.rs b/crates/ezidam/src/guards/jwt/admin.rs
index d5e34c9..d9bb62a 100644
--- a/crates/ezidam/src/guards/jwt/admin.rs
+++ b/crates/ezidam/src/guards/jwt/admin.rs
@@ -4,6 +4,7 @@ use jwt::JwtClaims;
 use rocket::request::{FromRequest, Outcome};
 use rocket::Request;
 
+#[derive(Debug)]
 pub struct JwtAdmin(pub JwtClaims);
 
 #[rocket::async_trait]
diff --git a/crates/ezidam/src/guards/jwt/user.rs b/crates/ezidam/src/guards/jwt/user.rs
index 685473a..5172afa 100644
--- a/crates/ezidam/src/guards/jwt/user.rs
+++ b/crates/ezidam/src/guards/jwt/user.rs
@@ -1,13 +1,15 @@
 use super::use_access_token_or_refresh_token;
+use super::Error;
 use jwt::JwtClaims;
 use rocket::request::{FromRequest, Outcome};
 use rocket::Request;
 
+#[derive(Debug)]
 pub struct JwtUser(pub JwtClaims);
 
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for JwtUser {
-    type Error = super::Error;
+    type Error = Error;
 
     async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
         let get_admin: Option<bool> = None;
diff --git a/crates/ezidam/src/routes/oauth.rs b/crates/ezidam/src/routes/oauth.rs
index d0398ca..8cc7f2b 100644
--- a/crates/ezidam/src/routes/oauth.rs
+++ b/crates/ezidam/src/routes/oauth.rs
@@ -15,6 +15,7 @@ pub fn routes() -> Vec<Route> {
 }
 
 pub mod content {
+    use jwt::JwtClaims;
     use rocket::serde::Serialize;
 
     #[derive(Serialize)]
@@ -23,6 +24,7 @@ pub mod content {
     pub struct Authorize {
         pub app_name: String,
         pub business_name: String,
+        pub user: Option<JwtClaims>,
     }
 
     #[derive(Serialize)]
diff --git a/crates/ezidam/src/routes/oauth/authorize.rs b/crates/ezidam/src/routes/oauth/authorize.rs
index 171be92..d030ecf 100644
--- a/crates/ezidam/src/routes/oauth/authorize.rs
+++ b/crates/ezidam/src/routes/oauth/authorize.rs
@@ -6,11 +6,10 @@ use rocket::{get, post};
 use settings::Settings;
 use users::User;
 
-// TODO: When already signed in, pass Result<GuardType> in existing routes directly
-
-#[get("/oauth/authorize?<auth_request..>", rank = 2)]
+#[get("/oauth/authorize?<auth_request..>", rank = 1)]
 pub async fn authorize_page(
     mut db: Connection<Database>,
+    user: Option<JwtUser>,
     flash: Option<FlashMessage<'_>>,
     auth_request: AuthenticationRequest<'_>,
 ) -> Result<Template> {
@@ -34,6 +33,7 @@ pub async fn authorize_page(
     let content = super::content::Authorize {
         app_name: app.label().into(),
         business_name: settings.business_name().into(),
+        user: user.map(|user| user.0),
     };
 
     Ok(flash
@@ -41,7 +41,7 @@ pub async fn authorize_page(
         .unwrap_or_else(|| Page::Authorize(content).into()))
 }
 
-#[get("/oauth/authorize", rank = 3)]
+#[get("/oauth/authorize", rank = 2)]
 pub async fn authorize_ezidam(mut db: Connection<Database>) -> Result<Redirect> {
     let mut transaction = db.begin().await?;
 
@@ -92,7 +92,8 @@ fn user_archived(login: &str, request: AuthenticationRequest) -> Flash<Redirect>
 
 #[post("/oauth/authorize?<auth_request..>", data = "<form>")]
 pub async fn authorize_form(
-    form: Form<Authorize<'_>>,
+    form: Option<Form<Authorize<'_>>>,
+    user: Option<JwtUser>,
     mut db: Connection<Database>,
     auth_request: AuthenticationRequest<'_>,
 ) -> Result<Either<Redirect, Flash<Redirect>>> {
@@ -108,41 +109,59 @@ pub async fn authorize_form(
     )
     .await?;
 
-    if form.login.is_empty() {
-        return Ok(Either::Right(invalid_form(auth_request)));
-    }
-    let form = form.into_inner();
+    let user_id = match user {
+        Some(user) => {
+            transaction.commit().await?;
 
-    // Get user
-    let Some(user) = User::get_by_login(&mut transaction, form.login).await? else {
-        return Ok(Either::Right(invalid_credentials(form.login, auth_request)));
+            UserID(user.0.subject)
+        }
+        None => {
+            let form = match form {
+                Some(form) => {
+                    if form.login.is_empty() {
+                        return Ok(Either::Right(invalid_form(auth_request)));
+                    }
+                    form.into_inner()
+                }
+                None => {
+                    return Ok(Either::Right(invalid_form(auth_request)));
+                }
+            };
+
+            // Get user
+            let Some(user) = User::get_by_login(&mut transaction, form.login).await? else {
+                return Ok(Either::Right(invalid_credentials(form.login, auth_request)));
+            };
+
+            transaction.commit().await?;
+
+            // Check if user is archived
+            if user.is_archived() {
+                return Ok(Either::Right(user_archived(form.login, auth_request)));
+            }
+
+            // Get password (can't use Password struct directly because of non-async `compare`)
+            let password = match user.password_hashed() {
+                Some(password_hashed) => Password::from_hash(password_hashed),
+                None => return Ok(Either::Right(invalid_credentials(form.login, auth_request))),
+            };
+
+            // Verify password
+            let password_input = form.password.to_string();
+            if !task::spawn_blocking(move || password.compare(&password_input)).await?? {
+                return Ok(Either::Right(invalid_credentials(form.login, auth_request)));
+            }
+
+            user.id().to_owned()
+        }
     };
 
-    transaction.commit().await?;
-
-    // Check if user is archived
-    if user.is_archived() {
-        return Ok(Either::Right(user_archived(form.login, auth_request)));
-    }
-
-    // Get password (can't use Password struct directly because of non-async `compare`)
-    let password = match user.password_hashed() {
-        Some(password_hashed) => Password::from_hash(password_hashed),
-        None => return Ok(Either::Right(invalid_credentials(form.login, auth_request))),
-    };
-
-    // Verify password
-    let password_input = form.password.to_string();
-    if !task::spawn_blocking(move || password.compare(&password_input)).await?? {
-        return Ok(Either::Right(invalid_credentials(form.login, auth_request)));
-    }
-
     // Generate authorization code
     let code = task::spawn_blocking(|| SecretString::new(35)).await?;
 
     // Save authorization code
     let mut transaction = db.begin().await?;
-    AuthorizationCode::insert(&mut transaction, code.as_ref(), app.id(), user.id()).await?;
+    AuthorizationCode::insert(&mut transaction, code.as_ref(), app.id(), &user_id).await?;
     transaction.commit().await?;
 
     // Construct uri to redirect to
diff --git a/crates/ezidam/templates/pages/oauth/authorize.html.tera b/crates/ezidam/templates/pages/oauth/authorize.html.tera
index a471bff..438c41e 100644
--- a/crates/ezidam/templates/pages/oauth/authorize.html.tera
+++ b/crates/ezidam/templates/pages/oauth/authorize.html.tera
@@ -24,6 +24,19 @@
                         <p class="text-muted">With your {{ business_name }} account</p>
                     </div>
                     <form action="" method="post" autocomplete="off" novalidate class="mt-4">
+                        {% if user %}
+                        <div class="mb-4 text-center">
+                            <span class="avatar avatar-xl mb-3"
+                                  style="background-image: url(/avatar/{{ user.sub }}?size=250)"></span>
+                            <h3>
+                                {% if user.name %}
+                                {{ user.name }}
+                                {% else %}
+                                {{ user.username }}
+                                {% endif %}
+                            </h3>
+                        </div>
+                        {% else %}
                         <div class="mb-3">
                             <label class="form-label">Login</label>
                             <input name="login" type="text" class="form-control" placeholder="Email or username"
@@ -36,15 +49,20 @@
                                        autocomplete="off">
                             </div>
                         </div>
+                        {% endif %}
+
                         <div class="form-footer">
-                            <button type="submit" class="btn btn-primary w-100">Sign in</button>
+                            <button type="submit" class="btn btn-primary w-100">Authorize</button>
                         </div>
                     </form>
                 </div>
             </div>
+            {% if user %}
+            {% else %}
             <div class="text-center text-muted mt-3">
                 <a href="./sign-up.html" tabindex="-1">Reset password</a>
             </div>
+            {% endif %}
         </div>
         {% include "shell/footer" %}
     </div>