ezidam: redirect: dont generate jwt + refresh token if already signed in
This commit is contained in:
parent
1dec56ed14
commit
bad54cece3
1 changed files with 54 additions and 51 deletions
@ -21,6 +21,7 @@ pub struct RedirectRequest<'r> {
|
||||||
#[get("/oauth/redirect?<redirect_request..>")]
|
#[get("/oauth/redirect?<redirect_request..>")]
|
||||||
pub async fn redirect_page(
|
pub async fn redirect_page(
|
||||||
mut db: Connection<Database>,
|
mut db: Connection<Database>,
|
||||||
|
jwt_user: Option<JwtUser>,
|
||||||
redirect_request: RedirectRequest<'_>,
|
redirect_request: RedirectRequest<'_>,
|
||||||
ip_address: &ClientRealAddr,
|
ip_address: &ClientRealAddr,
|
||||||
cookie_jar: &CookieJar<'_>,
|
cookie_jar: &CookieJar<'_>,
|
||||||
|
|
@ -75,65 +76,67 @@ pub async fn redirect_page(
|
||||||
.map(String::from)
|
.map(String::from)
|
||||||
.ok_or_else(|| Error::bad_request("Server url is not set"))?;
|
.ok_or_else(|| Error::bad_request("Server url is not set"))?;
|
||||||
|
|
||||||
// TODO: refactor for "code" route
|
if jwt_user.is_none() {
|
||||||
|
// TODO: refactor for "code" route
|
||||||
|
|
||||||
// Generate refresh token
|
// Generate refresh token
|
||||||
let refresh_token = task::spawn_blocking(|| SecretString::new(64)).await?;
|
let refresh_token = task::spawn_blocking(|| SecretString::new(64)).await?;
|
||||||
|
|
||||||
// Refresh token duration in days
|
// Refresh token duration in days
|
||||||
let refresh_token_duration = 21;
|
let refresh_token_duration = 21;
|
||||||
|
|
||||||
// Insert refresh token in database
|
// Insert refresh token in database
|
||||||
RefreshToken::insert(
|
RefreshToken::insert(
|
||||||
&mut transaction,
|
&mut transaction,
|
||||||
refresh_token.as_ref(),
|
refresh_token.as_ref(),
|
||||||
ip_address.get_ipv6_string().as_str(),
|
ip_address.get_ipv6_string().as_str(),
|
||||||
user.id(),
|
user.id(),
|
||||||
refresh_token_duration,
|
refresh_token_duration,
|
||||||
)
|
)
|
||||||
.await?;
|
.await?;
|
||||||
|
|
||||||
// Add refresh token as a cookie
|
// Add refresh token as a cookie
|
||||||
let mut cookie = Cookie::new("refresh_token", refresh_token.as_ref().to_string());
|
let mut cookie = Cookie::new("refresh_token", refresh_token.as_ref().to_string());
|
||||||
cookie.set_secure(true);
|
cookie.set_secure(true);
|
||||||
cookie.set_http_only(true);
|
cookie.set_http_only(true);
|
||||||
cookie.set_same_site(SameSite::Strict);
|
cookie.set_same_site(SameSite::Strict);
|
||||||
cookie.set_max_age(Duration::days(refresh_token_duration));
|
cookie.set_max_age(Duration::days(refresh_token_duration));
|
||||||
cookie_jar.add(cookie);
|
cookie_jar.add(cookie);
|
||||||
|
|
||||||
// Get latest key from database
|
// Get latest key from database
|
||||||
let key = Key::get_most_recent(&mut transaction)
|
let key = Key::get_most_recent(&mut transaction)
|
||||||
.await?
|
.await?
|
||||||
.ok_or_else(|| Error::internal_server_error("Failed to get key to sign JWT"))?;
|
.ok_or_else(|| Error::internal_server_error("Failed to get key to sign JWT"))?;
|
||||||
|
|
||||||
// Make sure key has not been revoked
|
// Make sure key has not been revoked
|
||||||
if key.is_revoked() {
|
if key.is_revoked() {
|
||||||
return Err(Error::forbidden("Signing key has been revoked"));
|
return Err(Error::forbidden("Signing key has been revoked"));
|
||||||
|
}
|
||||||
|
|
||||||
|
// Import private key
|
||||||
|
let private_key =
|
||||||
|
task::spawn_blocking(move || PrivateKey::from_der(key.private_der(), key.key_id()))
|
||||||
|
.await??;
|
||||||
|
|
||||||
|
// TODO: get user roles
|
||||||
|
let roles = vec![];
|
||||||
|
|
||||||
|
// Access token duration in minutes
|
||||||
|
let access_token_duration = 15;
|
||||||
|
|
||||||
|
// Create jwt, sign and serialize
|
||||||
|
let jwt = JwtClaims::new(home_page.clone(), app.id().as_ref(), &user, roles)
|
||||||
|
.sign_serialize(&private_key, access_token_duration)?;
|
||||||
|
|
||||||
|
// Add jwt as a cookie
|
||||||
|
let mut cookie = Cookie::new("access_token", jwt);
|
||||||
|
cookie.set_secure(true);
|
||||||
|
cookie.set_http_only(true);
|
||||||
|
cookie.set_same_site(SameSite::Strict);
|
||||||
|
cookie.set_max_age(Duration::minutes(access_token_duration));
|
||||||
|
cookie_jar.add(cookie);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Import private key
|
|
||||||
let private_key =
|
|
||||||
task::spawn_blocking(move || PrivateKey::from_der(key.private_der(), key.key_id()))
|
|
||||||
.await??;
|
|
||||||
|
|
||||||
// TODO: get user roles
|
|
||||||
let roles = vec![];
|
|
||||||
|
|
||||||
// Access token duration in minutes
|
|
||||||
let access_token_duration = 15;
|
|
||||||
|
|
||||||
// Create jwt, sign and serialize
|
|
||||||
let jwt = JwtClaims::new(home_page.clone(), app.id().as_ref(), &user, roles)
|
|
||||||
.sign_serialize(&private_key, access_token_duration)?;
|
|
||||||
|
|
||||||
// Add jwt as a cookie
|
|
||||||
let mut cookie = Cookie::new("access_token", jwt);
|
|
||||||
cookie.set_secure(true);
|
|
||||||
cookie.set_http_only(true);
|
|
||||||
cookie.set_same_site(SameSite::Strict);
|
|
||||||
cookie.set_max_age(Duration::minutes(access_token_duration));
|
|
||||||
cookie_jar.add(cookie);
|
|
||||||
|
|
||||||
transaction.commit().await?;
|
transaction.commit().await?;
|
||||||
|
|
||||||
// HTTP Response
|
// HTTP Response
|
||||||
|
|
|
||||||
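Review bot: The new guard at `if jwt_user.is_none() {` skips issuing both cookies whenever any valid JWT is presented, but nothing in the hunk checks that the identity carried by `jwt_user` is the same `user` the OAuth redirect just authenticated; if those can differ, the browser keeps the earlier session's `access_token` and `refresh_token` cookies while the redirect completes for another account. Consider skipping only when the subject in `jwt_user` matches `user.id()` and otherwise falling through to the token-issuing branch, and document that decision on the guard, e.g. `// Only reuse the existing session when the presented JWT belongs to this user`. On the skip path the `refresh_token` cookie is also never renewed, so a still-valid access token paired with an expired or absent refresh cookie would leave the session unable to renew once the 15-minute access token lapses — worth confirming against the refresh flow, which is outside this hunk. `redirect_page` begins in the first hunk and its remaining body, including the HTTP response, lies outside this hunk.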