From bad54cece35451edeaa16f4a2b45685906cc560e Mon Sep 17 00:00:00 2001
From: Philippe Loctaux
Date: Sun, 19 Mar 2023 22:52:53 +0100
Subject: [PATCH] ezidam: redirect: dont generate jwt + refresh token if
already signed in
---
crates/ezidam/src/routes/oauth/redirect.rs | 105 +++++++++++----------
1 file changed, 54 insertions(+), 51 deletions(-)
diff --git a/crates/ezidam/src/routes/oauth/redirect.rs b/crates/ezidam/src/routes/oauth/redirect.rs
index 11cf68a..d435976 100644
--- a/crates/ezidam/src/routes/oauth/redirect.rs
+++ b/crates/ezidam/src/routes/oauth/redirect.rs
@@ -21,6 +21,7 @@ pub struct RedirectRequest<'r> {
#[get("/oauth/redirect?")]
pub async fn redirect_page(
mut db: Connection,
+ jwt_user: Option,
redirect_request: RedirectRequest<'_>,
ip_address: &ClientRealAddr,
cookie_jar: &CookieJar<'_>,
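Review bot: The added parameter is shown as `jwt_user: Option,` with no type argument, which does not compile as written; this most likely means the angle-bracketed guard type was lost when the patch was rendered, but the committed line should be confirmed to read `jwt_user: Option<...>` naming the request guard that resolves the current access token. A short comment above it would help later readers, e.g. `// Some when the request already carries a valid access token (presumably); lets the handler skip re-issuing cookies`. The signature of `redirect_page` continues past this hunk.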
@@ -75,65 +76,67 @@ pub async fn redirect_page(
.map(String::from)
.ok_or_else(|| Error::bad_request("Server url is not set"))?;
- // TODO: refactor for "code" route
+ if jwt_user.is_none() {
+ // TODO: refactor for "code" route
- // Generate refresh token
- let refresh_token = task::spawn_blocking(|| SecretString::new(64)).await?;
+ // Generate refresh token
+ let refresh_token = task::spawn_blocking(|| SecretString::new(64)).await?;
- // Refresh token duration in days
- let refresh_token_duration = 21;
+ // Refresh token duration in days
+ let refresh_token_duration = 21;
- // Insert refresh token in database
- RefreshToken::insert(
- &mut transaction,
- refresh_token.as_ref(),
- ip_address.get_ipv6_string().as_str(),
- user.id(),
- refresh_token_duration,
- )
- .await?;
+ // Insert refresh token in database
+ RefreshToken::insert(
+ &mut transaction,
+ refresh_token.as_ref(),
+ ip_address.get_ipv6_string().as_str(),
+ user.id(),
+ refresh_token_duration,
+ )
+ .await?;
- // Add refresh token as a cookie
- let mut cookie = Cookie::new("refresh_token", refresh_token.as_ref().to_string());
- cookie.set_secure(true);
- cookie.set_http_only(true);
- cookie.set_same_site(SameSite::Strict);
- cookie.set_max_age(Duration::days(refresh_token_duration));
- cookie_jar.add(cookie);
+ // Add refresh token as a cookie
+ let mut cookie = Cookie::new("refresh_token", refresh_token.as_ref().to_string());
+ cookie.set_secure(true);
+ cookie.set_http_only(true);
+ cookie.set_same_site(SameSite::Strict);
+ cookie.set_max_age(Duration::days(refresh_token_duration));
+ cookie_jar.add(cookie);
- // Get latest key from database
- let key = Key::get_most_recent(&mut transaction)
- .await?
- .ok_or_else(|| Error::internal_server_error("Failed to get key to sign JWT"))?;
+ // Get latest key from database
+ let key = Key::get_most_recent(&mut transaction)
+ .await?
+ .ok_or_else(|| Error::internal_server_error("Failed to get key to sign JWT"))?;
- // Make sure key has not been revoked
- if key.is_revoked() {
- return Err(Error::forbidden("Signing key has been revoked"));
+ // Make sure key has not been revoked
+ if key.is_revoked() {
+ return Err(Error::forbidden("Signing key has been revoked"));
+ }
+
+ // Import private key
+ let private_key =
+ task::spawn_blocking(move || PrivateKey::from_der(key.private_der(), key.key_id()))
+ .await??;
+
+ // TODO: get user roles
+ let roles = vec![];
+
+ // Access token duration in minutes
+ let access_token_duration = 15;
+
+ // Create jwt, sign and serialize
+ let jwt = JwtClaims::new(home_page.clone(), app.id().as_ref(), &user, roles)
+ .sign_serialize(&private_key, access_token_duration)?;
+
+ // Add jwt as a cookie
+ let mut cookie = Cookie::new("access_token", jwt);
+ cookie.set_secure(true);
+ cookie.set_http_only(true);
+ cookie.set_same_site(SameSite::Strict);
+ cookie.set_max_age(Duration::minutes(access_token_duration));
+ cookie_jar.add(cookie);
}
- // Import private key
- let private_key =
- task::spawn_blocking(move || PrivateKey::from_der(key.private_der(), key.key_id()))
- .await??;
-
- // TODO: get user roles
- let roles = vec![];
-
- // Access token duration in minutes
- let access_token_duration = 15;
-
- // Create jwt, sign and serialize
- let jwt = JwtClaims::new(home_page.clone(), app.id().as_ref(), &user, roles)
- .sign_serialize(&private_key, access_token_duration)?;
-
- // Add jwt as a cookie
- let mut cookie = Cookie::new("access_token", jwt);
- cookie.set_secure(true);
- cookie.set_http_only(true);
- cookie.set_same_site(SameSite::Strict);
- cookie.set_max_age(Duration::minutes(access_token_duration));
- cookie_jar.add(cookie);
-
transaction.commit().await?;
// HTTP Response
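Review bot: The new guard `if jwt_user.is_none() {` skips minting both the refresh token and the JWT whenever any valid access token is presented, without checking that the signed-in identity is the same `user` this redirect just resolved (the one passed as `user.id()` to `RefreshToken::insert` and as `&user` to `JwtClaims::new`), so a browser already holding one account's cookies that completes a flow for another account has the second flow committed while the first account's session cookies stay in place. Consider keying the skip on identity rather than mere presence, e.g. `let already_signed_in = jwt_user.as_ref().map_or(false, |u| u.id() == user.id());` followed by `if !already_signed_in {` (adjust to whatever accessor the guard actually exposes). The JWT is also built with `home_page.clone()` and `app.id()` as claims, so if those are validated downstream an existing token issued for a different app may not satisfy this redirect's caller either, and the same identity check could cover the app binding. The body of `redirect_page` begins before this hunk and its response handling continues after it.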