1pub mod events;
2pub mod extensions;
3
4use crate::{
5 auth,
6 db::{ContributorSelector, User, UserId},
7 rpc, AppState, Error, Result,
8};
9use anyhow::anyhow;
10use axum::{
11 body::Body,
12 extract::{Path, Query},
13 http::{self, Request, StatusCode},
14 middleware::{self, Next},
15 response::IntoResponse,
16 routing::{get, post},
17 Extension, Json, Router,
18};
19use axum_extra::response::ErasedJson;
20use chrono::SecondsFormat;
21use serde::{Deserialize, Serialize};
22use std::sync::Arc;
23use tower::ServiceBuilder;
24use tracing::instrument;
25
26pub use extensions::fetch_extensions_from_blob_store_periodically;
27
28pub fn routes(rpc_server: Option<Arc<rpc::Server>>, state: Arc<AppState>) -> Router<Body> {
29 Router::new()
30 .route("/user", get(get_authenticated_user))
31 .route("/users/:id/access_tokens", post(create_access_token))
32 .route("/panic", post(trace_panic))
33 .route("/rpc_server_snapshot", get(get_rpc_server_snapshot))
34 .route("/contributors", get(get_contributors).post(add_contributor))
35 .route("/contributor", get(check_is_contributor))
36 .layer(
37 ServiceBuilder::new()
38 .layer(Extension(state))
39 .layer(Extension(rpc_server))
40 .layer(middleware::from_fn(validate_api_token)),
41 )
42}
43
44pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
45 let token = req
46 .headers()
47 .get(http::header::AUTHORIZATION)
48 .and_then(|header| header.to_str().ok())
49 .ok_or_else(|| {
50 Error::Http(
51 StatusCode::BAD_REQUEST,
52 "missing authorization header".to_string(),
53 )
54 })?
55 .strip_prefix("token ")
56 .ok_or_else(|| {
57 Error::Http(
58 StatusCode::BAD_REQUEST,
59 "invalid authorization header".to_string(),
60 )
61 })?;
62
63 let state = req.extensions().get::<Arc<AppState>>().unwrap();
64
65 if token != state.config.api_token {
66 Err(Error::Http(
67 StatusCode::UNAUTHORIZED,
68 "invalid authorization token".to_string(),
69 ))?
70 }
71
72 Ok::<_, Error>(next.run(req).await)
73}
74
75#[derive(Debug, Deserialize)]
76struct AuthenticatedUserParams {
77 github_user_id: Option<i32>,
78 github_login: String,
79 github_email: Option<String>,
80}
81
82#[derive(Debug, Serialize)]
83struct AuthenticatedUserResponse {
84 user: User,
85 metrics_id: String,
86}
87
88async fn get_authenticated_user(
89 Query(params): Query<AuthenticatedUserParams>,
90 Extension(app): Extension<Arc<AppState>>,
91) -> Result<Json<AuthenticatedUserResponse>> {
92 let user = app
93 .db
94 .get_or_create_user_by_github_account(
95 ¶ms.github_login,
96 params.github_user_id,
97 params.github_email.as_deref(),
98 )
99 .await?;
100 let metrics_id = app.db.get_user_metrics_id(user.id).await?;
101 return Ok(Json(AuthenticatedUserResponse { user, metrics_id }));
102}
103
104#[derive(Deserialize, Debug)]
105struct CreateUserParams {
106 github_user_id: i32,
107 github_login: String,
108 email_address: String,
109 email_confirmation_code: Option<String>,
110 #[serde(default)]
111 admin: bool,
112 #[serde(default)]
113 invite_count: i32,
114}
115
116#[derive(Serialize, Debug)]
117struct CreateUserResponse {
118 user: User,
119 signup_device_id: Option<String>,
120 metrics_id: String,
121}
122
123#[derive(Debug, Deserialize)]
124struct Panic {
125 version: String,
126 release_channel: String,
127 backtrace_hash: String,
128 text: String,
129}
130
131#[instrument(skip(panic))]
132async fn trace_panic(panic: Json<Panic>) -> Result<()> {
133 tracing::error!(version = %panic.version, release_channel = %panic.release_channel, backtrace_hash = %panic.backtrace_hash, text = %panic.text, "panic report");
134 Ok(())
135}
136
137async fn get_rpc_server_snapshot(
138 Extension(rpc_server): Extension<Option<Arc<rpc::Server>>>,
139) -> Result<ErasedJson> {
140 let Some(rpc_server) = rpc_server else {
141 return Err(Error::Internal(anyhow!("rpc server is not available")));
142 };
143
144 Ok(ErasedJson::pretty(rpc_server.snapshot().await))
145}
146
147async fn get_contributors(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<String>>> {
148 Ok(Json(app.db.get_contributors().await?))
149}
150
151#[derive(Debug, Deserialize)]
152struct CheckIsContributorParams {
153 github_user_id: Option<i32>,
154 github_login: Option<String>,
155}
156
157impl CheckIsContributorParams {
158 fn as_contributor_selector(self) -> Result<ContributorSelector> {
159 if let Some(github_user_id) = self.github_user_id {
160 return Ok(ContributorSelector::GitHubUserId { github_user_id });
161 }
162
163 if let Some(github_login) = self.github_login {
164 return Ok(ContributorSelector::GitHubLogin { github_login });
165 }
166
167 Err(anyhow!(
168 "must be one of `github_user_id` or `github_login`."
169 ))?
170 }
171}
172
173#[derive(Debug, Serialize)]
174struct CheckIsContributorResponse {
175 signed_at: Option<String>,
176}
177
178async fn check_is_contributor(
179 Extension(app): Extension<Arc<AppState>>,
180 Query(params): Query<CheckIsContributorParams>,
181) -> Result<Json<CheckIsContributorResponse>> {
182 let params = params.as_contributor_selector()?;
183 Ok(Json(CheckIsContributorResponse {
184 signed_at: app
185 .db
186 .get_contributor_sign_timestamp(¶ms)
187 .await?
188 .map(|ts| ts.and_utc().to_rfc3339_opts(SecondsFormat::Millis, true)),
189 }))
190}
191
192async fn add_contributor(
193 Json(params): Json<AuthenticatedUserParams>,
194 Extension(app): Extension<Arc<AppState>>,
195) -> Result<()> {
196 Ok(app
197 .db
198 .add_contributor(
199 ¶ms.github_login,
200 params.github_user_id,
201 params.github_email.as_deref(),
202 )
203 .await?)
204}
205
206#[derive(Deserialize)]
207struct CreateAccessTokenQueryParams {
208 public_key: String,
209 impersonate: Option<String>,
210}
211
212#[derive(Serialize)]
213struct CreateAccessTokenResponse {
214 user_id: UserId,
215 encrypted_access_token: String,
216}
217
218async fn create_access_token(
219 Path(user_id): Path<UserId>,
220 Query(params): Query<CreateAccessTokenQueryParams>,
221 Extension(app): Extension<Arc<AppState>>,
222) -> Result<Json<CreateAccessTokenResponse>> {
223 let user = app
224 .db
225 .get_user_by_id(user_id)
226 .await?
227 .ok_or_else(|| anyhow!("user not found"))?;
228
229 let mut impersonated_user_id = None;
230 if let Some(impersonate) = params.impersonate {
231 if user.admin {
232 if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
233 impersonated_user_id = Some(impersonated_user.id);
234 } else {
235 return Err(Error::Http(
236 StatusCode::UNPROCESSABLE_ENTITY,
237 format!("user {impersonate} does not exist"),
238 ));
239 }
240 } else {
241 return Err(Error::Http(
242 StatusCode::UNAUTHORIZED,
243 "you do not have permission to impersonate other users".to_string(),
244 ));
245 }
246 }
247
248 let access_token =
249 auth::create_access_token(app.db.as_ref(), user_id, impersonated_user_id).await?;
250 let encrypted_access_token =
251 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
252
253 Ok(Json(CreateAccessTokenResponse {
254 user_id: impersonated_user_id.unwrap_or(user_id),
255 encrypted_access_token,
256 }))
257}