1use crate::{
  2    auth,
  3    db::{User, UserId},
  4    AppState, Error, Result,
  5};
  6use anyhow::anyhow;
  7use axum::{
  8    body::Body,
  9    extract::{Path, Query},
 10    http::{self, Request, StatusCode},
 11    middleware::{self, Next},
 12    response::IntoResponse,
 13    routing::{get, post, put},
 14    Extension, Json, Router,
 15};
 16use serde::{Deserialize, Serialize};
 17use std::sync::Arc;
 18use tower::ServiceBuilder;
 19
 20pub fn routes(state: Arc<AppState>) -> Router<Body> {
 21    Router::new()
 22        .route("/users", get(get_users).post(create_user))
 23        .route("/users/:id", put(update_user).delete(destroy_user))
 24        .route("/users/:gh_login", get(get_user))
 25        .route("/users/:gh_login/access_tokens", post(create_access_token))
 26        .layer(
 27            ServiceBuilder::new()
 28                .layer(Extension(state))
 29                .layer(middleware::from_fn(validate_api_token)),
 30        )
 31    // TODO: Compression on API routes?
 32}
 33
 34pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
 35    let token = req
 36        .headers()
 37        .get(http::header::AUTHORIZATION)
 38        .and_then(|header| header.to_str().ok())
 39        .ok_or_else(|| {
 40            Error::Http(
 41                StatusCode::BAD_REQUEST,
 42                "missing authorization header".to_string(),
 43            )
 44        })?
 45        .strip_prefix("token ")
 46        .ok_or_else(|| {
 47            Error::Http(
 48                StatusCode::BAD_REQUEST,
 49                "invalid authorization header".to_string(),
 50            )
 51        })?;
 52
 53    let state = req.extensions().get::<Arc<AppState>>().unwrap();
 54
 55    if token != state.api_token {
 56        Err(Error::Http(
 57            StatusCode::UNAUTHORIZED,
 58            "invalid authorization token".to_string(),
 59        ))?
 60    }
 61
 62    Ok::<_, Error>(next.run(req).await)
 63}
 64
 65async fn get_users(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<User>>> {
 66    let users = app.db.get_all_users().await?;
 67    Ok(Json(users))
 68}
 69
 70#[derive(Deserialize)]
 71struct CreateUserParams {
 72    github_login: String,
 73    admin: bool,
 74}
 75
 76async fn create_user(
 77    Json(params): Json<CreateUserParams>,
 78    Extension(app): Extension<Arc<AppState>>,
 79) -> Result<Json<User>> {
 80    let user_id = app
 81        .db
 82        .create_user(&params.github_login, params.admin)
 83        .await?;
 84
 85    let user = app
 86        .db
 87        .get_user_by_id(user_id)
 88        .await?
 89        .ok_or_else(|| anyhow!("couldn't find the user we just created"))?;
 90
 91    Ok(Json(user))
 92}
 93
 94#[derive(Deserialize)]
 95struct UpdateUserParams {
 96    admin: bool,
 97}
 98
 99async fn update_user(
100    Path(user_id): Path<i32>,
101    Json(params): Json<UpdateUserParams>,
102    Extension(app): Extension<Arc<AppState>>,
103) -> Result<()> {
104    app.db
105        .set_user_is_admin(UserId(user_id), params.admin)
106        .await?;
107    Ok(())
108}
109
110async fn destroy_user(
111    Path(user_id): Path<i32>,
112    Extension(app): Extension<Arc<AppState>>,
113) -> Result<()> {
114    app.db.destroy_user(UserId(user_id)).await?;
115    Ok(())
116}
117
118async fn get_user(
119    Path(login): Path<String>,
120    Extension(app): Extension<Arc<AppState>>,
121) -> Result<Json<User>> {
122    let user = app
123        .db
124        .get_user_by_github_login(&login)
125        .await?
126        .ok_or_else(|| anyhow!("user not found"))?;
127    Ok(Json(user))
128}
129
130#[derive(Deserialize)]
131struct CreateAccessTokenQueryParams {
132    public_key: String,
133    impersonate: Option<String>,
134}
135
136#[derive(Serialize)]
137struct CreateAccessTokenResponse {
138    user_id: UserId,
139    encrypted_access_token: String,
140}
141
142async fn create_access_token(
143    Path(login): Path<String>,
144    Query(params): Query<CreateAccessTokenQueryParams>,
145    Extension(app): Extension<Arc<AppState>>,
146) -> Result<Json<CreateAccessTokenResponse>> {
147    //     request.require_token().await?;
148
149    let user = app
150        .db
151        .get_user_by_github_login(&login)
152        .await?
153        .ok_or_else(|| anyhow!("user not found"))?;
154
155    let mut user_id = user.id;
156    if let Some(impersonate) = params.impersonate {
157        if user.admin {
158            if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
159                user_id = impersonated_user.id;
160            } else {
161                return Err(Error::Http(
162                    StatusCode::UNPROCESSABLE_ENTITY,
163                    format!("user {impersonate} does not exist"),
164                ));
165            }
166        } else {
167            return Err(Error::Http(
168                StatusCode::UNAUTHORIZED,
169                format!("you do not have permission to impersonate other users"),
170            ));
171        }
172    }
173
174    let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
175    let encrypted_access_token =
176        auth::encrypt_access_token(&access_token, params.public_key.clone())?;
177
178    Ok(Json(CreateAccessTokenResponse {
179        user_id,
180        encrypted_access_token,
181    }))
182}