Conduit is a simple, fast and reliable chat server powered by Matrix https://conduit.rs
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
316 lines
10 KiB
316 lines
10 KiB
use std::sync::Arc; |
|
|
|
use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH}; |
|
use crate::{database::DatabaseGuard, utils, ConduitResult, Database, Error, Ruma}; |
|
// use log::info; |
|
use macaroon::Verifier; |
|
use rocket::State; |
|
use ruma::{ |
|
api::client::{ |
|
error::ErrorKind, |
|
r0::{ |
|
session::{get_login_types, login, logout, logout_all}, |
|
uiaa::IncomingUserIdentifier, |
|
}, |
|
}, |
|
events::EventType, |
|
UserId, |
|
}; |
|
use serde::Deserialize; |
|
use tokio::sync::RwLock; |
|
use tracing::info; |
|
|
|
#[derive(Debug, Deserialize)] |
|
struct Claims { |
|
sub: String, |
|
exp: usize, |
|
} |
|
|
|
fn verifier_callback(v: &macaroon::ByteString) -> bool { |
|
// TODO: why convert to string first, maybe ByteString has tailing zeros? |
|
let v0 = v.to_string(); |
|
let v1 = base64::decode(v0.as_bytes()).unwrap(); |
|
|
|
if v1.starts_with(b"time < ") { |
|
// TODO: is utf-8 needed? |
|
let v2 = std::str::from_utf8(&v1).unwrap(); |
|
let v3 = v2.trim_start_matches("time < "); |
|
let v4: i64 = v3.parse().unwrap(); |
|
let now = chrono::Utc::now().timestamp(); |
|
if now < v4 { |
|
println!("OK!!"); |
|
true |
|
} else { |
|
println!("expired, v4={} , now={}, v4-now={}", v4, now, v4 - now); |
|
false |
|
} |
|
} else { |
|
false |
|
} |
|
} |
|
|
|
#[cfg(feature = "conduit_bin")] |
|
use rocket::{get, post}; |
|
|
|
/// # `GET /_matrix/client/r0/login` |
|
/// |
|
/// Get the supported login types of this server. One of these should be used as the `type` field |
|
/// when logging in. |
|
#[cfg_attr(feature = "conduit_bin", get("/_matrix/client/r0/login"))] |
|
// #[tracing::instrument] // TODO: need Debug on Database |
|
pub async fn get_login_types_route( |
|
db: &rocket::State<Arc<RwLock<Database>>>, |
|
) -> ConduitResult<get_login_types::Response> { |
|
let mut flows = vec![get_login_types::LoginType::Password(Default::default())]; |
|
|
|
let db_lock = db.read().await; |
|
|
|
if db_lock.globals.openid_client.is_some() { |
|
flows.push(get_login_types::LoginType::Sso( |
|
get_login_types::SsoLoginType::default(), |
|
)); |
|
} |
|
|
|
Ok(get_login_types::Response { flows }.into()) |
|
} |
|
|
|
/// # `POST /_matrix/client/r0/login` |
|
/// |
|
/// Authenticates the user and returns an access token it can use in subsequent requests. |
|
/// |
|
/// - The user needs to authenticate using their password (or if enabled using a json web token) |
|
/// - If `device_id` is known: invalidates old access token of that device |
|
/// - If `device_id` is unknown: creates a new device |
|
/// - Returns access token that is associated with the user and device |
|
/// |
|
/// Note: You can use [`GET /_matrix/client/r0/login`](fn.get_supported_versions_route.html) to see |
|
/// supported login types. |
|
#[cfg_attr( |
|
feature = "conduit_bin", |
|
post("/_matrix/client/r0/login", data = "<body>") |
|
)] |
|
#[tracing::instrument(skip(db, body))] |
|
pub async fn login_route( |
|
db: DatabaseGuard, |
|
body: Ruma<login::Request<'_>>, |
|
) -> ConduitResult<login::Response> { |
|
// Validate login method |
|
// TODO: Other login methods |
|
let user_id = match &body.login_info { |
|
login::IncomingLoginInfo::Password(login::IncomingPassword { |
|
identifier, |
|
password, |
|
}) => { |
|
let username = if let IncomingUserIdentifier::MatrixId(matrix_id) = identifier { |
|
matrix_id |
|
} else { |
|
return Err(Error::BadRequest(ErrorKind::Forbidden, "Bad login type.")); |
|
}; |
|
let user_id = |
|
UserId::parse_with_server_name(username.to_owned(), db.globals.server_name()) |
|
.map_err(|_| { |
|
Error::BadRequest(ErrorKind::InvalidUsername, "Username is invalid.") |
|
})?; |
|
let hash = db.users.password_hash(&user_id)?.ok_or(Error::BadRequest( |
|
ErrorKind::Forbidden, |
|
"Wrong username or password.", |
|
))?; |
|
|
|
if hash.is_empty() { |
|
return Err(Error::BadRequest( |
|
ErrorKind::UserDeactivated, |
|
"The user has been deactivated", |
|
)); |
|
} |
|
|
|
let hash_matches = argon2::verify_encoded(&hash, password.as_bytes()).unwrap_or(false); |
|
|
|
if !hash_matches { |
|
return Err(Error::BadRequest( |
|
ErrorKind::Forbidden, |
|
"Wrong username or password.", |
|
)); |
|
} |
|
|
|
user_id |
|
} |
|
login::IncomingLoginInfo::Token(login::IncomingToken { token }) => { |
|
if let Some(jwt_decoding_key) = db.globals.jwt_decoding_key() { |
|
let token = jsonwebtoken::decode::<Claims>( |
|
token, |
|
jwt_decoding_key, |
|
&jsonwebtoken::Validation::default(), |
|
) |
|
.map_err(|_| Error::BadRequest(ErrorKind::InvalidUsername, "Token is invalid."))?; |
|
let username = token.claims.sub; |
|
UserId::parse_with_server_name(username, db.globals.server_name()).map_err( |
|
|_| Error::BadRequest(ErrorKind::InvalidUsername, "Username is invalid."), |
|
)? |
|
} else if macaroon::Macaroon::deserialize( |
|
&base64::decode_config(token, base64::URL_SAFE_NO_PAD).unwrap(), |
|
) |
|
.is_ok() |
|
{ |
|
println!("TOKEN! {}", token); |
|
|
|
let macaroon = macaroon::Macaroon::deserialize( |
|
&base64::decode_config(token, base64::URL_SAFE_NO_PAD).unwrap(), |
|
) |
|
.unwrap(); |
|
|
|
let v0 = macaroon.identifier().to_string(); |
|
let v1 = base64::decode(v0.as_bytes()).unwrap(); |
|
let user_id = std::str::from_utf8(&v1).unwrap(); |
|
println!("identifier: {}", user_id); |
|
|
|
println!("location: {:?}", macaroon.location()); |
|
println!("sig: {:?}", macaroon.signature()); |
|
|
|
let mut verifier = Verifier::default(); |
|
verifier.satisfy_general(verifier_callback); |
|
|
|
let (key, _) = &db.globals.openid_client.as_ref().unwrap(); |
|
|
|
match verifier.verify(&macaroon, &key, Default::default()) { |
|
Ok(()) => println!("Macaroon verified!"), |
|
Err(error) => println!("Error validating macaroon: {:?}", error), |
|
} |
|
|
|
let user_id = UserId::parse_with_server_name(user_id, db.globals.server_name()) |
|
.map_err(|_| { |
|
Error::BadRequest(ErrorKind::InvalidUsername, "Username is invalid.") |
|
})?; |
|
|
|
println!("user_id: {}", user_id); |
|
|
|
if !db.users.exists(&user_id)? { |
|
// TODO None? |
|
db.users |
|
.create(&user_id, Some("00000000000000000000000000000000000000000"))?; // TODO |
|
db.account_data.update( |
|
None, |
|
&user_id, |
|
EventType::PushRules, |
|
&ruma::events::push_rules::PushRulesEvent { |
|
content: ruma::events::push_rules::PushRulesEventContent { |
|
global: ruma::push::Ruleset::server_default(&user_id), |
|
}, |
|
}, |
|
&db.globals, |
|
)?; |
|
} |
|
|
|
user_id |
|
} else { |
|
return Err(Error::BadRequest( |
|
ErrorKind::Unknown, |
|
"Token login is not supported (server has no jwt decoding key).", |
|
)); |
|
} |
|
} |
|
_ => { |
|
return Err(Error::BadRequest( |
|
ErrorKind::Unknown, |
|
"Unsupported login type.", |
|
)); |
|
} |
|
}; |
|
|
|
// Generate new device id if the user didn't specify one |
|
let device_id = body |
|
.device_id |
|
.clone() |
|
.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into()); |
|
|
|
// Generate a new token for the device |
|
let token = utils::random_string(TOKEN_LENGTH); |
|
|
|
// Determine if device_id was provided and exists in the db for this user |
|
let device_exists = body.device_id.as_ref().map_or(false, |device_id| { |
|
db.users |
|
.all_device_ids(&user_id) |
|
.any(|x| x.as_ref().map_or(false, |v| v == device_id)) |
|
}); |
|
|
|
if device_exists { |
|
db.users.set_token(&user_id, &device_id, &token)?; |
|
} else { |
|
db.users.create_device( |
|
&user_id, |
|
&device_id, |
|
&token, |
|
body.initial_device_display_name.clone(), |
|
)?; |
|
} |
|
|
|
info!("{} logged in", user_id); |
|
|
|
db.flush()?; |
|
|
|
Ok(login::Response { |
|
user_id, |
|
access_token: token, |
|
home_server: Some(db.globals.server_name().to_owned()), |
|
device_id, |
|
well_known: None, |
|
} |
|
.into()) |
|
} |
|
|
|
/// # `POST /_matrix/client/r0/logout` |
|
/// |
|
/// Log out the current device. |
|
/// |
|
/// - Invalidates access token |
|
/// - Deletes device metadata (device id, device display name, last seen ip, last seen ts) |
|
/// - Forgets to-device events |
|
/// - Triggers device list updates |
|
#[cfg_attr( |
|
feature = "conduit_bin", |
|
post("/_matrix/client/r0/logout", data = "<body>") |
|
)] |
|
#[tracing::instrument(skip(db, body))] |
|
pub async fn logout_route( |
|
db: DatabaseGuard, |
|
body: Ruma<logout::Request>, |
|
) -> ConduitResult<logout::Response> { |
|
let sender_user = body.sender_user.as_ref().expect("user is authenticated"); |
|
let sender_device = body.sender_device.as_ref().expect("user is authenticated"); |
|
|
|
db.users.remove_device(sender_user, sender_device)?; |
|
|
|
db.flush()?; |
|
|
|
Ok(logout::Response::new().into()) |
|
} |
|
|
|
/// # `POST /_matrix/client/r0/logout/all` |
|
/// |
|
/// Log out all devices of this user. |
|
/// |
|
/// - Invalidates all access tokens |
|
/// - Deletes all device metadata (device id, device display name, last seen ip, last seen ts) |
|
/// - Forgets all to-device events |
|
/// - Triggers device list updates |
|
/// |
|
/// Note: This is equivalent to calling [`GET /_matrix/client/r0/logout`](fn.logout_route.html) |
|
/// from each device of this user. |
|
#[cfg_attr( |
|
feature = "conduit_bin", |
|
post("/_matrix/client/r0/logout/all", data = "<body>") |
|
)] |
|
#[tracing::instrument(skip(db, body))] |
|
pub async fn logout_all_route( |
|
db: DatabaseGuard, |
|
body: Ruma<logout_all::Request>, |
|
) -> ConduitResult<logout_all::Response> { |
|
let sender_user = body.sender_user.as_ref().expect("user is authenticated"); |
|
|
|
for device_id in db.users.all_device_ids(sender_user).flatten() { |
|
db.users.remove_device(sender_user, &device_id)?; |
|
} |
|
|
|
db.flush()?; |
|
|
|
Ok(logout_all::Response::new().into()) |
|
}
|
|
|