1use crate::{
2 auth,
3 db::{User, UserId},
4 rpc, AppState, Error, Result,
5};
6use anyhow::anyhow;
7use axum::{
8 body::Body,
9 extract::{Path, Query},
10 http::{self, Request, StatusCode},
11 middleware::{self, Next},
12 response::IntoResponse,
13 routing::{get, post},
14 Extension, Json, Router,
15};
16use axum_extra::response::ErasedJson;
17use serde::{Deserialize, Serialize};
18use std::sync::Arc;
19use tower::ServiceBuilder;
20use tracing::instrument;
21
22pub fn routes(rpc_server: Arc<rpc::Server>, state: Arc<AppState>) -> Router<Body> {
23 Router::new()
24 .route("/user", get(get_authenticated_user))
25 .route("/users/:id/access_tokens", post(create_access_token))
26 .route("/panic", post(trace_panic))
27 .route("/rpc_server_snapshot", get(get_rpc_server_snapshot))
28 .layer(
29 ServiceBuilder::new()
30 .layer(Extension(state))
31 .layer(Extension(rpc_server))
32 .layer(middleware::from_fn(validate_api_token)),
33 )
34}
35
36pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
37 let token = req
38 .headers()
39 .get(http::header::AUTHORIZATION)
40 .and_then(|header| header.to_str().ok())
41 .ok_or_else(|| {
42 Error::Http(
43 StatusCode::BAD_REQUEST,
44 "missing authorization header".to_string(),
45 )
46 })?
47 .strip_prefix("token ")
48 .ok_or_else(|| {
49 Error::Http(
50 StatusCode::BAD_REQUEST,
51 "invalid authorization header".to_string(),
52 )
53 })?;
54
55 let state = req.extensions().get::<Arc<AppState>>().unwrap();
56
57 if token != state.config.api_token {
58 Err(Error::Http(
59 StatusCode::UNAUTHORIZED,
60 "invalid authorization token".to_string(),
61 ))?
62 }
63
64 Ok::<_, Error>(next.run(req).await)
65}
66
67#[derive(Debug, Deserialize)]
68struct AuthenticatedUserParams {
69 github_user_id: Option<i32>,
70 github_login: String,
71 github_email: Option<String>,
72}
73
74#[derive(Debug, Serialize)]
75struct AuthenticatedUserResponse {
76 user: User,
77 metrics_id: String,
78}
79
80async fn get_authenticated_user(
81 Query(params): Query<AuthenticatedUserParams>,
82 Extension(app): Extension<Arc<AppState>>,
83) -> Result<Json<AuthenticatedUserResponse>> {
84 let user = app
85 .db
86 .get_or_create_user_by_github_account(
87 ¶ms.github_login,
88 params.github_user_id,
89 params.github_email.as_deref(),
90 )
91 .await?
92 .ok_or_else(|| Error::Http(StatusCode::NOT_FOUND, "user not found".into()))?;
93 let metrics_id = app.db.get_user_metrics_id(user.id).await?;
94 return Ok(Json(AuthenticatedUserResponse { user, metrics_id }));
95}
96
97#[derive(Deserialize, Debug)]
98struct CreateUserParams {
99 github_user_id: i32,
100 github_login: String,
101 email_address: String,
102 email_confirmation_code: Option<String>,
103 #[serde(default)]
104 admin: bool,
105 #[serde(default)]
106 invite_count: i32,
107}
108
109#[derive(Serialize, Debug)]
110struct CreateUserResponse {
111 user: User,
112 signup_device_id: Option<String>,
113 metrics_id: String,
114}
115
116#[derive(Debug, Deserialize)]
117struct Panic {
118 version: String,
119 text: String,
120}
121
122#[instrument(skip(panic))]
123async fn trace_panic(panic: Json<Panic>) -> Result<()> {
124 tracing::error!(version = %panic.version, text = %panic.text, "panic report");
125 Ok(())
126}
127
128async fn get_rpc_server_snapshot(
129 Extension(rpc_server): Extension<Arc<rpc::Server>>,
130) -> Result<ErasedJson> {
131 Ok(ErasedJson::pretty(rpc_server.snapshot().await))
132}
133
134#[derive(Deserialize)]
135struct CreateAccessTokenQueryParams {
136 public_key: String,
137 impersonate: Option<String>,
138}
139
140#[derive(Serialize)]
141struct CreateAccessTokenResponse {
142 user_id: UserId,
143 encrypted_access_token: String,
144}
145
146async fn create_access_token(
147 Path(user_id): Path<UserId>,
148 Query(params): Query<CreateAccessTokenQueryParams>,
149 Extension(app): Extension<Arc<AppState>>,
150) -> Result<Json<CreateAccessTokenResponse>> {
151 let user = app
152 .db
153 .get_user_by_id(user_id)
154 .await?
155 .ok_or_else(|| anyhow!("user not found"))?;
156
157 let mut user_id = user.id;
158 if let Some(impersonate) = params.impersonate {
159 if user.admin {
160 if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
161 user_id = impersonated_user.id;
162 } else {
163 return Err(Error::Http(
164 StatusCode::UNPROCESSABLE_ENTITY,
165 format!("user {impersonate} does not exist"),
166 ));
167 }
168 } else {
169 return Err(Error::Http(
170 StatusCode::UNAUTHORIZED,
171 "you do not have permission to impersonate other users".to_string(),
172 ));
173 }
174 }
175
176 let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
177 let encrypted_access_token =
178 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
179
180 Ok(Json(CreateAccessTokenResponse {
181 user_id,
182 encrypted_access_token,
183 }))
184}