use crate::schema; use serde::{Deserialize, Serialize}; use microrm::prelude::*; #[derive(Clone)] pub struct ServerState { core: &'static super::ServerCoreState, } type Request = tide::Request; #[derive(serde::Serialize)] pub enum OIDCErrorType { InvalidRequest, UnauthorizedClient, AccessDenied, UnsupportedResponseType, InvalidScope, ServerError, TemporarilyUnavailable, } pub struct OIDCError<'a>(OIDCErrorType, String, Option<&'a str>); impl<'a> OIDCError<'a> { fn to_response(self) -> tide::Response { #[derive(Serialize)] struct ErrorOut<'a> { error: OIDCErrorType, error_description: String, state: Option<&'a str>, } let eo = ErrorOut { error: self.0, error_description: self.1, state: self.2, }; tide::Response::builder(400) .body(serde_json::to_vec(&eo).unwrap()) .build() } } #[derive(Deserialize)] struct AuthorizeQueryParams { response_type: String, client_id: String, redirect_uri: String, scope: Option, } fn do_code_authorize( request: Request, qp: AuthorizeQueryParams, state: Option<&str>, client: microrm::WithID, ) -> Result { todo!() } fn do_token_authorize( request: Request, qp: AuthorizeQueryParams, state: Option<&str>, client: microrm::WithID, ) -> Result { todo!() } fn do_authorize(request: Request, state: Option<&str>) -> Result { let qp: AuthorizeQueryParams = request .query() .map_err(|x| OIDCError(OIDCErrorType::InvalidRequest, x.to_string(), state))?; // verify the realm and client_id and redirect_uri let qi = request.state().core.pool.query_interface(); let realm = qi.get().by( schema::Realm::Shortname, &request.param("realm").unwrap(), ).one().expect("couldn't query db"); if realm.is_none() { return Err(OIDCError( OIDCErrorType::InvalidRequest, "No such realm!".to_string(), state, )); } let realm = realm.unwrap(); let client = qi.get().by(schema::Client::Realm, &realm.id()).by(schema::Client::Shortname, &qp.client_id).one().expect("couldn't query db"); if client.is_none() { return Err(OIDCError( OIDCErrorType::UnauthorizedClient, "Client does not exist".to_string(), state, )); } if qp.response_type == "code" { do_code_authorize(request, qp, state, client.unwrap()) } else if qp.response_type == "token" { do_token_authorize(request, qp, state, client.unwrap()) } else { return Err(OIDCError( OIDCErrorType::UnsupportedResponseType, "Only code and token are understood.".to_string(), state, )); } } async fn authorize(request: Request) -> tide::Result { #[derive(Deserialize)] struct State { state: Option, } let state: Option = request.query::().ok().map(|x| x.state).flatten(); let result = do_authorize(request, state.as_ref().map(|x| x.as_str())); if let Err(e) = result { todo!() } todo!() } #[derive(Deserialize)] struct TokenRequestBody { grant_type: String, refresh_token: Option, scope: Option, redirect_uri: Option, code: Option, client_id: Option, // direct grant username: Option, password: Option, } async fn token(mut request: Request) -> tide::Result { let body: Result = request.body_form().await; // let body : TokenRequestBody = request.body_form(); todo!() } pub fn oidc_v1_server(core: &'static super::ServerCoreState) -> tide::Server { let mut srv = tide::with_state(ServerState { core }); srv.at("authorize").get(authorize).post(authorize); srv.at("token").post(token); srv }