1use crate::{
2 auth,
3 db::{User, UserId},
4 AppState, Error, Result,
5};
6use anyhow::anyhow;
7use axum::{
8 body::Body,
9 extract::{Path, Query},
10 http::{self, Request, StatusCode},
11 middleware::{self, Next},
12 response::IntoResponse,
13 routing::{get, post, put},
14 Extension, Json, Router,
15};
16use serde::{Deserialize, Serialize};
17use std::sync::Arc;
18use tower::ServiceBuilder;
19use tracing::instrument;
20
21pub fn routes(state: Arc<AppState>) -> Router<Body> {
22 Router::new()
23 .route("/users", get(get_users).post(create_user))
24 .route(
25 "/users/:id",
26 put(update_user).delete(destroy_user).get(get_user),
27 )
28 .route("/users/:id/access_tokens", post(create_access_token))
29 .route("/panic", post(trace_panic))
30 .layer(
31 ServiceBuilder::new()
32 .layer(Extension(state))
33 .layer(middleware::from_fn(validate_api_token)),
34 )
35 // TODO: Compression on API routes?
36}
37
38pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
39 let token = req
40 .headers()
41 .get(http::header::AUTHORIZATION)
42 .and_then(|header| header.to_str().ok())
43 .ok_or_else(|| {
44 Error::Http(
45 StatusCode::BAD_REQUEST,
46 "missing authorization header".to_string(),
47 )
48 })?
49 .strip_prefix("token ")
50 .ok_or_else(|| {
51 Error::Http(
52 StatusCode::BAD_REQUEST,
53 "invalid authorization header".to_string(),
54 )
55 })?;
56
57 let state = req.extensions().get::<Arc<AppState>>().unwrap();
58
59 if token != state.api_token {
60 Err(Error::Http(
61 StatusCode::UNAUTHORIZED,
62 "invalid authorization token".to_string(),
63 ))?
64 }
65
66 Ok::<_, Error>(next.run(req).await)
67}
68
69async fn get_users(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<User>>> {
70 let users = app.db.get_all_users().await?;
71 Ok(Json(users))
72}
73
74#[derive(Deserialize)]
75struct CreateUserParams {
76 github_login: String,
77 invite_code: Option<String>,
78 admin: bool,
79}
80
81async fn create_user(
82 Json(params): Json<CreateUserParams>,
83 Extension(app): Extension<Arc<AppState>>,
84) -> Result<Json<User>> {
85 let user_id = if let Some(invite_code) = params.invite_code {
86 app.db
87 .redeem_invite_code(&invite_code, ¶ms.github_login)
88 .await?
89 } else {
90 app.db
91 .create_user(¶ms.github_login, params.admin)
92 .await?
93 };
94
95 let user = app
96 .db
97 .get_user_by_id(user_id)
98 .await?
99 .ok_or_else(|| anyhow!("couldn't find the user we just created"))?;
100
101 Ok(Json(user))
102}
103
104#[derive(Deserialize)]
105struct UpdateUserParams {
106 admin: Option<bool>,
107 invite_count: Option<u32>,
108}
109
110async fn update_user(
111 Path(user_id): Path<i32>,
112 Json(params): Json<UpdateUserParams>,
113 Extension(app): Extension<Arc<AppState>>,
114) -> Result<()> {
115 if let Some(admin) = params.admin {
116 app.db.set_user_is_admin(UserId(user_id), admin).await?;
117 }
118
119 if let Some(invite_count) = params.invite_count {
120 app.db
121 .set_invite_count(UserId(user_id), invite_count)
122 .await?;
123 }
124
125 Ok(())
126}
127
128async fn destroy_user(
129 Path(user_id): Path<i32>,
130 Extension(app): Extension<Arc<AppState>>,
131) -> Result<()> {
132 app.db.destroy_user(UserId(user_id)).await?;
133 Ok(())
134}
135
136async fn get_user(
137 Path(login): Path<String>,
138 Extension(app): Extension<Arc<AppState>>,
139) -> Result<Json<User>> {
140 let user = app
141 .db
142 .get_user_by_github_login(&login)
143 .await?
144 .ok_or_else(|| Error::Http(StatusCode::NOT_FOUND, "User not found".to_string()))?;
145 Ok(Json(user))
146}
147
148#[derive(Debug, Deserialize)]
149struct Panic {
150 version: String,
151 text: String,
152}
153
154#[instrument(skip(panic))]
155async fn trace_panic(panic: Json<Panic>) -> Result<()> {
156 tracing::error!(version = %panic.version, text = %panic.text, "panic report");
157 Ok(())
158}
159
160#[derive(Deserialize)]
161struct CreateAccessTokenQueryParams {
162 public_key: String,
163 impersonate: Option<String>,
164}
165
166#[derive(Serialize)]
167struct CreateAccessTokenResponse {
168 user_id: UserId,
169 encrypted_access_token: String,
170}
171
172async fn create_access_token(
173 Path(login): Path<String>,
174 Query(params): Query<CreateAccessTokenQueryParams>,
175 Extension(app): Extension<Arc<AppState>>,
176) -> Result<Json<CreateAccessTokenResponse>> {
177 // request.require_token().await?;
178
179 let user = app
180 .db
181 .get_user_by_github_login(&login)
182 .await?
183 .ok_or_else(|| anyhow!("user not found"))?;
184
185 let mut user_id = user.id;
186 if let Some(impersonate) = params.impersonate {
187 if user.admin {
188 if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
189 user_id = impersonated_user.id;
190 } else {
191 return Err(Error::Http(
192 StatusCode::UNPROCESSABLE_ENTITY,
193 format!("user {impersonate} does not exist"),
194 ));
195 }
196 } else {
197 return Err(Error::Http(
198 StatusCode::UNAUTHORIZED,
199 format!("you do not have permission to impersonate other users"),
200 ));
201 }
202 }
203
204 let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
205 let encrypted_access_token =
206 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
207
208 Ok(Json(CreateAccessTokenResponse {
209 user_id,
210 encrypted_access_token,
211 }))
212}