1use crate::{
2 auth,
3 db::{User, UserId},
4 rpc, AppState, Error, Result,
5};
6use anyhow::anyhow;
7use axum::{
8 body::Body,
9 extract::{Path, Query},
10 http::{self, Request, StatusCode},
11 middleware::{self, Next},
12 response::IntoResponse,
13 routing::{get, post},
14 Extension, Json, Router,
15};
16use axum_extra::response::ErasedJson;
17use serde::{Deserialize, Serialize};
18use std::sync::Arc;
19use tower::ServiceBuilder;
20use tracing::instrument;
21
22pub fn routes(rpc_server: Arc<rpc::Server>, state: Arc<AppState>) -> Router<Body> {
23 Router::new()
24 .route("/user", get(get_authenticated_user))
25 .route("/users/:id/access_tokens", post(create_access_token))
26 .route("/panic", post(trace_panic))
27 .route("/rpc_server_snapshot", get(get_rpc_server_snapshot))
28 .route("/contributors", get(get_contributors).post(add_contributor))
29 .layer(
30 ServiceBuilder::new()
31 .layer(Extension(state))
32 .layer(Extension(rpc_server))
33 .layer(middleware::from_fn(validate_api_token)),
34 )
35}
36
37pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
38 let token = req
39 .headers()
40 .get(http::header::AUTHORIZATION)
41 .and_then(|header| header.to_str().ok())
42 .ok_or_else(|| {
43 Error::Http(
44 StatusCode::BAD_REQUEST,
45 "missing authorization header".to_string(),
46 )
47 })?
48 .strip_prefix("token ")
49 .ok_or_else(|| {
50 Error::Http(
51 StatusCode::BAD_REQUEST,
52 "invalid authorization header".to_string(),
53 )
54 })?;
55
56 let state = req.extensions().get::<Arc<AppState>>().unwrap();
57
58 if token != state.config.api_token {
59 Err(Error::Http(
60 StatusCode::UNAUTHORIZED,
61 "invalid authorization token".to_string(),
62 ))?
63 }
64
65 Ok::<_, Error>(next.run(req).await)
66}
67
68#[derive(Debug, Deserialize)]
69struct AuthenticatedUserParams {
70 github_user_id: i32,
71 github_login: String,
72 github_email: Option<String>,
73}
74
75#[derive(Debug, Serialize)]
76struct AuthenticatedUserResponse {
77 user: User,
78 metrics_id: String,
79}
80
81async fn get_authenticated_user(
82 Query(params): Query<AuthenticatedUserParams>,
83 Extension(app): Extension<Arc<AppState>>,
84) -> Result<Json<AuthenticatedUserResponse>> {
85 let user = app
86 .db
87 .get_or_create_user_by_github_account(
88 ¶ms.github_login,
89 params.github_user_id,
90 params.github_email.as_deref(),
91 )
92 .await?;
93 let metrics_id = app.db.get_user_metrics_id(user.id).await?;
94 return Ok(Json(AuthenticatedUserResponse { user, metrics_id }));
95}
96
97#[derive(Deserialize, Debug)]
98struct CreateUserParams {
99 github_user_id: i32,
100 github_login: String,
101 email_address: String,
102 email_confirmation_code: Option<String>,
103 #[serde(default)]
104 admin: bool,
105 #[serde(default)]
106 invite_count: i32,
107}
108
109#[derive(Serialize, Debug)]
110struct CreateUserResponse {
111 user: User,
112 signup_device_id: Option<String>,
113 metrics_id: String,
114}
115
116#[derive(Debug, Deserialize)]
117struct Panic {
118 version: String,
119 release_channel: String,
120 backtrace_hash: String,
121 text: String,
122}
123
124#[instrument(skip(panic))]
125async fn trace_panic(panic: Json<Panic>) -> Result<()> {
126 tracing::error!(version = %panic.version, release_channel = %panic.release_channel, backtrace_hash = %panic.backtrace_hash, text = %panic.text, "panic report");
127 Ok(())
128}
129
130async fn get_rpc_server_snapshot(
131 Extension(rpc_server): Extension<Arc<rpc::Server>>,
132) -> Result<ErasedJson> {
133 Ok(ErasedJson::pretty(rpc_server.snapshot().await))
134}
135
136async fn get_contributors(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<String>>> {
137 Ok(Json(app.db.get_contributors().await?))
138}
139
140async fn add_contributor(
141 Json(params): Json<AuthenticatedUserParams>,
142 Extension(app): Extension<Arc<AppState>>,
143) -> Result<()> {
144 Ok(app
145 .db
146 .add_contributor(
147 ¶ms.github_login,
148 params.github_user_id,
149 params.github_email.as_deref(),
150 )
151 .await?)
152}
153
154#[derive(Deserialize)]
155struct CreateAccessTokenQueryParams {
156 public_key: String,
157 impersonate: Option<String>,
158}
159
160#[derive(Serialize)]
161struct CreateAccessTokenResponse {
162 user_id: UserId,
163 encrypted_access_token: String,
164}
165
166async fn create_access_token(
167 Path(user_id): Path<UserId>,
168 Query(params): Query<CreateAccessTokenQueryParams>,
169 Extension(app): Extension<Arc<AppState>>,
170) -> Result<Json<CreateAccessTokenResponse>> {
171 let user = app
172 .db
173 .get_user_by_id(user_id)
174 .await?
175 .ok_or_else(|| anyhow!("user not found"))?;
176
177 let mut impersonated_user_id = None;
178 if let Some(impersonate) = params.impersonate {
179 if user.admin {
180 if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
181 impersonated_user_id = Some(impersonated_user.id);
182 } else {
183 return Err(Error::Http(
184 StatusCode::UNPROCESSABLE_ENTITY,
185 format!("user {impersonate} does not exist"),
186 ));
187 }
188 } else {
189 return Err(Error::Http(
190 StatusCode::UNAUTHORIZED,
191 "you do not have permission to impersonate other users".to_string(),
192 ));
193 }
194 }
195
196 let access_token =
197 auth::create_access_token(app.db.as_ref(), user_id, impersonated_user_id).await?;
198 let encrypted_access_token =
199 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
200
201 Ok(Json(CreateAccessTokenResponse {
202 user_id: impersonated_user_id.unwrap_or(user_id),
203 encrypted_access_token,
204 }))
205}