1use crate::{
2 auth,
3 db::{User, UserId},
4 rpc::{self, ResultExt},
5 AppState, Error, Result,
6};
7use anyhow::anyhow;
8use axum::{
9 body::Body,
10 extract::{Path, Query},
11 http::{self, Request, StatusCode},
12 middleware::{self, Next},
13 response::IntoResponse,
14 routing::{get, post, put},
15 Extension, Json, Router,
16};
17use axum_extra::response::ErasedJson;
18use serde::{Deserialize, Serialize};
19use std::sync::Arc;
20use tower::ServiceBuilder;
21use tracing::instrument;
22
23pub fn routes(rpc_server: &Arc<rpc::Server>, state: Arc<AppState>) -> Router<Body> {
24 Router::new()
25 .route("/users", get(get_users).post(create_user))
26 .route(
27 "/users/:id",
28 put(update_user).delete(destroy_user).get(get_user),
29 )
30 .route("/users/:id/access_tokens", post(create_access_token))
31 .route("/bulk_users", post(create_users))
32 .route("/invite_codes/:code", get(get_user_for_invite_code))
33 .route("/panic", post(trace_panic))
34 .route("/rpc_server_snapshot", get(get_rpc_server_snapshot))
35 .layer(
36 ServiceBuilder::new()
37 .layer(Extension(state))
38 .layer(Extension(rpc_server.clone()))
39 .layer(middleware::from_fn(validate_api_token)),
40 )
41}
42
43pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
44 let token = req
45 .headers()
46 .get(http::header::AUTHORIZATION)
47 .and_then(|header| header.to_str().ok())
48 .ok_or_else(|| {
49 Error::Http(
50 StatusCode::BAD_REQUEST,
51 "missing authorization header".to_string(),
52 )
53 })?
54 .strip_prefix("token ")
55 .ok_or_else(|| {
56 Error::Http(
57 StatusCode::BAD_REQUEST,
58 "invalid authorization header".to_string(),
59 )
60 })?;
61
62 let state = req.extensions().get::<Arc<AppState>>().unwrap();
63
64 if token != state.api_token {
65 Err(Error::Http(
66 StatusCode::UNAUTHORIZED,
67 "invalid authorization token".to_string(),
68 ))?
69 }
70
71 Ok::<_, Error>(next.run(req).await)
72}
73
74async fn get_users(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<User>>> {
75 let users = app.db.get_all_users().await?;
76 Ok(Json(users))
77}
78
79#[derive(Deserialize, Debug)]
80struct CreateUserParams {
81 github_login: String,
82 invite_code: Option<String>,
83 email_address: Option<String>,
84 admin: bool,
85}
86
87async fn create_user(
88 Json(params): Json<CreateUserParams>,
89 Extension(app): Extension<Arc<AppState>>,
90 Extension(rpc_server): Extension<Arc<rpc::Server>>,
91) -> Result<Json<User>> {
92 let user_id = if let Some(invite_code) = params.invite_code {
93 let invitee_id = app
94 .db
95 .redeem_invite_code(
96 &invite_code,
97 ¶ms.github_login,
98 params.email_address.as_deref(),
99 )
100 .await?;
101 rpc_server
102 .invite_code_redeemed(&invite_code, invitee_id)
103 .await
104 .trace_err();
105 invitee_id
106 } else {
107 app.db
108 .create_user(
109 ¶ms.github_login,
110 params.email_address.as_deref(),
111 params.admin,
112 )
113 .await?
114 };
115
116 let user = app
117 .db
118 .get_user_by_id(user_id)
119 .await?
120 .ok_or_else(|| anyhow!("couldn't find the user we just created"))?;
121
122 Ok(Json(user))
123}
124
125#[derive(Deserialize)]
126struct UpdateUserParams {
127 admin: Option<bool>,
128 invite_count: Option<u32>,
129}
130
131async fn update_user(
132 Path(user_id): Path<i32>,
133 Json(params): Json<UpdateUserParams>,
134 Extension(app): Extension<Arc<AppState>>,
135 Extension(rpc_server): Extension<Arc<rpc::Server>>,
136) -> Result<()> {
137 let user_id = UserId(user_id);
138
139 if let Some(admin) = params.admin {
140 app.db.set_user_is_admin(user_id, admin).await?;
141 }
142
143 if let Some(invite_count) = params.invite_count {
144 app.db.set_invite_count(user_id, invite_count).await?;
145 rpc_server.invite_count_updated(user_id).await.trace_err();
146 }
147
148 Ok(())
149}
150
151async fn destroy_user(
152 Path(user_id): Path<i32>,
153 Extension(app): Extension<Arc<AppState>>,
154) -> Result<()> {
155 app.db.destroy_user(UserId(user_id)).await?;
156 Ok(())
157}
158
159async fn get_user(
160 Path(login): Path<String>,
161 Extension(app): Extension<Arc<AppState>>,
162) -> Result<Json<User>> {
163 let user = app
164 .db
165 .get_user_by_github_login(&login)
166 .await?
167 .ok_or_else(|| Error::Http(StatusCode::NOT_FOUND, "User not found".to_string()))?;
168 Ok(Json(user))
169}
170
171#[derive(Deserialize)]
172struct CreateUsersParams {
173 users: Vec<CreateUsersEntry>,
174}
175
176#[derive(Deserialize)]
177struct CreateUsersEntry {
178 github_login: String,
179 email_address: String,
180 invite_count: usize,
181}
182
183async fn create_users(
184 Json(params): Json<CreateUsersParams>,
185 Extension(app): Extension<Arc<AppState>>,
186) -> Result<Json<Vec<User>>> {
187 let user_ids = app
188 .db
189 .create_users(
190 params
191 .users
192 .into_iter()
193 .map(|params| {
194 (
195 params.github_login,
196 params.email_address,
197 params.invite_count,
198 )
199 })
200 .collect(),
201 )
202 .await?;
203 let users = app.db.get_users_by_ids(user_ids).await?;
204 Ok(Json(users))
205}
206
207#[derive(Debug, Deserialize)]
208struct Panic {
209 version: String,
210 text: String,
211}
212
213#[instrument(skip(panic))]
214async fn trace_panic(panic: Json<Panic>) -> Result<()> {
215 tracing::error!(version = %panic.version, text = %panic.text, "panic report");
216 Ok(())
217}
218
219async fn get_rpc_server_snapshot(
220 Extension(rpc_server): Extension<Arc<rpc::Server>>,
221) -> Result<ErasedJson> {
222 Ok(ErasedJson::pretty(rpc_server.snapshot().await))
223}
224
225#[derive(Deserialize)]
226struct CreateAccessTokenQueryParams {
227 public_key: String,
228 impersonate: Option<String>,
229}
230
231#[derive(Serialize)]
232struct CreateAccessTokenResponse {
233 user_id: UserId,
234 encrypted_access_token: String,
235}
236
237async fn create_access_token(
238 Path(login): Path<String>,
239 Query(params): Query<CreateAccessTokenQueryParams>,
240 Extension(app): Extension<Arc<AppState>>,
241) -> Result<Json<CreateAccessTokenResponse>> {
242 // request.require_token().await?;
243
244 let user = app
245 .db
246 .get_user_by_github_login(&login)
247 .await?
248 .ok_or_else(|| anyhow!("user not found"))?;
249
250 let mut user_id = user.id;
251 if let Some(impersonate) = params.impersonate {
252 if user.admin {
253 if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
254 user_id = impersonated_user.id;
255 } else {
256 return Err(Error::Http(
257 StatusCode::UNPROCESSABLE_ENTITY,
258 format!("user {impersonate} does not exist"),
259 ));
260 }
261 } else {
262 return Err(Error::Http(
263 StatusCode::UNAUTHORIZED,
264 format!("you do not have permission to impersonate other users"),
265 ));
266 }
267 }
268
269 let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
270 let encrypted_access_token =
271 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
272
273 Ok(Json(CreateAccessTokenResponse {
274 user_id,
275 encrypted_access_token,
276 }))
277}
278
279async fn get_user_for_invite_code(
280 Path(code): Path<String>,
281 Extension(app): Extension<Arc<AppState>>,
282) -> Result<Json<User>> {
283 Ok(Json(app.db.get_user_for_invite_code(&code).await?))
284}