phil/ezidam
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

if access token expired, use refresh token, and get new access + refresh tokens

Browse source
This commit is contained in:
Philippe Loctaux 2023-03-19 20:03:30 +01:00
parent 9172155893
commit 8db0bbb874
12 changed files with 462 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

5
crates/database/queries/refresh_tokens/use_token.sql Normal file
View file

@ -0,0 +1,5 @@
update refresh_tokens
set used_at = CURRENT_TIMESTAMP
where token is ?

16
crates/database/queries/users/get_one_from_refresh_token.sql Normal file
View file

@ -0,0 +1,16 @@
select u.id,
u.created_at as "created_at: DateTime<Utc>",
u.updated_at as "updated_at: DateTime<Utc>",
u.is_admin as "is_admin: bool",
u.username,
u.name,
u.email,
u.password,
u.password_recover,
u.paper_key,
u.is_archived as "is_archived: bool"
from users u
inner join refresh_tokens rt on u.id = rt.user
where rt.token is ?

88
crates/database/sqlx-data.json
View file

@ -20,6 +20,94 @@
},
"query": "update settings\n\nset business_name = ?\n\nwhere id is 0\n"
},
"3c8e31ffa5cbfd4dded8a272777cb320fb51fd2e53ed25054d24e9801df0c358": {
"describe": {
"columns": [],
"nullable": [],
"parameters": {
"Right": 1
}
},
"query": "update refresh_tokens\n\nset used_at = CURRENT_TIMESTAMP\n\nwhere token is ?"
},
"4f83a1908a1980ce4bf65eadf24eed2af6c6225972ef7f9f4cf0c702264033a7": {
"describe": {
"columns": [
{
"name": "id",
"ordinal": 0,
"type_info": "Text"
},
{
"name": "created_at: DateTime<Utc>",
"ordinal": 1,
"type_info": "Text"
},
{
"name": "updated_at: DateTime<Utc>",
"ordinal": 2,
"type_info": "Text"
},
{
"name": "is_admin: bool",
"ordinal": 3,
"type_info": "Int64"
},
{
"name": "username",
"ordinal": 4,
"type_info": "Text"
},
{
"name": "name",
"ordinal": 5,
"type_info": "Text"
},
{
"name": "email",
"ordinal": 6,
"type_info": "Text"
},
{
"name": "password",
"ordinal": 7,
"type_info": "Text"
},
{
"name": "password_recover",
"ordinal": 8,
"type_info": "Text"
},
{
"name": "paper_key",
"ordinal": 9,
"type_info": "Text"
},
{
"name": "is_archived: bool",
"ordinal": 10,
"type_info": "Int64"
}
],
"nullable": [
false,
false,
false,
false,
false,
true,
true,
true,
true,
true,
false
],
"parameters": {
"Right": 1
}
},
"query": "select u.id,\n u.created_at as \"created_at: DateTime<Utc>\",\n u.updated_at as \"updated_at: DateTime<Utc>\",\n u.is_admin as \"is_admin: bool\",\n u.username,\n u.name,\n u.email,\n u.password,\n u.password_recover,\n u.paper_key,\n u.is_archived as \"is_archived: bool\"\nfrom users u\n\n inner join refresh_tokens rt on u.id = rt.user\n\nwhere rt.token is ?\n"
},
"520fe30e21f6b6c4d9a47c457675eebd144cf020e9230d154e9e4d0c8d6e01ca": {
"describe": {
"columns": [],

13
crates/database/src/tables/refresh_tokens.rs
View file

@ -71,4 +71,17 @@ impl RefreshTokens {
Ok((query.rows_affected() >= 1).then_some(()))
}
pub async fn use_token(
conn: impl SqliteExecutor<'_>,
token: &str,
) -> Result<Option<()>, Error> {
let query: SqliteQueryResult =
sqlx::query_file!("queries/refresh_tokens/use_token.sql", token)
.execute(conn)
.await
.map_err(handle_error)?;
Ok((query.rows_affected() == 1).then_some(()))
}
}

10
crates/database/src/tables/users.rs
View file

@ -85,4 +85,14 @@ impl Users {
.await
.map_err(handle_error)
}
pub async fn get_one_from_refresh_token(
conn: impl SqliteExecutor<'_>,
token: &str,
) -> Result<Option<Self>, Error> {
sqlx::query_file_as!(Self, "queries/users/get_one_from_refresh_token.sql", token)
.fetch_optional(conn)
.await
.map_err(handle_error)
}
}

298
crates/ezidam/src/guards/jwt.rs
View file

@ -9,6 +9,7 @@ use rocket::Request;
mod admin;
mod user;
use crate::guards::refresh_token::get_refresh_token_from_cookie;
pub use admin::JwtAdmin;
use id::KeyID;
pub use user::JwtUser;
@ -16,6 +17,26 @@ pub use user::JwtUser;
#[derive(Debug)]
pub enum Error {
GetDatabase,
GetIpAddress,
GetCookies,
StartTransaction,
GetRefreshToken(refresh_tokens::Error),
RefreshTokenNotFound,
UserNotFound,
GetUser(users::Error),
RevokeRefreshTokens(refresh_tokens::Error),
UsedRefreshToken,
RevokedRefreshToken,
ExpiredRefreshToken,
MarkRefreshTokenUsed(refresh_tokens::Error),
GetSettings(settings::Error),
ServerUrlNotSet,
SaveRefreshToken(refresh_tokens::Error),
GetKey(jwt::Error),
MostRecentKeyNotFound,
MostRecentKeyRevoked,
SignJwt(jwt::Error),
CommitTransaction,
Keys(jwt::Error),
JwtParsing(jwt::Error),
NoSigningKey,
@ -26,22 +47,18 @@ pub enum Error {
BlockingTask(String),
}
pub async fn get_jwt<T>(
pub(super) fn get_access_token_from_cookie(request: &Request) -> Option<String> {
request
.cookies()
.get("access_token")
.map(|cookie| cookie.value().to_string())
}
pub async fn validate_jwt<T>(
jwt: String,
request: &Request<'_>,
get_admin: Option<bool>,
) -> Result<Option<JwtClaims>, Outcome<T, Error>> {
// Get jwt
let jwt = match request
.cookies()
.get("access_token")
.map(|cookie| cookie.value())
{
Some(jwt) => jwt,
None => {
return Err(Outcome::Forward(()));
}
};
// Get database
let db = match request.guard::<&Database>().await {
Outcome::Success(database) => database,
@ -60,7 +77,6 @@ pub async fn get_jwt<T>(
}
};
let jwt = jwt.to_string();
match task::spawn_blocking(move || -> Result<Option<JwtClaims>, Error> {
// Parse jwt
let parsed_jwt = jwt::parse(&jwt).map_err(Error::JwtParsing)?;
@ -124,3 +140,257 @@ pub async fn get_jwt<T>(
}
}
}
pub async fn use_refresh_token(
refresh: String,
request: &Request<'_>,
get_admin: Option<bool>,
) -> Outcome<JwtClaims, Error> {
use hash::SecretString;
use refresh_tokens::RefreshToken;
use rocket::http::{Cookie, CookieJar, SameSite};
use rocket::time::Duration;
use rocket_client_addr::ClientRealAddr;
use settings::Settings;
use users::User;
// Get database
let db = match request.guard::<&Database>().await {
Outcome::Success(database) => database,
Outcome::Failure(e) => return Outcome::Failure((e.0, Error::GetDatabase)),
Outcome::Forward(f) => return Outcome::Forward(f),
};
// Get ip address
let ip_address = match request.guard::<&ClientRealAddr>().await {
Outcome::Success(ip_address) => ip_address,
Outcome::Failure(e) => return Outcome::Failure((e.0, Error::GetIpAddress)),
Outcome::Forward(f) => return Outcome::Forward(f),
};
// Get cookies
let cookie_jar = match request.guard::<&CookieJar>().await {
Outcome::Success(cookie_jar) => cookie_jar,
Outcome::Failure(e) => return Outcome::Failure((e.0, Error::GetCookies)),
Outcome::Forward(f) => return Outcome::Forward(f),
};
let mut transaction = match db.begin().await {
Ok(transaction) => transaction,
Err(_e) => {
return Outcome::Failure((Status::InternalServerError, Error::StartTransaction));
}
};
let refresh_token = match RefreshToken::get_one(&mut transaction, &refresh).await {
Ok(refresh_token) => match refresh_token {
Some(refresh_token) => refresh_token,
None => {
return Outcome::Failure((
Status::InternalServerError,
Error::RefreshTokenNotFound,
));
}
},
Err(e) => {
return Outcome::Failure((Status::InternalServerError, Error::GetRefreshToken(e)));
}
};
let user = match User::get_one_from_refresh_token(&mut transaction, &refresh).await {
Ok(user) => match user {
Some(user) => user,
None => {
return Outcome::Failure((Status::InternalServerError, Error::UserNotFound));
}
},
Err(e) => {
return Outcome::Failure((Status::InternalServerError, Error::GetUser(e)));
}
};
// make sure that `get_admin` is respected, dont generate token for unwanted users!
if let Some(get_admin) = get_admin {
if user.is_admin() != get_admin {
return Outcome::Forward(());
}
}
if refresh_token.has_been_used() {
// Revoke all tokens for user
if let Err(e) =
RefreshToken::revoke_all_for_user(&mut transaction, refresh_token.user()).await
{
return Outcome::Failure((Status::InternalServerError, Error::RevokeRefreshTokens(e)));
}
if let Err(_e) = transaction.commit().await {
return Outcome::Failure((Status::InternalServerError, Error::CommitTransaction));
}
return Outcome::Failure((Status::InternalServerError, Error::UsedRefreshToken));
}
if refresh_token.is_revoked() {
return Outcome::Failure((Status::InternalServerError, Error::RevokedRefreshToken));
}
if refresh_token.has_expired() {
return Outcome::Failure((Status::InternalServerError, Error::ExpiredRefreshToken));
}
if let Err(e) = refresh_token.use_token(&mut transaction).await {
return Outcome::Failure((Status::InternalServerError, Error::MarkRefreshTokenUsed(e)));
}
// Get base url
let settings = match Settings::get(&mut transaction).await {
Ok(settings) => settings,
Err(e) => {
return Outcome::Failure((Status::InternalServerError, Error::GetSettings(e)));
}
};
let home_page = match settings.url().map(String::from) {
Some(home_page) => home_page,
None => {
return Outcome::Failure((Status::InternalServerError, Error::ServerUrlNotSet));
}
};
// Generate refresh token
let new_refresh_token = match task::spawn_blocking(|| SecretString::new(64)).await {
Ok(new_refresh_token) => new_refresh_token,
Err(e) => {
return Outcome::Failure((
Status::InternalServerError,
Error::BlockingTask(e.to_string()),
));
}
};
// Refresh token duration in days
let refresh_token_duration = 21;
// Insert refresh token in database
if let Err(e) = RefreshToken::insert(
&mut transaction,
new_refresh_token.as_ref(),
ip_address.get_ipv6_string().as_str(),
user.id(),
refresh_token_duration,
)
.await
{
return Outcome::Failure((Status::InternalServerError, Error::SaveRefreshToken(e)));
}
// Add refresh token as a cookie
let mut cookie = Cookie::new("refresh_token", new_refresh_token.as_ref().to_string());
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
cookie.set_max_age(Duration::days(refresh_token_duration));
cookie_jar.add(cookie);
// Get latest key from database
let key = match Key::get_most_recent(&mut transaction).await {
Ok(key) => match key {
Some(key) => key,
None => {
return Outcome::Failure((
Status::InternalServerError,
Error::MostRecentKeyNotFound,
));
}
},
Err(e) => {
return Outcome::Failure((Status::InternalServerError, Error::GetKey(e)));
}
};
// Make sure key has not been revoked
if key.is_revoked() {
return Outcome::Failure((Status::InternalServerError, Error::MostRecentKeyRevoked));
}
// Import private key
let private_key =
match task::spawn_blocking(move || PrivateKey::from_der(key.private_der(), key.key_id()))
.await
{
Ok(private_key) => match private_key {
Ok(private_key) => private_key,
Err(e) => {
return Outcome::Failure((Status::InternalServerError, Error::ImportKey(e)));
}
},
Err(e) => {
return Outcome::Failure((
Status::InternalServerError,
Error::BlockingTask(e.to_string()),
));
}
};
// TODO: get user roles
let roles = vec![];
// Access token duration in minutes
let access_token_duration = 1;
// Create jwt, sign and serialize
let jwt_claims = JwtClaims::new(home_page.clone(), "ezidam", &user, roles);
let jwt = match jwt_claims
.clone()
.sign_serialize(&private_key, access_token_duration)
{
Ok(jwt) => jwt,
Err(e) => {
return Outcome::Failure((Status::InternalServerError, Error::SignJwt(e)));
}
};
// Add jwt as a cookie
let mut cookie = Cookie::new("access_token", jwt);
cookie.set_secure(true);
cookie.set_http_only(true);
cookie.set_same_site(SameSite::Strict);
cookie.set_max_age(Duration::minutes(access_token_duration));
cookie_jar.add(cookie);
if let Err(_e) = transaction.commit().await {
return Outcome::Failure((Status::InternalServerError, Error::CommitTransaction));
}
Outcome::Success(jwt_claims)
}
pub async fn use_access_token_or_refresh_token(
request: &Request<'_>,
get_admin: Option<bool>,
) -> Outcome<JwtClaims, Error> {
let access_token = get_access_token_from_cookie(request);
let refresh_token = get_refresh_token_from_cookie(request);
match (access_token, refresh_token) {
(Some(access), _) => {
// If there is an access token, attempt to validate it
match validate_jwt(access, request, get_admin).await {
Ok(jwt_claims) => match jwt_claims {
Some(jwt_claims) => Outcome::Success(jwt_claims),
None => Outcome::Forward(()),
},
Err(e) => e,
}
}
(None, Some(refresh)) => {
// Use refresh token to get new access token
use_refresh_token(refresh, request, get_admin).await
}
(None, None) => {
// Nothing to do
Outcome::Forward(())
}
}
}

16
crates/ezidam/src/guards/jwt/admin.rs
View file

@ -1,3 +1,5 @@
use super::use_access_token_or_refresh_token;
use super::Error;
use jwt::JwtClaims;
use rocket::request::{FromRequest, Outcome};
use rocket::Request;
@ -6,15 +8,13 @@ pub struct JwtAdmin(pub JwtClaims);
#[rocket::async_trait]
impl<'r> FromRequest<'r> for JwtAdmin {
type Error = super::Error;
type Error = Error;
async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
match super::get_jwt(request, Some(true)).await {
Ok(jwt_claims) => match jwt_claims {
Some(jwt_claims) => Outcome::Success(JwtAdmin(jwt_claims)),
None => Outcome::Forward(()),
},
Err(e) => return e,
}
let get_admin: Option<bool> = Some(true);
use_access_token_or_refresh_token(request, get_admin)
.await
.map(Self)
}
}

13
crates/ezidam/src/guards/jwt/user.rs
View file

@ -1,3 +1,4 @@
use super::use_access_token_or_refresh_token;
use jwt::JwtClaims;
use rocket::request::{FromRequest, Outcome};
use rocket::Request;
@ -9,12 +10,10 @@ impl<'r> FromRequest<'r> for JwtUser {
type Error = super::Error;
async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
match super::get_jwt(request, None).await {
Ok(jwt_claims) => match jwt_claims {
Some(jwt_claims) => Outcome::Success(JwtUser(jwt_claims)),
None => Outcome::Forward(()),
},
Err(e) => return e,
}
let get_admin: Option<bool> = None;
use_access_token_or_refresh_token(request, get_admin)
.await
.map(Self)
}
}

27
crates/ezidam/src/guards/refresh_token.rs
View file

@ -3,21 +3,28 @@ use rocket::Request;
pub struct RefreshToken(pub String);
pub fn get_refresh_token_from_cookie(request: &Request) -> Option<String> {
match request.cookies().get("refresh_token") {
Some(cookie) => {
let value = cookie.value();
if value.len() == 64 {
Some(value.to_string())
} else {
None
}
}
None => None,
}
}
#[rocket::async_trait]
impl<'r> FromRequest<'r> for RefreshToken {
type Error = std::convert::Infallible;
async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
match request.cookies().get("refresh_token") {
Some(cookie) => {
let value = cookie.value();
if value.len() == 64 {
Outcome::Success(Self(value.to_string()))
} else {
Outcome::Forward(())
}
}
match get_refresh_token_from_cookie(request) {
Some(refresh_token) => Outcome::Success(Self(refresh_token)),
None => Outcome::Forward(()),
}
}

4
crates/ezidam/src/routes/root.rs
View file

@ -12,7 +12,7 @@ pub fn routes() -> Vec<Route> {
homepage_user,
homepage_redirect,
redirect_to_setup,
logout
logout,
]
}
@ -57,7 +57,7 @@ async fn avatar(
size: Option<u32>,
) -> Result<FileFromBytes> {
// Verify existence of user
let _user = User::get_by_login(&mut *db, user_id.0.as_ref())
User::get_by_login(&mut *db, user_id.0.as_ref())
.await?
.ok_or_else(|| Error::not_found(user_id.0.to_string()))?;

4
crates/refresh_tokens/src/database.rs
View file

@ -61,4 +61,8 @@ impl RefreshToken {
) -> Result<Option<()>, Error> {
Ok(DatabaseRefreshTokens::revoke_all_for_user(conn, user.as_ref()).await?)
}
pub async fn use_token(&self, conn: impl SqliteExecutor<'_>) -> Result<Option<()>, Error> {
Ok(DatabaseRefreshTokens::use_token(conn, &self.token).await?)
}
}

9
crates/users/src/database.rs
View file

@ -96,4 +96,13 @@ impl User {
.await?
.map(Self::from))
}
pub async fn get_one_from_refresh_token(
conn: impl SqliteExecutor<'_>,
token: &str,
) -> Result<Option<Self>, Error> {
Ok(DatabaseUsers::get_one_from_refresh_token(conn, token)
.await?
.map(Self::from))
}
}