Issue tokens on login
This commit is contained in:
parent
3e91d66565
commit
7fc83b6e56
4 changed files with 72 additions and 8 deletions
|
|
@ -12,6 +12,9 @@ const pw_hash_params = PwHash.Params.interactive;
|
|||
const pw_hash_encoding = .phc;
|
||||
const pw_hash_buf_size = 128;
|
||||
|
||||
const token_len = 20;
|
||||
const token_str_len = std.base64.standard.count(token_len);
|
||||
|
||||
// Frees an api struct and its fields allocated from alloc
|
||||
pub fn free(alloc: std.mem.Allocator, val: anytype) void {
|
||||
switch (@typeInfo(@TypeOf(val))) {
|
||||
|
|
@ -165,7 +168,12 @@ pub const ApiServer = struct {
|
|||
return actor;
|
||||
}
|
||||
|
||||
pub fn login(self: *ApiServer, username: []const u8, password: []const u8, alloc: std.mem.Allocator) !?models.Actor {
|
||||
const LoginResult = struct {
|
||||
user_id: Uuid,
|
||||
token: [token_len]u8,
|
||||
issued_at: DateTime,
|
||||
};
|
||||
pub fn login(self: *ApiServer, username: []const u8, password: []const u8, alloc: std.mem.Allocator) !LoginResult {
|
||||
// TODO: This gives away the existence of a user through a timing side channel. is that acceptable?
|
||||
const user_info = (try self.db.getBy(models.LocalUser, .username, username, alloc)) orelse return error.InvalidLogin;
|
||||
defer free(alloc, user_info);
|
||||
|
|
@ -176,8 +184,39 @@ pub const ApiServer = struct {
|
|||
else => return err,
|
||||
};
|
||||
|
||||
// TODO: return token instead
|
||||
return (try self.db.getBy(models.Actor, .id, user_info.actor_id.?, alloc)) orelse unreachable;
|
||||
const token = try self.createToken(user_info);
|
||||
|
||||
return LoginResult{
|
||||
.user_id = user_info.id,
|
||||
.token = token.value,
|
||||
.issued_at = token.info.issued_at,
|
||||
};
|
||||
//return (try self.db.getBy(models.Actor, .id, user_info.actor_id.?, alloc)) orelse unreachable;
|
||||
}
|
||||
|
||||
const TokenResult = struct {
|
||||
info: models.Token,
|
||||
value: [token_len]u8,
|
||||
};
|
||||
fn createToken(self: *ApiServer, user: models.LocalUser) !TokenResult {
|
||||
var token: [token_len]u8 = undefined;
|
||||
std.crypto.random.bytes(&token);
|
||||
|
||||
var hash: [models.Token.hash_len]u8 = undefined;
|
||||
models.Token.HashFn.hash(&token, &hash, .{});
|
||||
|
||||
const db_token = models.Token{
|
||||
.id = Uuid.randV4(self.prng.random()),
|
||||
.hash = .{ .data = hash },
|
||||
.user_id = user.id,
|
||||
.issued_at = DateTime.now(),
|
||||
};
|
||||
|
||||
try self.db.insert(models.Token, db_token);
|
||||
return TokenResult{
|
||||
.info = db_token,
|
||||
.value = token,
|
||||
};
|
||||
}
|
||||
|
||||
pub fn getNote(self: *ApiServer, id: Uuid, alloc: std.mem.Allocator) !?models.Note {
|
||||
|
|
|
|||
|
|
@ -34,11 +34,10 @@ pub fn login(srv: *RequestServer, ctx: *http.server.Context, _: RouteArgs) !void
|
|||
const credentials = try utils.parseRequestBody(struct { username: []const u8, password: []const u8 }, ctx);
|
||||
defer utils.freeRequestBody(credentials, ctx.alloc);
|
||||
|
||||
const actor = srv.api.login(credentials.username, credentials.password, ctx.alloc) catch |err| switch (err) {
|
||||
const token = srv.api.login(credentials.username, credentials.password, ctx.alloc) catch |err| switch (err) {
|
||||
error.PasswordVerificationFailed => return utils.respondError(ctx, .bad_request, "Invalid Login"),
|
||||
else => return err,
|
||||
};
|
||||
defer api.free(ctx.alloc, actor);
|
||||
|
||||
try utils.respondJson(ctx, .ok, actor);
|
||||
try utils.respondJson(ctx, .ok, token);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -48,6 +48,7 @@ fn tableName(comptime T: type) String {
|
|||
models.Actor => "actor",
|
||||
models.Reaction => "reaction",
|
||||
models.LocalUser => "local_user",
|
||||
models.Token => "token",
|
||||
else => unreachable,
|
||||
};
|
||||
}
|
||||
|
|
@ -175,7 +176,7 @@ pub const Database = struct {
|
|||
\\ id TEXT NOT NULL,
|
||||
\\
|
||||
\\ handle TEXT NOT NULL,
|
||||
\\ created_at INTEGER NOT NULL,
|
||||
\\ created_at INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
\\
|
||||
\\ PRIMARY KEY(id)
|
||||
\\) STRICT;
|
||||
|
|
@ -189,7 +190,7 @@ pub const Database = struct {
|
|||
\\ email TEXT,
|
||||
\\ hashed_password TEXT NOT NULL,
|
||||
\\
|
||||
\\ created_at INTEGER NOT NULL,
|
||||
\\ created_at INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
\\ password_changed_at INTEGER NOT NULL,
|
||||
\\
|
||||
\\ UNIQUE(actor_id),
|
||||
|
|
@ -218,11 +219,24 @@ pub const Database = struct {
|
|||
\\ reactor_id TEXT NOT NULL,
|
||||
\\ note_id TEXT NOT NULL,
|
||||
\\
|
||||
\\ created_at INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
\\
|
||||
\\ FOREIGN KEY(reactor_id) REFERENCES actor(id),
|
||||
\\ FOREIGN KEY(note_id) REFERENCES note(id),
|
||||
\\
|
||||
\\ PRIMARY KEY(id)
|
||||
\\) STRICT;
|
||||
,
|
||||
\\CREATE TABLE IF NOT EXISTS
|
||||
\\token(
|
||||
\\ id TEXT NOT NULL,
|
||||
\\
|
||||
\\ hash BLOB UNIQUE NOT NULL,
|
||||
\\ user_id TEXT NOT NULL REFERENCES local_user(id),
|
||||
\\ issued_at INTEGER NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
\\
|
||||
\\ PRIMARY KEY(id)
|
||||
\\) STRICT;
|
||||
};
|
||||
|
||||
pub fn init() !Database {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
const std = @import("std");
|
||||
const util = @import("util");
|
||||
|
||||
const ByteArray = @import("./db.zig").ByteArray;
|
||||
const Uuid = util.Uuid;
|
||||
const DateTime = util.DateTime;
|
||||
|
||||
|
|
@ -44,3 +45,14 @@ pub const Reaction = struct {
|
|||
|
||||
created_at: DateTime,
|
||||
};
|
||||
|
||||
pub const Token = struct {
|
||||
pub const HashFn = std.crypto.hash.sha2.Sha256;
|
||||
pub const hash_len = HashFn.digest_length;
|
||||
|
||||
id: Uuid,
|
||||
|
||||
hash: ByteArray(hash_len),
|
||||
user_id: Ref(LocalUser),
|
||||
issued_at: DateTime,
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in a new issue