1use crate::{
  2    auth,
  3    db::{User, UserId},
  4    AppState, Error, Result,
  5};
  6use anyhow::anyhow;
  7use axum::{
  8    body::Body,
  9    extract::{Path, Query},
 10    http::{self, Request, StatusCode},
 11    middleware::{self, Next},
 12    response::IntoResponse,
 13    routing::{get, post, put},
 14    Extension, Json, Router,
 15};
 16use serde::{Deserialize, Serialize};
 17use std::sync::Arc;
 18use tower::ServiceBuilder;
 19
 20pub fn routes(state: Arc<AppState>) -> Router<Body> {
 21    Router::new()
 22        .route("/users", get(get_users).post(create_user))
 23        .route("/users/:id", put(update_user).delete(destroy_user))
 24        .route("/users/:gh_login", get(get_user))
 25        .route("/users/:gh_login/access_tokens", post(create_access_token))
 26        .layer(
 27            ServiceBuilder::new()
 28                .layer(Extension(state))
 29                .layer(middleware::from_fn(validate_api_token)),
 30        )
 31}
 32
 33pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
 34    let token = req
 35        .headers()
 36        .get(http::header::AUTHORIZATION)
 37        .and_then(|header| header.to_str().ok())
 38        .ok_or_else(|| {
 39            Error::Http(
 40                StatusCode::BAD_REQUEST,
 41                "missing authorization header".to_string(),
 42            )
 43        })?
 44        .strip_prefix("token ")
 45        .ok_or_else(|| {
 46            Error::Http(
 47                StatusCode::BAD_REQUEST,
 48                "invalid authorization header".to_string(),
 49            )
 50        })?;
 51
 52    let state = req.extensions().get::<Arc<AppState>>().unwrap();
 53
 54    if token != state.api_token {
 55        Err(Error::Http(
 56            StatusCode::UNAUTHORIZED,
 57            "invalid authorization token".to_string(),
 58        ))?
 59    }
 60
 61    Ok::<_, Error>(next.run(req).await)
 62}
 63
 64async fn get_users(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<User>>> {
 65    let users = app.db.get_all_users().await?;
 66    Ok(Json(users))
 67}
 68
 69#[derive(Deserialize)]
 70struct CreateUserParams {
 71    github_login: String,
 72    admin: bool,
 73}
 74
 75async fn create_user(
 76    Json(params): Json<CreateUserParams>,
 77    Extension(app): Extension<Arc<AppState>>,
 78) -> Result<Json<User>> {
 79    let user_id = app
 80        .db
 81        .create_user(&params.github_login, params.admin)
 82        .await?;
 83
 84    let user = app
 85        .db
 86        .get_user_by_id(user_id)
 87        .await?
 88        .ok_or_else(|| anyhow!("couldn't find the user we just created"))?;
 89
 90    Ok(Json(user))
 91}
 92
 93#[derive(Deserialize)]
 94struct UpdateUserParams {
 95    admin: bool,
 96}
 97
 98async fn update_user(
 99    Path(user_id): Path<i32>,
100    Json(params): Json<UpdateUserParams>,
101    Extension(app): Extension<Arc<AppState>>,
102) -> Result<()> {
103    app.db
104        .set_user_is_admin(UserId(user_id), params.admin)
105        .await?;
106    Ok(())
107}
108
109async fn destroy_user(
110    Path(user_id): Path<i32>,
111    Extension(app): Extension<Arc<AppState>>,
112) -> Result<()> {
113    app.db.destroy_user(UserId(user_id)).await?;
114    Ok(())
115}
116
117async fn get_user(
118    Path(login): Path<String>,
119    Extension(app): Extension<Arc<AppState>>,
120) -> Result<Json<User>> {
121    let user = app
122        .db
123        .get_user_by_github_login(&login)
124        .await?
125        .ok_or_else(|| anyhow!("user not found"))?;
126    Ok(Json(user))
127}
128
129#[derive(Deserialize)]
130struct CreateAccessTokenQueryParams {
131    public_key: String,
132    impersonate: Option<String>,
133}
134
135#[derive(Serialize)]
136struct CreateAccessTokenResponse {
137    user_id: UserId,
138    encrypted_access_token: String,
139}
140
141async fn create_access_token(
142    Path(login): Path<String>,
143    Query(params): Query<CreateAccessTokenQueryParams>,
144    Extension(app): Extension<Arc<AppState>>,
145) -> Result<Json<CreateAccessTokenResponse>> {
146    //     request.require_token().await?;
147
148    let user = app
149        .db
150        .get_user_by_github_login(&login)
151        .await?
152        .ok_or_else(|| anyhow!("user not found"))?;
153
154    let mut user_id = user.id;
155    if let Some(impersonate) = params.impersonate {
156        if user.admin {
157            if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
158                user_id = impersonated_user.id;
159            } else {
160                return Err(Error::Http(
161                    StatusCode::UNPROCESSABLE_ENTITY,
162                    format!("user {impersonate} does not exist"),
163                ));
164            }
165        } else {
166            return Err(Error::Http(
167                StatusCode::UNAUTHORIZED,
168                format!("you do not have permission to impersonate other users"),
169            ));
170        }
171    }
172
173    let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
174    let encrypted_access_token =
175        auth::encrypt_access_token(&access_token, params.public_key.clone())?;
176
177    Ok(Json(CreateAccessTokenResponse {
178        user_id,
179        encrypted_access_token,
180    }))
181}