use crate::{schema, user, UIDCError}; use microrm::{prelude::*, schema::Stored}; use serde::Deserialize; use tide::http::Cookie; pub(super) struct SessionHelper<'l> { db: &'l schema::UIDCDatabase, tmpl: &'l handlebars::Handlebars<'l>, realm_str: &'l str, } type Request = tide::Request; const SESSION_COOKIE_NAME: &'static str = "uidc_session"; impl<'l> SessionHelper<'l> { pub fn new(req: &'l Request) -> Self { Self { db: &req.state().core.db, tmpl: &req.state().core.templates, realm_str: req.param("realm").expect("no realm param?"), } } pub fn get_realm(&self) -> tide::Result> { self.db .realms .unique(self.realm_str) .get()? .ok_or(tide::Error::from_str(404, "No such realm")) } fn build_session( &self, ) -> tide::Result<(schema::Session, Option>)> { let rng = ring::rand::SystemRandom::new(); let session_id: [u8; 32] = ring::rand::generate(&rng) .map_err(|_| tide::Error::from_str(500, "Failed to generate session ID"))? .expose(); let session_id = base64::encode_config(session_id, base64::URL_SAFE_NO_PAD); // XXX: replace with in-place insertion once support for that is added to microrm let session = self.db.sessions.insert_and_return(schema::Session { session_id: session_id.clone(), auth: Default::default(), expiry: time::OffsetDateTime::now_utc() + time::Duration::minutes(10), })?; let session_cookie = Cookie::build(SESSION_COOKIE_NAME, session_id) .path("/") .finish(); Ok((session.wrapped(), Some(session_cookie))) } pub fn verify_session(&self, req: &Request) -> Option<(Stored, schema::UserID)> { self.get_or_build_session(req) .ok() .zip(self.get_realm().ok()) .and_then(|((sid, _cookie), realm)| { self.get_auth_for_session(realm.id(), &sid) .and_then(|auth| { if let Some(user) = auth.user { Some((realm, user)) } else { None } }) }) } pub fn get_session(&self, req: &Request) -> Option { req.cookie(SESSION_COOKIE_NAME).and_then(|sid| { self.db .sessions .unique(sid.value()) .get() .ok() .flatten() .map(|v| v.wrapped()) }) } pub fn get_or_build_session( &self, req: &Request, ) -> tide::Result<(schema::Session, Option>)> { match self.get_session(&req) { Some(s) => Ok((s, None)), None => self.build_session(), } } pub fn get_auth_for_session( &self, realm: schema::RealmID, session: &schema::Session, ) -> Option> { session .auth .with(schema::SessionAuth::Realm, realm) .first() .get() .ok()? } pub fn destroy_auth( &self, realm: schema::RealmID, session: &schema::Session, ) -> Result<(), UIDCError> { session .auth .with(schema::SessionAuth::Realm, realm) .first() .delete()?; Ok(()) } } impl<'l> SessionHelper<'l> { fn render_login_from_auth( &self, mut response: tide::Response, redirect: String, auth: Option, error_msg: Option, ) -> tide::Response { let to_present: Option = match auth { None => Some(schema::AuthChallengeType::Username), Some(auth) => auth.pending_challenges.as_ref().first().copied(), }; if to_present.is_none() { response.set_status(302); tide::Redirect::new("../..").into() } else { self.render_login_page(response, redirect, to_present.unwrap(), error_msg) } } fn render_login_page( &self, mut response: tide::Response, redirect: String, to_present: schema::AuthChallengeType, error_msg: Option, ) -> tide::Response { let do_challenge = |ty, ch| { self.tmpl .render( "id_v1_login", &serde_json::json!( { "challenge": format!(r#" {} {} "#, to_present, ty, ch), "redirect": redirect, "error_msg": error_msg.iter().collect::>() } ), ) .unwrap() }; response.set_content_type("text/html"); match to_present { schema::AuthChallengeType::Username => { response.set_body(do_challenge( "Username", r#""#, )); } schema::AuthChallengeType::Password => { response.set_body(do_challenge( "Password", r#""#, )); } schema::AuthChallengeType::TOTP => { response.set_body(do_challenge( "Authenticator code", r#""#, )); } _ => todo!(), } response } } async fn v1_login(req: Request) -> tide::Result { let mut response = tide::Response::builder(200).build(); let shelper = SessionHelper::new(&req); let realm = shelper.get_realm()?; let (session, cookie) = shelper.get_or_build_session(&req)?; cookie.map(|c| response.insert_cookie(c)); let auth = shelper.get_auth_for_session(realm.id(), &session); #[derive(serde::Deserialize)] struct LoginQuery { redirect: Option, } let query: LoginQuery = req.query().unwrap(); Ok(shelper.render_login_from_auth( response, query.redirect.unwrap_or_else(|| "../..".to_string()), auth.map(Stored::wrapped), None, )) } async fn v1_login_post(mut req: Request) -> tide::Result { let mut response = tide::Response::builder(200).build(); #[derive(Deserialize)] struct ResponseBody { challenge_type: String, challenge: String, reset: Option, redirect: String, } let body: ResponseBody = req.body_form().await?; let shelper = SessionHelper::new(&req); let realm = shelper.get_realm()?; let (session, cookie) = shelper.get_or_build_session(&req)?; cookie.map(|c| response.insert_cookie(c)); let mut auth = shelper.get_auth_for_session(realm.id(), &session); // check if a login reset was requested; if so, we start again from the top if body.reset.is_some() { shelper.destroy_auth(realm.id(), &session)?; return Ok(tide::Redirect::new("login").into()); } use schema::AuthChallengeType as ChallengeType; let challenge: schema::AuthChallengeType = match body.challenge_type.as_str() { "Username" => ChallengeType::Username, "Password" => ChallengeType::Password, "TOTP" => ChallengeType::TOTP, _ => Err(tide::Error::from_str(400, "Unknown challenge type"))?, }; let mut error = None; // check that the response matches what we're expecting next let to_be_presented: Option = match &auth { None => Some(schema::AuthChallengeType::Username), Some(auth) => auth.pending_challenges.as_ref().first().copied(), }; if to_be_presented != Some(challenge) { Err(tide::Error::from_str(400, "Unexpected challenge type"))? } match challenge { // handle the username challenge specially because this sets up the pending challenges. ChallengeType::Username => { shelper.destroy_auth(realm.id(), &session)?; let user = realm.users.unique(&body.challenge).get()?; if user.is_none() { error = Some(format!("No such user {}", body.challenge)); } else { let user = user.unwrap(); let has_totp = user .auth .with( schema::AuthChallenge::ChallengeType, microrm::schema::Serialized::from(schema::AuthChallengeType::TOTP), ) .count()? > 0; // TODO: support more flows than just username,password[,totp] auth = Some( session.auth.insert_and_return(schema::SessionAuth { realm: realm.id(), user: None, pending_user: Some(user.id()), pending_challenges: if has_totp { vec![ schema::AuthChallengeType::Password, schema::AuthChallengeType::TOTP, ] } else { vec![schema::AuthChallengeType::Password] } .into(), })?, ); // auth = Some(session.auth.with(id, id).first().get()?.expect("can't re-get just-added entity")); } } ct => { if let Some(auth) = auth.as_mut() { // let qi = req.state().core.pool.query_interface(); // let user = qi.get().by_id(&auth.user).one().expect("couldn't query db"); if let Some(user_id) = auth.pending_user { let user = realm .users .with(user_id, user_id) .first() .get()? .ok_or(UIDCError::Abort("session auth refers to nonexistent user"))?; let user = user::User::from_schema(&realm, user); let verification = user.verify_challenge_by_type(ct, body.challenge.as_bytes()); match verification { Ok(true) => { auth.pending_challenges.as_mut().remove(0); // if we're done with the last challenge, mark us as logged in if auth.pending_challenges.as_ref().is_empty() { auth.user = auth.pending_user.take(); } auth.sync()?; } Ok(false) => { error = Some("Incorrect response. Please try again".into()); } Err(_) => { error = Some("Internal error. Please contact an administrator.".into()); } } } else { error = Some(format!("User is not configured correctly: either it was deleted or it lacks a required authentication challenge type. Please contact an administrator.")); } } else { error = Some(format!("Please restart login process.")); } } }; Ok(shelper.render_login_from_auth(response, body.redirect, auth.map(Stored::wrapped), error)) } async fn v1_logout(req: Request) -> tide::Result { let shelper = SessionHelper::new(&req); #[derive(serde::Deserialize)] struct LogoutQuery { redirect: Option, } let query: LogoutQuery = req.query().unwrap(); let realm = shelper.get_realm()?; shelper .get_session(&req) .map(|sid| shelper.destroy_auth(realm.id(), &sid)); Ok(tide::Redirect::new(query.redirect.unwrap_or_else(|| "../..".into())).into()) } pub(super) fn session_v1_server(mut route: tide::Route) { route.at("login").get(v1_login).post(v1_login_post); route.at("logout").get(v1_logout); }