1use crate::{
2 auth,
3 db::{User, UserId},
4 AppState, Error, Result,
5};
6use anyhow::anyhow;
7use axum::{
8 body::Body,
9 extract::{Path, Query},
10 http::{self, Request, StatusCode},
11 middleware::{self, Next},
12 response::IntoResponse,
13 routing::{get, post, put},
14 Extension, Json, Router,
15};
16use serde::{Deserialize, Serialize};
17use std::sync::Arc;
18use tower::ServiceBuilder;
19use tracing::instrument;
20
21pub fn routes(state: Arc<AppState>) -> Router<Body> {
22 Router::new()
23 .route("/users", get(get_users).post(create_user))
24 .route(
25 "/users/:id",
26 put(update_user).delete(destroy_user).get(get_user),
27 )
28 .route("/users/:id/access_tokens", post(create_access_token))
29 .route("/panic", post(trace_panic))
30 .layer(
31 ServiceBuilder::new()
32 .layer(Extension(state))
33 .layer(middleware::from_fn(validate_api_token)),
34 )
35 // TODO: Compression on API routes?
36}
37
38pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
39 let token = req
40 .headers()
41 .get(http::header::AUTHORIZATION)
42 .and_then(|header| header.to_str().ok())
43 .ok_or_else(|| {
44 Error::Http(
45 StatusCode::BAD_REQUEST,
46 "missing authorization header".to_string(),
47 )
48 })?
49 .strip_prefix("token ")
50 .ok_or_else(|| {
51 Error::Http(
52 StatusCode::BAD_REQUEST,
53 "invalid authorization header".to_string(),
54 )
55 })?;
56
57 let state = req.extensions().get::<Arc<AppState>>().unwrap();
58
59 if token != state.api_token {
60 Err(Error::Http(
61 StatusCode::UNAUTHORIZED,
62 "invalid authorization token".to_string(),
63 ))?
64 }
65
66 Ok::<_, Error>(next.run(req).await)
67}
68
69async fn get_users(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<User>>> {
70 let users = app.db.get_all_users().await?;
71 Ok(Json(users))
72}
73
74#[derive(Deserialize)]
75struct CreateUserParams {
76 github_login: String,
77 admin: bool,
78}
79
80async fn create_user(
81 Json(params): Json<CreateUserParams>,
82 Extension(app): Extension<Arc<AppState>>,
83) -> Result<Json<User>> {
84 let user_id = app
85 .db
86 .create_user(¶ms.github_login, params.admin)
87 .await?;
88
89 let user = app
90 .db
91 .get_user_by_id(user_id)
92 .await?
93 .ok_or_else(|| anyhow!("couldn't find the user we just created"))?;
94
95 Ok(Json(user))
96}
97
98#[derive(Deserialize)]
99struct UpdateUserParams {
100 admin: Option<bool>,
101 invite_count: Option<u32>,
102}
103
104async fn update_user(
105 Path(user_id): Path<i32>,
106 Json(params): Json<UpdateUserParams>,
107 Extension(app): Extension<Arc<AppState>>,
108) -> Result<()> {
109 if let Some(admin) = params.admin {
110 app.db.set_user_is_admin(UserId(user_id), admin).await?;
111 }
112
113 if let Some(invite_count) = params.invite_count {
114 app.db
115 .set_invite_count(UserId(user_id), invite_count)
116 .await?;
117 }
118
119 Ok(())
120}
121
122async fn destroy_user(
123 Path(user_id): Path<i32>,
124 Extension(app): Extension<Arc<AppState>>,
125) -> Result<()> {
126 app.db.destroy_user(UserId(user_id)).await?;
127 Ok(())
128}
129
130async fn get_user(
131 Path(login): Path<String>,
132 Extension(app): Extension<Arc<AppState>>,
133) -> Result<Json<User>> {
134 let user = app
135 .db
136 .get_user_by_github_login(&login)
137 .await?
138 .ok_or_else(|| anyhow!("user not found"))?;
139 Ok(Json(user))
140}
141
142#[derive(Debug, Deserialize)]
143struct Panic {
144 version: String,
145 text: String,
146}
147
148#[instrument(skip(panic))]
149async fn trace_panic(panic: Json<Panic>) -> Result<()> {
150 tracing::error!(version = %panic.version, text = %panic.text, "panic report");
151 Ok(())
152}
153
154#[derive(Deserialize)]
155struct CreateAccessTokenQueryParams {
156 public_key: String,
157 impersonate: Option<String>,
158}
159
160#[derive(Serialize)]
161struct CreateAccessTokenResponse {
162 user_id: UserId,
163 encrypted_access_token: String,
164}
165
166async fn create_access_token(
167 Path(login): Path<String>,
168 Query(params): Query<CreateAccessTokenQueryParams>,
169 Extension(app): Extension<Arc<AppState>>,
170) -> Result<Json<CreateAccessTokenResponse>> {
171 // request.require_token().await?;
172
173 let user = app
174 .db
175 .get_user_by_github_login(&login)
176 .await?
177 .ok_or_else(|| anyhow!("user not found"))?;
178
179 let mut user_id = user.id;
180 if let Some(impersonate) = params.impersonate {
181 if user.admin {
182 if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
183 user_id = impersonated_user.id;
184 } else {
185 return Err(Error::Http(
186 StatusCode::UNPROCESSABLE_ENTITY,
187 format!("user {impersonate} does not exist"),
188 ));
189 }
190 } else {
191 return Err(Error::Http(
192 StatusCode::UNAUTHORIZED,
193 format!("you do not have permission to impersonate other users"),
194 ));
195 }
196 }
197
198 let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
199 let encrypted_access_token =
200 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
201
202 Ok(Json(CreateAccessTokenResponse {
203 user_id,
204 encrypted_access_token,
205 }))
206}