1use crate::{
2 auth,
3 db::{User, UserId},
4 AppState, Error, Result,
5};
6use anyhow::anyhow;
7use axum::{
8 body::Body,
9 extract::{Path, Query},
10 http::{self, Request, StatusCode},
11 middleware::{self, Next},
12 response::IntoResponse,
13 routing::{get, post, put},
14 Extension, Json, Router,
15};
16use serde::{Deserialize, Serialize};
17use std::sync::Arc;
18use tower::ServiceBuilder;
19use tracing::instrument;
20
21pub fn routes(state: Arc<AppState>) -> Router<Body> {
22 Router::new()
23 .route("/users", get(get_users).post(create_user))
24 .route(
25 "/users/:id",
26 put(update_user).delete(destroy_user).get(get_user),
27 )
28 .route("/users/:id/access_tokens", post(create_access_token))
29 .route("/panic", post(trace_panic))
30 .layer(
31 ServiceBuilder::new()
32 .layer(Extension(state))
33 .layer(middleware::from_fn(validate_api_token)),
34 )
35 // TODO: Compression on API routes?
36}
37
38pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
39 let token = req
40 .headers()
41 .get(http::header::AUTHORIZATION)
42 .and_then(|header| header.to_str().ok())
43 .ok_or_else(|| {
44 Error::Http(
45 StatusCode::BAD_REQUEST,
46 "missing authorization header".to_string(),
47 )
48 })?
49 .strip_prefix("token ")
50 .ok_or_else(|| {
51 Error::Http(
52 StatusCode::BAD_REQUEST,
53 "invalid authorization header".to_string(),
54 )
55 })?;
56
57 let state = req.extensions().get::<Arc<AppState>>().unwrap();
58
59 if token != state.api_token {
60 Err(Error::Http(
61 StatusCode::UNAUTHORIZED,
62 "invalid authorization token".to_string(),
63 ))?
64 }
65
66 Ok::<_, Error>(next.run(req).await)
67}
68
69async fn get_users(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<User>>> {
70 let users = app.db.get_all_users().await?;
71 Ok(Json(users))
72}
73
74#[derive(Deserialize)]
75struct CreateUserParams {
76 github_login: String,
77 invite_code: Option<String>,
78 admin: bool,
79}
80
81async fn create_user(
82 Json(params): Json<CreateUserParams>,
83 Extension(app): Extension<Arc<AppState>>,
84) -> Result<Json<User>> {
85 let user = if let Some(invite_code) = params.invite_code {
86 let user_id = app
87 .db
88 .redeem_invite_code(&invite_code, ¶ms.github_login)
89 .await?
90 } else {
91 let user_id = app
92 .db
93 .create_user(¶ms.github_login, params.admin)
94 .await?;
95
96 let user = app
97 .db
98 .get_user_by_id(user_id)
99 .await?
100 .ok_or_else(|| anyhow!("couldn't find the user we just created"))?
101 };
102
103 Ok(Json(user))
104}
105
106#[derive(Deserialize)]
107struct UpdateUserParams {
108 admin: Option<bool>,
109 invite_count: Option<u32>,
110}
111
112async fn update_user(
113 Path(user_id): Path<i32>,
114 Json(params): Json<UpdateUserParams>,
115 Extension(app): Extension<Arc<AppState>>,
116) -> Result<()> {
117 if let Some(admin) = params.admin {
118 app.db.set_user_is_admin(UserId(user_id), admin).await?;
119 }
120
121 if let Some(invite_count) = params.invite_count {
122 app.db
123 .set_invite_count(UserId(user_id), invite_count)
124 .await?;
125 }
126
127 Ok(())
128}
129
130async fn destroy_user(
131 Path(user_id): Path<i32>,
132 Extension(app): Extension<Arc<AppState>>,
133) -> Result<()> {
134 app.db.destroy_user(UserId(user_id)).await?;
135 Ok(())
136}
137
138async fn get_user(
139 Path(login): Path<String>,
140 Extension(app): Extension<Arc<AppState>>,
141) -> Result<Json<User>> {
142 let user = app
143 .db
144 .get_user_by_github_login(&login)
145 .await?
146 .ok_or_else(|| Error::Http(StatusCode::NOT_FOUND, "User not found".to_string()))?;
147 Ok(Json(user))
148}
149
150#[derive(Debug, Deserialize)]
151struct Panic {
152 version: String,
153 text: String,
154}
155
156#[instrument(skip(panic))]
157async fn trace_panic(panic: Json<Panic>) -> Result<()> {
158 tracing::error!(version = %panic.version, text = %panic.text, "panic report");
159 Ok(())
160}
161
162#[derive(Deserialize)]
163struct CreateAccessTokenQueryParams {
164 public_key: String,
165 impersonate: Option<String>,
166}
167
168#[derive(Serialize)]
169struct CreateAccessTokenResponse {
170 user_id: UserId,
171 encrypted_access_token: String,
172}
173
174async fn create_access_token(
175 Path(login): Path<String>,
176 Query(params): Query<CreateAccessTokenQueryParams>,
177 Extension(app): Extension<Arc<AppState>>,
178) -> Result<Json<CreateAccessTokenResponse>> {
179 // request.require_token().await?;
180
181 let user = app
182 .db
183 .get_user_by_github_login(&login)
184 .await?
185 .ok_or_else(|| anyhow!("user not found"))?;
186
187 let mut user_id = user.id;
188 if let Some(impersonate) = params.impersonate {
189 if user.admin {
190 if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
191 user_id = impersonated_user.id;
192 } else {
193 return Err(Error::Http(
194 StatusCode::UNPROCESSABLE_ENTITY,
195 format!("user {impersonate} does not exist"),
196 ));
197 }
198 } else {
199 return Err(Error::Http(
200 StatusCode::UNAUTHORIZED,
201 format!("you do not have permission to impersonate other users"),
202 ));
203 }
204 }
205
206 let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
207 let encrypted_access_token =
208 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
209
210 Ok(Json(CreateAccessTokenResponse {
211 user_id,
212 encrypted_access_token,
213 }))
214}