1use super::{
  2    db::{self, UserId},
  3    errors::TideResultExt,
  4};
  5use crate::Request;
  6use anyhow::{anyhow, Context};
  7use rand::thread_rng;
  8use rpc::auth as zed_auth;
  9use scrypt::{
 10    password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
 11    Scrypt,
 12};
 13use std::convert::TryFrom;
 14use surf::StatusCode;
 15use tide::Error;
 16
 17pub async fn process_auth_header(request: &Request) -> tide::Result<UserId> {
 18    let mut auth_header = request
 19        .header("Authorization")
 20        .ok_or_else(|| {
 21            Error::new(
 22                StatusCode::BadRequest,
 23                anyhow!("missing authorization header"),
 24            )
 25        })?
 26        .last()
 27        .as_str()
 28        .split_whitespace();
 29    let user_id = UserId(auth_header.next().unwrap_or("").parse().map_err(|_| {
 30        Error::new(
 31            StatusCode::BadRequest,
 32            anyhow!("missing user id in authorization header"),
 33        )
 34    })?);
 35    let access_token = auth_header.next().ok_or_else(|| {
 36        Error::new(
 37            StatusCode::BadRequest,
 38            anyhow!("missing access token in authorization header"),
 39        )
 40    })?;
 41
 42    let state = request.state().clone();
 43    let mut credentials_valid = false;
 44    for password_hash in state.db.get_access_token_hashes(user_id).await? {
 45        if verify_access_token(&access_token, &password_hash)? {
 46            credentials_valid = true;
 47            break;
 48        }
 49    }
 50
 51    if !credentials_valid {
 52        Err(Error::new(
 53            StatusCode::Unauthorized,
 54            anyhow!("invalid credentials"),
 55        ))?;
 56    }
 57
 58    Ok(user_id)
 59}
 60
 61const MAX_ACCESS_TOKENS_TO_STORE: usize = 8;
 62
 63pub async fn create_access_token(db: &dyn db::Db, user_id: UserId) -> tide::Result<String> {
 64    let access_token = zed_auth::random_token();
 65    let access_token_hash =
 66        hash_access_token(&access_token).context("failed to hash access token")?;
 67    db.create_access_token_hash(user_id, &access_token_hash, MAX_ACCESS_TOKENS_TO_STORE)
 68        .await?;
 69    Ok(access_token)
 70}
 71
 72fn hash_access_token(token: &str) -> tide::Result<String> {
 73    // Avoid slow hashing in debug mode.
 74    let params = if cfg!(debug_assertions) {
 75        scrypt::Params::new(1, 1, 1).unwrap()
 76    } else {
 77        scrypt::Params::recommended()
 78    };
 79
 80    Ok(Scrypt
 81        .hash_password(
 82            token.as_bytes(),
 83            None,
 84            params,
 85            &SaltString::generate(thread_rng()),
 86        )?
 87        .to_string())
 88}
 89
 90pub fn encrypt_access_token(access_token: &str, public_key: String) -> tide::Result<String> {
 91    let native_app_public_key =
 92        zed_auth::PublicKey::try_from(public_key).context("failed to parse app public key")?;
 93    let encrypted_access_token = native_app_public_key
 94        .encrypt_string(&access_token)
 95        .context("failed to encrypt access token with public key")?;
 96    Ok(encrypted_access_token)
 97}
 98
 99pub fn verify_access_token(token: &str, hash: &str) -> tide::Result<bool> {
100    let hash = PasswordHash::new(hash)?;
101    Ok(Scrypt.verify_password(token.as_bytes(), &hash).is_ok())
102}