ezidam + refresh tokens: create and insert refresh token

2023-03-18 15:16:15 +01:00 · 2023-03-18 15:16:15 +01:00 · ef8d75ecee
commit ef8d75ecee
parent 609933d98f
14 changed files with 204 additions and 0 deletions
--- a/crates/database/migrations/20230318135414_refresh_tokens.down.sql
+++ b/crates/database/migrations/20230318135414_refresh_tokens.down.sql
@ -0,0 +1 @@
+drop table if exists refresh_tokens;
--- a/crates/database/migrations/20230318135414_refresh_tokens.up.sql
+++ b/crates/database/migrations/20230318135414_refresh_tokens.up.sql
@ -0,0 +1,13 @@
+create table if not exists refresh_tokens
+(
+    -- info
+    token      TEXT not null primary key,
+    ip_address TEXT not null,
+    user       TEXT not null references users (id),
+
+    -- timings
+    created_at TEXT not null default CURRENT_TIMESTAMP,
+    expires_at TEXT not null,
+    used_at    TEXT,
+    revoked_at TEXT
+);
--- a/crates/database/queries/refresh_tokens/insert.sql
+++ b/crates/database/queries/refresh_tokens/insert.sql
@ -0,0 +1,2 @@
+insert into refresh_tokens (token, ip_address, user, expires_at)
+values (?, ?, ?, datetime(?, 'unixepoch'))
--- a/crates/database/sqlx-data.json
+++ b/crates/database/sqlx-data.json
@ -322,6 +322,16 @@
    },
    "query": "insert into authorization_codes (code, app, user, expires_at)\nvalues (?, ?, ?, datetime(?, 'unixepoch'))\n"
  },
+  "aa88eb27d38ba4cfb539e4b4d7a86770c24221109e8fcc188a7d38f41e674817": {
+    "describe": {
+      "columns": [],
+      "nullable": [],
+      "parameters": {
+        "Right": 4
+      }
+    },
+    "query": "insert into refresh_tokens (token, ip_address, user, expires_at)\nvalues (?, ?, ?, datetime(?, 'unixepoch'))\n"
+  },
  "aae93a39c5a9f46235b5ef871b45ba76d7efa1677bfe8291a62b8cbf9cd9e0d5": {
    "describe": {
      "columns": [],
--- a/crates/database/src/tables.rs
+++ b/crates/database/src/tables.rs
@ -1,11 +1,13 @@
 mod apps;
 mod authorization_codes;
 mod keys;
+mod refresh_tokens;
 mod settings;
 mod users;

 pub use apps::Apps;
 pub use authorization_codes::AuthorizationCodes;
 pub use keys::Keys;
+pub use refresh_tokens::RefreshTokens;
 pub use settings::Settings;
 pub use users::Users;
--- a/crates/database/src/tables/refresh_tokens.rs
+++ b/crates/database/src/tables/refresh_tokens.rs
@ -0,0 +1,41 @@
+use crate::error::{handle_error, Error};
+use sqlx::sqlite::SqliteQueryResult;
+use sqlx::types::chrono::{DateTime, Utc};
+use sqlx::{FromRow, SqliteExecutor};
+
+#[derive(FromRow)]
+pub struct RefreshTokens {
+    // Info
+    pub token: String,
+    pub ip_address: String,
+    pub user: String,
+
+    // Timings
+    pub created_at: DateTime<Utc>,
+    pub expires_at: DateTime<Utc>,
+    pub used_at: Option<DateTime<Utc>>,
+    pub revoked_at: Option<DateTime<Utc>>,
+}
+
+impl RefreshTokens {
+    pub async fn insert(
+        conn: impl SqliteExecutor<'_>,
+        token: &str,
+        ip_address: &str,
+        user: &str,
+        expires_at: i64,
+    ) -> Result<Option<()>, Error> {
+        let query: SqliteQueryResult = sqlx::query_file!(
+            "queries/refresh_tokens/insert.sql",
+            token,
+            ip_address,
+            user,
+            expires_at
+        )
+        .execute(conn)
+        .await
+        .map_err(handle_error)?;
+
+        Ok((query.rows_affected() == 1).then_some(()))
+    }
+}
--- a/crates/ezidam/Cargo.toml
+++ b/crates/ezidam/Cargo.toml
@ -12,6 +12,7 @@ erased-serde = "0.3"
 url = { workspace = true }
 identicon-rs = "4.0.1"
 futures = "0.3.26"
+rocket-client-addr = "0.5.2"

 # local crates
 database_pool = { path = "../database_pool" }
@ -23,3 +24,4 @@ openid = { path = "../openid" }
 jwt = { path = "../jwt" }
 apps = { path = "../apps" }
 authorization_codes = { path = "../authorization_codes" }
+refresh_tokens = { path = "../refresh_tokens" }
--- a/crates/ezidam/src/error/conversion.rs
+++ b/crates/ezidam/src/error/conversion.rs
@ -74,3 +74,9 @@ impl From<authorization_codes::Error> for Error {
        Error::internal_server_error(e)
    }
 }
+
+impl From<refresh_tokens::Error> for Error {
+    fn from(e: refresh_tokens::Error) -> Self {
+        Error::internal_server_error(e)
+    }
+}
--- a/crates/ezidam/src/routes/oauth/redirect.rs
+++ b/crates/ezidam/src/routes/oauth/redirect.rs
@ -1,6 +1,9 @@
 use crate::routes::prelude::*;
 use authorization_codes::AuthorizationCode;
+use hash::SecretString;
+use refresh_tokens::RefreshToken;
 use rocket::{get, UriDisplayQuery};
+use rocket_client_addr::ClientRealAddr;
 use settings::Settings;
 use users::User;

@ -14,6 +17,7 @@ pub struct RedirectRequest<'r> {
 pub async fn redirect_page(
    mut db: Connection<Database>,
    redirect_request: RedirectRequest<'_>,
+    ip_address: &ClientRealAddr,
 ) -> Result<Page> {
    let mut transaction = db.begin().await?;

@ -55,6 +59,24 @@ pub async fn redirect_page(
        .map(String::from)
        .ok_or_else(|| Error::bad_request("Server url is not set"))?;

+    // TODO: refactor for "code" route
+
+    // Generate refresh token
+    let refresh_token = task::spawn_blocking(|| SecretString::new(64)).await?;
+
+    // Insert refresh token in database
+    RefreshToken::insert(
+        &mut transaction,
+        refresh_token.as_ref(),
+        ip_address.get_ipv6_string().as_str(),
+        user.id(),
+    )
+    .await?;
+
+    // TODO: generate access token
+
+    // TODO: store tokens in secure, http only cookies
+
    transaction.commit().await?;

    // HTTP Response
--- a/crates/refresh_tokens/Cargo.toml
+++ b/crates/refresh_tokens/Cargo.toml
@ -0,0 +1,12 @@
+[package]
+name = "refresh_tokens"
+version = "0.0.0"
+edition = "2021"
+
+[dependencies]
+thiserror = { workspace = true }
+chrono = { workspace = true }
+
+# local crates
+database = { path = "../database" }
+id = { path = "../id" }
--- a/crates/refresh_tokens/src/database.rs
+++ b/crates/refresh_tokens/src/database.rs
@ -0,0 +1,43 @@
+use crate::error::Error;
+use crate::RefreshToken;
+use chrono::{Duration, Utc};
+use database::sqlx::SqliteExecutor;
+use database::RefreshTokens as DatabaseRefreshTokens;
+use id::UserID;
+
+impl From<DatabaseRefreshTokens> for RefreshToken {
+    fn from(db: DatabaseRefreshTokens) -> Self {
+        Self {
+            // Info
+            token: db.token,
+            ip_address: db.ip_address,
+            user: UserID(db.user),
+
+            // Timings
+            created_at: db.created_at,
+            expires_at: db.expires_at,
+            used_at: db.used_at,
+            revoked_at: db.revoked_at,
+        }
+    }
+}
+
+impl RefreshToken {
+    pub async fn insert(
+        conn: impl SqliteExecutor<'_>,
+        token: &str,
+        ip_address: &str,
+        user: &UserID,
+    ) -> Result<Option<()>, Error> {
+        let expires_at = Utc::now() + Duration::days(21);
+
+        Ok(DatabaseRefreshTokens::insert(
+            conn,
+            token,
+            ip_address,
+            user.as_ref(),
+            expires_at.timestamp(),
+        )
+        .await?)
+    }
+}
--- a/crates/refresh_tokens/src/error.rs
+++ b/crates/refresh_tokens/src/error.rs
@ -0,0 +1,8 @@
+// error
+#[derive(thiserror::Error)]
+// the rest
+#[derive(Debug)]
+pub enum Error {
+    #[error("Database: {0}")]
+    Database(#[from] database::Error),
+}
--- a/crates/refresh_tokens/src/lib.rs
+++ b/crates/refresh_tokens/src/lib.rs
@ -0,0 +1,21 @@
+mod database;
+mod error;
+
+use chrono::{DateTime, Utc};
+use id::UserID;
+
+pub use crate::error::Error;
+
+#[derive(Debug)]
+pub struct RefreshToken {
+    // Info
+    token: String,
+    ip_address: String,
+    user: UserID,
+
+    // Timings
+    created_at: DateTime<Utc>,
+    expires_at: DateTime<Utc>,
+    used_at: Option<DateTime<Utc>>,
+    revoked_at: Option<DateTime<Utc>>,
+}