Simplify login flow slightly and add reset button.

src/cli.rs

@@ -4,10 +4,12 @@ use crate::{schema,cert,user_management,server};
 #[derive(Debug, Parser)]
 #[clap(author, version, about, long_about = None)]
 struct RootArgs {
-    #[clap(default_value_t = String::from("vogt.db"))]
+    #[clap(short, long, default_value_t = String::from("uauth.db"))]
+    /// Database path
     db: String,
 
     #[clap(short, long, default_value_t = String::from("primary"))]
+    /// Which realm to use, for non-server only
     realm: String,
 
     #[clap(subcommand)]

src/schema.rs

@@ -1,7 +1,7 @@
 pub use microrm::{Schema, Entity, Modelable};
 use serde::{Deserialize, Serialize};
 
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Session {
     pub key: String,
     // TODO: add expiry here
@@ -9,7 +9,7 @@ pub struct Session {
 
 microrm::make_index!(!SessionKeyIndex, Session::Key);
 
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct SessionAuthentication {
     #[microrm_foreign]
     pub session: SessionID,
@@ -22,12 +22,12 @@ pub struct SessionAuthentication {
 }
 
 // **** oauth types ****
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Realm {
     pub shortname: String,
 }
 
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Key {
     #[microrm_foreign]
     pub realm: RealmID,
@@ -37,7 +37,7 @@ pub struct Key {
 }
 
 /// End-user representation object
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct User {
     #[microrm_foreign]
     pub realm: RealmID,
@@ -53,7 +53,7 @@ pub enum AuthChallengeType {
     WebAuthn,
 }
 
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct AuthChallenge {
     #[microrm_foreign]
     pub user: UserID,
@@ -65,7 +65,7 @@ pub struct AuthChallenge {
 }
 
 /// User semantic grouping
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Group {
     #[microrm_foreign]
     pub realm: RealmID,
@@ -73,14 +73,14 @@ pub struct Group {
 }
 
 /// User membership in group
-#[derive(Entity,Serialize,Deserialize)]
+#[derive(Debug, Entity,Serialize,Deserialize)]
 pub struct GroupMembership {
     pub group: GroupID,
     pub user: UserID,
 }
 
 /// OAuth2 client representation
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Client {
     #[microrm_foreign]
     pub realm: RealmID,
@@ -94,7 +94,7 @@ microrm::make_index!(
     Client::Shortname
 );
 
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct ClientRedirect {
     #[microrm_foreign]
     pub client: ClientID,
@@ -102,7 +102,7 @@ pub struct ClientRedirect {
 }
 
 /// Requested group of permissions
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Scope {
     #[microrm_foreign]
     pub realm: RealmID,
@@ -110,7 +110,7 @@ pub struct Scope {
 }
 
 /// Specific atomic permission
-#[derive(Entity, Serialize, Deserialize)]
+#[derive(Debug, Entity, Serialize, Deserialize)]
 pub struct Role {
     #[microrm_foreign]
     pub realm: RealmID,
@@ -118,20 +118,20 @@ pub struct Role {
 }
 
 /// Role membership in scope
-#[derive(Entity,Serialize,Deserialize)]
+#[derive(Debug, Entity,Serialize,Deserialize)]
 pub struct ScopeRole {
     pub scope: ScopeID,
     pub role: RoleID,
 }
 
 /// Assigned permissions in group
-#[derive(Entity,Serialize,Deserialize)]
+#[derive(Debug, Entity,Serialize,Deserialize)]
 pub struct GroupRole {
     pub scope: ScopeID,
     pub role: RoleID,
 }
 
-#[derive(Entity,Serialize,Deserialize)]
+#[derive(Debug, Entity,Serialize,Deserialize)]
 pub struct RevokedToken {
     pub user: UserID,
     pub nonce: String,

src/server.rs

@@ -6,7 +6,7 @@ mod oidc;
 
 pub struct ServerCoreState {
     pool: microrm::DBPool<'static>,
-    templates: std::sync::RwLock<handlebars::Handlebars<'static>>,
+    templates: handlebars::Handlebars<'static>,
 }
 
 #[derive(Clone)]
@@ -31,31 +31,32 @@ pub async fn run_server(db: microrm::DB, port: u16) {
     let db: &'static mut microrm::DB = Box::leak(db_box);
     let pool = microrm::DBPool::new(db);
 
-    let core_state = Box::leak(Box::new(ServerCoreState { pool, templates: std::sync::RwLock::new(handlebars::Handlebars::new()) }));
-    let state = ServerState { core: core_state };
+    let core_state = Box::leak(Box::new(ServerCoreState { pool, templates: handlebars::Handlebars::new() }));
 
     // XXX: for development only
-    core_state.templates.write().unwrap().set_dev_mode(true);
+    // core_state.templates.write().unwrap().set_dev_mode(true);
+
+    core_state.templates.register_templates_directory(".tmpl", "tmpl/").expect("Couldn't open templates directory?");
+    println!("registered templates:");
+    for tmpl in core_state.templates.get_templates() {
+        println!("- {}", tmpl.0);
+    }
 
-    core_state.templates.write().unwrap().register_templates_directory("tmpl", "tmpl").expect("Couldn't open templates directory?");
+    core_state.templates.render("id_v1_login", &()).unwrap();
+
+    let state = ServerState { core: core_state };
 
     let mut app = tide::with_state(state);
 
     app.with(tide::log::LogMiddleware::new());
 
-    /*app.at("/:realm/login").get(login); // serve_file("srv/login.html").expect("Can't serve login.html");
-    app.at("/:realm/do_login").post(do_login);
-    app.at("/:realm/logout")
-        .serve_file("srv/logout.html")
-        .expect("Can't serve logout.html");*/
-
     app.at("/static")
         .serve_dir("static/")
         .expect("Can't serve static files");
 
     app.at("/:realm/v1/session/")
         .nest(session::session_v1_server(core_state));
-    app.at("/:realm/v1/oidc")
+    app.at("/:realm/v1/oidc/")
         .nest(oidc::oidc_v1_server(core_state));
 
     app.listen(("127.0.0.1", port)).await.expect("Can listen");

src/server/session.rs

@@ -1,4 +1,4 @@
-use crate::schema;
+use crate::{schema,user};
 use serde::Deserialize;
 use tide::http::Cookie;
 use microrm::prelude::*;
@@ -82,6 +82,8 @@ impl ServerState {
 
 impl ServerState {
     fn render_login_from_auth(&self, mut response: tide::Response, auth: Option<schema::SessionAuthentication>, error_msg: Option<String>) -> tide::Response {
+        log::info!("rendering login response... auth is {:?}", auth);
+
         let to_present: Option<schema::AuthChallengeType> = match auth {
             None => Some(schema::AuthChallengeType::Username),
             Some(auth) => auth.challenges_left.first().copied()
@@ -97,7 +99,7 @@ impl ServerState {
     }
 
     fn render_login_page(&self, mut response: tide::Response, to_present: schema::AuthChallengeType, error_msg: Option<String>) -> tide::Response {
-        let tmpl = self.core.templates.read().unwrap();
+        let tmpl = &self.core.templates;
 
         let do_challenge = |ty,ch| {
             tmpl.render("id_v1_login", &serde_json::json!(
@@ -144,7 +146,7 @@ async fn v1_login(req: tide::Request<ServerState>) -> tide::Result<tide::Respons
     Ok(req.state().render_login_from_auth(response, auth.map(|a| a.wrapped()), None))
 }
 
-async fn v1_login_response(mut req: tide::Request<ServerState>) -> tide::Result<tide::Response> {
+async fn v1_login_post(mut req: tide::Request<ServerState>) -> tide::Result<tide::Response> {
     let mut response = tide::Response::builder(200).build();
 
     let realm = req.state().get_realm(&req).ok_or(tide::Error::from_str(404, "No such realm"))?;
@@ -156,11 +158,21 @@ async fn v1_login_response(mut req: tide::Request<ServerState>) -> tide::Result<
     #[derive(Deserialize)]
     struct ResponseBody {
         challenge_type: String,
-        challenge: String
+        challenge: String,
+        reset: Option<String>,
     }
 
     let body : ResponseBody = req.body_form().await?;
 
+    // check if a login reset was requested; if so, we start again from the top
+    if body.reset.is_some() {
+        if let Some(_) = auth {
+            req.state().destroy_auth(realm, session_id);
+            response.set_status(302);
+            return Ok(tide::Redirect::new("login").into())
+        }
+    }
+
     use schema::AuthChallengeType as ChallengeType;
 
     let challenge: schema::AuthChallengeType = match body.challenge_type.as_str() {
@@ -178,7 +190,7 @@ async fn v1_login_response(mut req: tide::Request<ServerState>) -> tide::Result<
     };
 
     if to_be_presented != Some(challenge) {
-        Err(tide::Error::from_str(400, "Incorrect challenge type"))?
+        Err(tide::Error::from_str(400, "Unexpected challenge type"))?
     }
 
     match challenge {
@@ -193,49 +205,64 @@ async fn v1_login_response(mut req: tide::Request<ServerState>) -> tide::Result<
             else {
                 let user = user.unwrap();
 
+                // TODO: set list of challenges to be whatever else this user has set up
                 let sa = schema::SessionAuthentication { session: session_id, realm: realm, user: user.id(), challenges_left: vec![schema::AuthChallengeType::Password] };
                 let id = qi.add(&sa).unwrap();
                 auth = Some(microrm::WithID::new(sa, id));
             }
         },
-        ChallengeType::Password => {
-            if auth.is_none() {
-                error = Some(format!("Please restart login process."));
-            }
-            else {
+        ct => {
+            if let Some(auth) = &mut auth {
                 let qi = req.state().core.pool.query_interface();
 
-                use schema::AuthChallenge;
-                let challenge = qi.get().by(AuthChallenge::User, &auth.as_ref().unwrap().user).by(AuthChallenge::ChallengeType, &schema::AuthChallengeType::Password).one().expect("couldn't query db");
+                let user = qi.get().by_id(&auth.user).one().expect("couldn't query db");
 
-                if challenge.is_none() {
-                    error = Some(format!("User lacks a password. Please contact an administrator."));
-                }
-                else {
-                    use ring::pbkdf2;
+                if let Some(user) = user {
+                    let user = user::User::from_model(user);
 
-                    let challenge = challenge.unwrap();
+                    let verification = user.verify_challenge(&qi, ct, body.challenge.as_bytes());
 
-                    let verification = pbkdf2::verify(pbkdf2::PBKDF2_HMAC_SHA256, std::num::NonZeroU32::new(20000).unwrap(), challenge.public.as_slice(), body.challenge.as_bytes(), challenge.secret.as_slice());
-
-                    if verification.is_ok() {
-                        auth.as_mut().unwrap().challenges_left.remove(0);
+                    match verification {
+                        Some(true) => {
+                            auth.challenges_left.remove(0);
+                            qi.update().to(auth.as_ref()).by_id(&auth.id()).exec().expect("couldn't update auth status?");
+                        },
+                        Some(false) => {
+                            error = Some("Incorrect response. Please try again".into());
+                        },
+                        None => {
+                            error = Some("User no longer exists. Please contact an administrator.".into());
+                        },
                     }
                 }
+                else {
+                    error = Some(format!("User is not configured correctly: either it was deleted or it lacks a required authentication challenge type. Please contact an administrator."));
+                }
+            }
+            else {
+                error = Some(format!("Please restart login process."));
             }
         },
-        _ => todo!()
     };
 
     Ok(req.state().render_login_from_auth(response, auth.map(|a| a.wrapped()), error))
 }
 
+async fn v1_logout(req: tide::Request<ServerState>) -> tide::Result<tide::Response> {
+    let realm = req.state().get_realm(&req).ok_or(tide::Error::from_str(404, "No such realm"))?;
+    let (session_id, _) = req.state().get_or_build_session(&req)?;
+
+    req.state().destroy_auth(realm, session_id);
+    Ok(tide::Redirect::new("/").into())
+}
+
 pub fn session_v1_server(core: &'static super::ServerCoreState) -> tide::Server<ServerState> {
     let mut srv = tide::with_state(ServerState { core, realm_cache: std::sync::Arc::new(std::sync::RwLock::new(std::collections::HashMap::new())) });
 
     srv.with(tide::log::LogMiddleware::new());
 
-    srv.at("login").get(v1_login).post(v1_login_response);
+    srv.at("login").get(v1_login).post(v1_login_post);
+    srv.at("logout").get(v1_logout);
 
     srv
 }

src/user.rs

@@ -6,7 +6,7 @@ pub struct User {
     model: Option<schema::User>
 }
 
-const PBKDF2_ROUNDS: Option<std::num::NonZeroU32> = std::num::NonZeroU32::new(20000);
+static PBKDF2_ROUNDS: std::num::NonZeroU32 = unsafe { std::num::NonZeroU32::new_unchecked(20000) };
 
 impl User {
     pub fn from_model(model: microrm::WithID<schema::User>) -> Self {
@@ -33,7 +33,7 @@ impl User {
 
         let mut generated = [0u8; ring::digest::SHA256_OUTPUT_LEN];
 
-        ring::pbkdf2::derive(ring::pbkdf2::PBKDF2_HMAC_SHA256, PBKDF2_ROUNDS.unwrap(), &salt, password, &mut generated);
+        ring::pbkdf2::derive(ring::pbkdf2::PBKDF2_HMAC_SHA256, PBKDF2_ROUNDS, &salt, password, &mut generated);
 
         qi.add(&schema::AuthChallenge { user: self.id, challenge_type: schema::AuthChallengeType::Password, public: salt.into(), secret: generated.into()}).expect("couldn't set password");
     }
@@ -41,7 +41,7 @@ impl User {
     fn verify_password_challenge(&self, challenge: schema::AuthChallenge, response: &[u8]) -> Option<bool> {
         use ring::pbkdf2;
 
-        Some(pbkdf2::verify(pbkdf2::PBKDF2_HMAC_SHA256, PBKDF2_ROUNDS.unwrap(), challenge.public.as_slice(), response, challenge.secret.as_slice()).is_ok())
+        Some(pbkdf2::verify(pbkdf2::PBKDF2_HMAC_SHA256, PBKDF2_ROUNDS, challenge.public.as_slice(), response, challenge.secret.as_slice()).is_ok())
     }
 
     fn verify_totp_challenge(&self, challenge: schema::AuthChallenge, response: &[u8]) -> Option<bool> {

tmpl/id_v1_login.tmpl

@@ -19,8 +19,10 @@
                         </div>
                         <div class="login-challenge">
                             {{{ challenge }}}
+                            <input type="submit" value=">" />
                         </div>
                         <div class="spacer">&nbsp;</div>
+                        <input type="submit" name="reset" value="Start over" />
                     </div>
                 </form>
             </div>