1pub mod events;
2pub mod extensions;
3pub mod ips_file;
4pub mod slack;
5
6use crate::{
7 auth,
8 db::{ContributorSelector, User, UserId},
9 rpc, AppState, Error, Result,
10};
11use anyhow::anyhow;
12use axum::{
13 body::Body,
14 extract::{self, Path, Query},
15 http::{self, Request, StatusCode},
16 middleware::{self, Next},
17 response::IntoResponse,
18 routing::{get, post},
19 Extension, Json, Router,
20};
21use axum_extra::response::ErasedJson;
22use chrono::SecondsFormat;
23use serde::{Deserialize, Serialize};
24use std::sync::Arc;
25use tower::ServiceBuilder;
26
27pub use extensions::fetch_extensions_from_blob_store_periodically;
28
29pub fn routes(rpc_server: Option<Arc<rpc::Server>>, state: Arc<AppState>) -> Router<(), Body> {
30 Router::new()
31 .route("/user", get(get_authenticated_user))
32 .route("/users/:id/access_tokens", post(create_access_token))
33 .route("/rpc_server_snapshot", get(get_rpc_server_snapshot))
34 .route("/contributors", get(get_contributors).post(add_contributor))
35 .route("/contributor", get(check_is_contributor))
36 .layer(
37 ServiceBuilder::new()
38 .layer(Extension(state))
39 .layer(Extension(rpc_server))
40 .layer(middleware::from_fn(validate_api_token)),
41 )
42}
43
44pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
45 let token = req
46 .headers()
47 .get(http::header::AUTHORIZATION)
48 .and_then(|header| header.to_str().ok())
49 .ok_or_else(|| {
50 Error::Http(
51 StatusCode::BAD_REQUEST,
52 "missing authorization header".to_string(),
53 )
54 })?
55 .strip_prefix("token ")
56 .ok_or_else(|| {
57 Error::Http(
58 StatusCode::BAD_REQUEST,
59 "invalid authorization header".to_string(),
60 )
61 })?;
62
63 let state = req.extensions().get::<Arc<AppState>>().unwrap();
64
65 if token != state.config.api_token {
66 Err(Error::Http(
67 StatusCode::UNAUTHORIZED,
68 "invalid authorization token".to_string(),
69 ))?
70 }
71
72 Ok::<_, Error>(next.run(req).await)
73}
74
75#[derive(Debug, Deserialize)]
76struct AuthenticatedUserParams {
77 github_user_id: Option<i32>,
78 github_login: String,
79 github_email: Option<String>,
80}
81
82#[derive(Debug, Serialize)]
83struct AuthenticatedUserResponse {
84 user: User,
85 metrics_id: String,
86}
87
88async fn get_authenticated_user(
89 Query(params): Query<AuthenticatedUserParams>,
90 Extension(app): Extension<Arc<AppState>>,
91) -> Result<Json<AuthenticatedUserResponse>> {
92 let initial_channel_id = app.config.auto_join_channel_id;
93
94 let user = app
95 .db
96 .get_or_create_user_by_github_account(
97 ¶ms.github_login,
98 params.github_user_id,
99 params.github_email.as_deref(),
100 initial_channel_id,
101 )
102 .await?;
103 let metrics_id = app.db.get_user_metrics_id(user.id).await?;
104 return Ok(Json(AuthenticatedUserResponse { user, metrics_id }));
105}
106
107#[derive(Deserialize, Debug)]
108struct CreateUserParams {
109 github_user_id: i32,
110 github_login: String,
111 email_address: String,
112 email_confirmation_code: Option<String>,
113 #[serde(default)]
114 admin: bool,
115 #[serde(default)]
116 invite_count: i32,
117}
118
119async fn get_rpc_server_snapshot(
120 Extension(rpc_server): Extension<Option<Arc<rpc::Server>>>,
121) -> Result<ErasedJson> {
122 let Some(rpc_server) = rpc_server else {
123 return Err(Error::Internal(anyhow!("rpc server is not available")));
124 };
125
126 Ok(ErasedJson::pretty(rpc_server.snapshot().await))
127}
128
129async fn get_contributors(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<String>>> {
130 Ok(Json(app.db.get_contributors().await?))
131}
132
133#[derive(Debug, Deserialize)]
134struct CheckIsContributorParams {
135 github_user_id: Option<i32>,
136 github_login: Option<String>,
137}
138
139impl CheckIsContributorParams {
140 fn as_contributor_selector(self) -> Result<ContributorSelector> {
141 if let Some(github_user_id) = self.github_user_id {
142 return Ok(ContributorSelector::GitHubUserId { github_user_id });
143 }
144
145 if let Some(github_login) = self.github_login {
146 return Ok(ContributorSelector::GitHubLogin { github_login });
147 }
148
149 Err(anyhow!(
150 "must be one of `github_user_id` or `github_login`."
151 ))?
152 }
153}
154
155#[derive(Debug, Serialize)]
156struct CheckIsContributorResponse {
157 signed_at: Option<String>,
158}
159
160async fn check_is_contributor(
161 Extension(app): Extension<Arc<AppState>>,
162 Query(params): Query<CheckIsContributorParams>,
163) -> Result<Json<CheckIsContributorResponse>> {
164 let params = params.as_contributor_selector()?;
165 Ok(Json(CheckIsContributorResponse {
166 signed_at: app
167 .db
168 .get_contributor_sign_timestamp(¶ms)
169 .await?
170 .map(|ts| ts.and_utc().to_rfc3339_opts(SecondsFormat::Millis, true)),
171 }))
172}
173
174async fn add_contributor(
175 Extension(app): Extension<Arc<AppState>>,
176 extract::Json(params): extract::Json<AuthenticatedUserParams>,
177) -> Result<()> {
178 let initial_channel_id = app.config.auto_join_channel_id;
179 app.db
180 .add_contributor(
181 ¶ms.github_login,
182 params.github_user_id,
183 params.github_email.as_deref(),
184 initial_channel_id,
185 )
186 .await
187}
188
189#[derive(Deserialize)]
190struct CreateAccessTokenQueryParams {
191 public_key: String,
192 impersonate: Option<String>,
193}
194
195#[derive(Serialize)]
196struct CreateAccessTokenResponse {
197 user_id: UserId,
198 encrypted_access_token: String,
199}
200
201async fn create_access_token(
202 Path(user_id): Path<UserId>,
203 Query(params): Query<CreateAccessTokenQueryParams>,
204 Extension(app): Extension<Arc<AppState>>,
205) -> Result<Json<CreateAccessTokenResponse>> {
206 let user = app
207 .db
208 .get_user_by_id(user_id)
209 .await?
210 .ok_or_else(|| anyhow!("user not found"))?;
211
212 let mut impersonated_user_id = None;
213 if let Some(impersonate) = params.impersonate {
214 if user.admin {
215 if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
216 impersonated_user_id = Some(impersonated_user.id);
217 } else {
218 return Err(Error::Http(
219 StatusCode::UNPROCESSABLE_ENTITY,
220 format!("user {impersonate} does not exist"),
221 ));
222 }
223 } else {
224 return Err(Error::Http(
225 StatusCode::UNAUTHORIZED,
226 "you do not have permission to impersonate other users".to_string(),
227 ));
228 }
229 }
230
231 let access_token =
232 auth::create_access_token(app.db.as_ref(), user_id, impersonated_user_id).await?;
233 let encrypted_access_token =
234 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
235
236 Ok(Json(CreateAccessTokenResponse {
237 user_id: impersonated_user_id.unwrap_or(user_id),
238 encrypted_access_token,
239 }))
240}