Add support for one-time authentication links.

Cargo.lock

@@ -1536,9 +1536,9 @@ checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
 
 [[package]]
 name = "microrm"
-version = "0.4.1"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "54994d17404c1d372b867d24a60f455dc1cfd9a80cb938016ddc9a96365f64c9"
+checksum = "db4126053877d00d90eb5bf850ac87b72094d9eff4a5d76dcecbd1c7ea161814"
 dependencies = [
  "clap",
  "itertools",

Cargo.toml

@@ -29,7 +29,7 @@ bincode = "1.3"
 toml = "0.8.2"
 
 # Data storage dependencies
-microrm = { version = "0.4.1", features = ["clap", "bundled_sqlite"] }
+microrm = { version = "0.4.2", features = ["clap", "bundled_sqlite"] }
 serde_bytes = { version = "0.11.6" }
 
 # Public API/server dependencies

src/cli.rs

@@ -78,10 +78,10 @@ enum Command {
     },
 }
 
-struct RunArgs {
-    config: Config,
-    db: UIDCDatabase,
-    realm: Stored<schema::Realm>,
+pub struct RunArgs {
+    pub config: Config,
+    pub db: UIDCDatabase,
+    pub realm: Stored<schema::Realm>,
 }
 
 impl RootArgs {
@@ -116,7 +116,7 @@ impl RootArgs {
             Command::Serve(v) => v.run(ra).await,
             Command::Token { cmd } => cmd.run(ra).await,
             Command::Role { cmd } => cmd.perform(&ra.realm, &ra.realm.roles),
-            Command::User { cmd } => cmd.perform(&ra.realm, &ra.realm.users),
+            Command::User { cmd } => cmd.perform(&ra, &ra.realm.users),
         }
     }
 

src/cli/user.rs

@@ -1,5 +1,6 @@
 use crate::{schema, user::UserExt, UIDCError};
 use microrm::{cli::CLIError, prelude::*, schema::entity::EntityID};
+use ring::rand::SecureRandom;
 
 #[derive(Debug)]
 pub struct UserInterface;
@@ -20,12 +21,19 @@ pub enum UserCommands {
         username: String,
         provider: schema::ExternalAuthProvider,
     },
+    OnetimeLink {
+        username: String,
+        #[clap(long)]
+        endpoint: Option<String>,
+        #[clap(long)]
+        expiry: Option<String>,
+    },
 }
 
 impl microrm::cli::EntityInterface for UserInterface {
     type Error = UIDCError;
     type Entity = schema::User;
-    type Context = microrm::schema::Stored<schema::Realm>;
+    type Context = super::RunArgs; // microrm::schema::Stored<schema::Realm>;
     type CustomCommand = UserCommands;
 
     fn run_custom(
@@ -36,7 +44,7 @@ impl microrm::cli::EntityInterface for UserInterface {
         match cmd {
             UserCommands::Create { username } => {
                 query_ctx.insert(schema::User {
-                    realm: ctx.id(),
+                    realm: ctx.realm.id(),
                     username,
                     pending_external_auths: Default::default(),
                     auth: Default::default(),
@@ -96,6 +104,53 @@ impl microrm::cli::EntityInterface for UserInterface {
                 user.pending_external_auths.as_mut().dedup();
                 user.sync().expect("couldn't sync user model");
             }
+            UserCommands::OnetimeLink {
+                username,
+                endpoint,
+                expiry,
+            } => {
+                let user = query_ctx
+                    .with(schema::User::Username, &username)
+                    .first()
+                    .get_ids()?
+                    .ok_or(Self::Error::no_such_entity("user", username))?;
+
+                let rng = ring::rand::SystemRandom::new();
+                let mut code = [0u8; 16];
+                rng.fill(&mut code)
+                    .map_err(|_| UIDCError::Abort("couldn't generate random values"))?;
+
+                let code = base64::encode_config(code, base64::URL_SAFE_NO_PAD);
+
+                let expiry = time::OffsetDateTime::now_utc()
+                    .checked_add(time::Duration::days(7))
+                    .unwrap();
+
+                ctx.realm
+                    .single_use_auth
+                    .insert(schema::SingleUseAuth {
+                        code: code.clone(),
+                        user,
+                        expiry,
+                    })
+                    .expect("couldn't insert single-use authentication code?");
+
+                let target = tide::http::Url::parse_with_params(
+                    format!(
+                        "{base}/{realm}/v1/session/onetime",
+                        base = ctx.config.base_url,
+                        realm = ctx.realm.shortname
+                    )
+                    .as_str(),
+                    &[
+                        ("code", code.as_str()),
+                        ("redirect", endpoint.as_deref().unwrap_or("")),
+                    ],
+                )
+                .expect("couldn't generate URL");
+
+                println!("target URL: {target}");
+            }
         }
 
         Ok(())
@@ -116,7 +171,7 @@ impl microrm::cli::EntityInterface for UserInterface {
         _role: microrm::cli::ValueRole,
     ) -> String {
         if field == "realm" {
-            format!("{}", ctx.id().into_raw())
+            format!("{}", ctx.realm.id().into_raw())
         } else {
             unreachable!()
         }

src/ext.rs

@@ -19,6 +19,10 @@ pub trait ExternalAuthenticator {
     fn generate_registration_url(&self, realm: &str, redirect: &str) -> String;
     fn extract_login_state(&self, req: UIDCRequest) -> impl Future<Output = tide::Response>;
 
+    fn handle_registration(&self, req: UIDCRequest) -> tide::Response {
+        todo!()
+    }
+
     fn handle_matching_login(
         &self,
         req: UIDCRequest,

src/ext/github.rs

@@ -194,18 +194,10 @@ impl super::ExternalAuthenticator for GithubAuthenticator {
 
             match (query.mode, external_auth_map) {
                 (CallbackRequestType::Login, Some(map)) => {
-                    return self.handle_matching_login(
-                        req,
-                        map.internal_user_id,
-                        query.redirect.as_str(),
-                    );
-                }
-                (CallbackRequestType::Login, None) => {
-                    return self.handle_no_mapping(req, query.redirect);
-                }
-                (CallbackRequestType::Register, _) => {
-                    todo!()
+                    self.handle_matching_login(req, map.internal_user_id, query.redirect.as_str())
                 }
+                (CallbackRequestType::Login, None) => self.handle_no_mapping(req, query.redirect),
+                (CallbackRequestType::Register, _) => self.handle_registration(req),
             }
         }
     }

src/schema.rs

@@ -18,7 +18,6 @@ pub struct Session {
 
 #[derive(Entity)]
 pub struct SessionAuth {
-    #[key]
     pub realm: RealmID,
 
     pub user: Option<UserID>,
@@ -49,6 +48,14 @@ pub struct AuthChallenge {
     pub enabled: bool,
 }
 
+#[derive(Entity)]
+pub struct SingleUseAuth {
+    #[key]
+    pub code: String,
+    pub user: UserID,
+    pub expiry: time::OffsetDateTime,
+}
+
 // ----------------------------------------------------------------------
 // OIDC types
 // ----------------------------------------------------------------------
@@ -213,6 +220,7 @@ pub struct Realm {
     pub auth_codes: microrm::RelationMap<AuthCode>,
 
     pub external_auth: microrm::RelationMap<ExternalAuthMap>,
+    pub single_use_auth: microrm::RelationMap<SingleUseAuth>,
 }
 
 #[derive(Clone, Database)]

src/server/session.rs

@@ -194,6 +194,76 @@ impl<'l> SessionHelper<'l> {
     }
 }
 
+async fn v1_onetime(req: Request) -> tide::Result<tide::Response> {
+    let mut response = tide::Response::builder(200).build();
+
+    let shelper = SessionHelper::new(&req);
+
+    let realm = shelper.get_realm()?;
+    let (session, cookie) = shelper.get_or_build_session(&req)?;
+    if let Some(c) = cookie {
+        response.insert_cookie(c)
+    }
+
+    #[derive(serde::Deserialize)]
+    struct OnetimeQuery {
+        code: String,
+        redirect: String,
+    }
+    let Ok(otq): Result<OnetimeQuery, _> = req.query() else {
+        response.set_status(400);
+        response.set_body("invalid query string for onetime endpoint");
+        return Ok(response);
+    };
+
+    println!("looking for single_use_auth with code {}", otq.code);
+
+    let Some(authinfo) = realm.single_use_auth.keyed(otq.code).first().remove()? else {
+        return Ok(shelper.render_login_from_auth(
+            response,
+            otq.redirect,
+            None,
+            Some(format!(
+                "Single-use authentication code does not exist or has already been used!"
+            )),
+        ));
+    };
+
+    if authinfo.expiry < time::OffsetDateTime::now_utc() {
+        return Ok(shelper.render_login_from_auth(
+            response,
+            otq.redirect,
+            None,
+            Some(format!(
+                "Single-use authentication code expired at {}",
+                authinfo.expiry
+            )),
+        ));
+    }
+
+    match shelper.get_auth_for_session(realm.id(), &session) {
+        Some(mut sauth) => {
+            sauth.user = Some(authinfo.user);
+            sauth.pending_user = None;
+            sauth.pending_challenges = vec![].into_serialized();
+            sauth.sync()?;
+        }
+        None => {
+            session.auth.insert(schema::SessionAuth {
+                realm: realm.id(),
+                user: Some(authinfo.user),
+                pending_user: None,
+                pending_challenges: vec![].into_serialized(),
+            })?;
+        }
+    }
+
+    response.insert_header("Location", otq.redirect);
+    response.set_status(tide::http::StatusCode::Found);
+
+    Ok(response)
+}
+
 async fn v1_login(req: Request) -> tide::Result<tide::Response> {
     log::info!("in v1_login");
     let mut response = tide::Response::builder(200).build();
@@ -377,6 +447,7 @@ async fn v1_logout(req: Request) -> tide::Result<tide::Response> {
 }
 
 pub(super) fn session_v1_server(mut route: tide::Route<super::ServerStateWrapper>) {
+    route.at("onetime").get(v1_onetime);
     route.at("login").get(v1_login).post(v1_login_post);
     route.at("logout").get(v1_logout);
 }