1use crate::{
2 auth,
3 db::{Invite, NewUserParams, ProjectId, Signup, User, UserId, WaitlistSummary},
4 rpc::{self, ResultExt},
5 AppState, Error, Result,
6};
7use anyhow::anyhow;
8use axum::{
9 body::Body,
10 extract::{Path, Query},
11 http::{self, Request, StatusCode},
12 middleware::{self, Next},
13 response::IntoResponse,
14 routing::{get, post, put},
15 Extension, Json, Router,
16};
17use axum_extra::response::ErasedJson;
18use serde::{Deserialize, Serialize};
19use serde_json::json;
20use std::{sync::Arc, time::Duration};
21use time::OffsetDateTime;
22use tower::ServiceBuilder;
23use tracing::instrument;
24
25pub fn routes(rpc_server: &Arc<rpc::Server>, state: Arc<AppState>) -> Router<Body> {
26 Router::new()
27 .route("/user", get(get_authenticated_user))
28 .route("/users", get(get_users).post(create_user))
29 .route("/users/:id", put(update_user).delete(destroy_user))
30 .route("/users/:id/access_tokens", post(create_access_token))
31 .route("/users_with_no_invites", get(get_users_with_no_invites))
32 .route("/invite_codes/:code", get(get_user_for_invite_code))
33 .route("/panic", post(trace_panic))
34 .route("/rpc_server_snapshot", get(get_rpc_server_snapshot))
35 .route(
36 "/user_activity/summary",
37 get(get_top_users_activity_summary),
38 )
39 .route(
40 "/user_activity/timeline/:user_id",
41 get(get_user_activity_timeline),
42 )
43 .route("/user_activity/counts", get(get_active_user_counts))
44 .route("/project_metadata", get(get_project_metadata))
45 .route("/signups", post(create_signup))
46 .route("/signups_summary", get(get_waitlist_summary))
47 .route("/user_invites", post(create_invite_from_code))
48 .route("/unsent_invites", get(get_unsent_invites))
49 .route("/sent_invites", post(record_sent_invites))
50 .layer(
51 ServiceBuilder::new()
52 .layer(Extension(state))
53 .layer(Extension(rpc_server.clone()))
54 .layer(middleware::from_fn(validate_api_token)),
55 )
56}
57
58pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
59 let token = req
60 .headers()
61 .get(http::header::AUTHORIZATION)
62 .and_then(|header| header.to_str().ok())
63 .ok_or_else(|| {
64 Error::Http(
65 StatusCode::BAD_REQUEST,
66 "missing authorization header".to_string(),
67 )
68 })?
69 .strip_prefix("token ")
70 .ok_or_else(|| {
71 Error::Http(
72 StatusCode::BAD_REQUEST,
73 "invalid authorization header".to_string(),
74 )
75 })?;
76
77 let state = req.extensions().get::<Arc<AppState>>().unwrap();
78
79 if token != state.api_token {
80 Err(Error::Http(
81 StatusCode::UNAUTHORIZED,
82 "invalid authorization token".to_string(),
83 ))?
84 }
85
86 Ok::<_, Error>(next.run(req).await)
87}
88
89#[derive(Debug, Deserialize)]
90struct AuthenticatedUserParams {
91 github_user_id: i32,
92 github_login: String,
93}
94
95#[derive(Debug, Serialize)]
96struct AuthenticatedUserResponse {
97 user: User,
98 metrics_id: String,
99}
100
101async fn get_authenticated_user(
102 Query(params): Query<AuthenticatedUserParams>,
103 Extension(app): Extension<Arc<AppState>>,
104) -> Result<Json<AuthenticatedUserResponse>> {
105 let user = app
106 .db
107 .get_user_by_github_account(¶ms.github_login, Some(params.github_user_id))
108 .await?
109 .ok_or_else(|| Error::Http(StatusCode::NOT_FOUND, "user not found".into()))?;
110 let metrics_id = app.db.get_user_metrics_id(user.id).await?;
111 return Ok(Json(AuthenticatedUserResponse { user, metrics_id }));
112}
113
114#[derive(Debug, Deserialize)]
115struct GetUsersQueryParams {
116 query: Option<String>,
117 page: Option<u32>,
118 limit: Option<u32>,
119}
120
121async fn get_users(
122 Query(params): Query<GetUsersQueryParams>,
123 Extension(app): Extension<Arc<AppState>>,
124) -> Result<Json<Vec<User>>> {
125 let limit = params.limit.unwrap_or(100);
126 let users = if let Some(query) = params.query {
127 app.db.fuzzy_search_users(&query, limit).await?
128 } else {
129 app.db
130 .get_all_users(params.page.unwrap_or(0), limit)
131 .await?
132 };
133 Ok(Json(users))
134}
135
136#[derive(Deserialize, Debug)]
137struct CreateUserParams {
138 github_user_id: i32,
139 github_login: String,
140 email_address: String,
141 email_confirmation_code: Option<String>,
142 #[serde(default)]
143 admin: bool,
144 #[serde(default)]
145 invite_count: i32,
146}
147
148#[derive(Serialize, Debug)]
149struct CreateUserResponse {
150 user: User,
151 signup_device_id: Option<String>,
152 metrics_id: String,
153}
154
155async fn create_user(
156 Json(params): Json<CreateUserParams>,
157 Extension(app): Extension<Arc<AppState>>,
158 Extension(rpc_server): Extension<Arc<rpc::Server>>,
159) -> Result<Json<CreateUserResponse>> {
160 let user = NewUserParams {
161 github_login: params.github_login,
162 github_user_id: params.github_user_id,
163 invite_count: params.invite_count,
164 };
165
166 // Creating a user via the normal signup process
167 let result = if let Some(email_confirmation_code) = params.email_confirmation_code {
168 app.db
169 .create_user_from_invite(
170 &Invite {
171 email_address: params.email_address,
172 email_confirmation_code,
173 },
174 user,
175 )
176 .await?
177 }
178 // Creating a user as an admin
179 else if params.admin {
180 app.db
181 .create_user(¶ms.email_address, false, user)
182 .await?
183 } else {
184 Err(Error::Http(
185 StatusCode::UNPROCESSABLE_ENTITY,
186 "email confirmation code is required".into(),
187 ))?
188 };
189
190 if let Some(inviter_id) = result.inviting_user_id {
191 rpc_server
192 .invite_code_redeemed(inviter_id, result.user_id)
193 .await
194 .trace_err();
195 }
196
197 let user = app
198 .db
199 .get_user_by_id(result.user_id)
200 .await?
201 .ok_or_else(|| anyhow!("couldn't find the user we just created"))?;
202
203 Ok(Json(CreateUserResponse {
204 user,
205 metrics_id: result.metrics_id,
206 signup_device_id: result.signup_device_id,
207 }))
208}
209
210#[derive(Deserialize)]
211struct UpdateUserParams {
212 admin: Option<bool>,
213 invite_count: Option<u32>,
214}
215
216async fn update_user(
217 Path(user_id): Path<i32>,
218 Json(params): Json<UpdateUserParams>,
219 Extension(app): Extension<Arc<AppState>>,
220 Extension(rpc_server): Extension<Arc<rpc::Server>>,
221) -> Result<()> {
222 let user_id = UserId(user_id);
223
224 if let Some(admin) = params.admin {
225 app.db.set_user_is_admin(user_id, admin).await?;
226 }
227
228 if let Some(invite_count) = params.invite_count {
229 app.db
230 .set_invite_count_for_user(user_id, invite_count)
231 .await?;
232 rpc_server.invite_count_updated(user_id).await.trace_err();
233 }
234
235 Ok(())
236}
237
238async fn destroy_user(
239 Path(user_id): Path<i32>,
240 Extension(app): Extension<Arc<AppState>>,
241) -> Result<()> {
242 app.db.destroy_user(UserId(user_id)).await?;
243 Ok(())
244}
245
246#[derive(Debug, Deserialize)]
247struct GetUsersWithNoInvites {
248 invited_by_another_user: bool,
249}
250
251async fn get_users_with_no_invites(
252 Query(params): Query<GetUsersWithNoInvites>,
253 Extension(app): Extension<Arc<AppState>>,
254) -> Result<Json<Vec<User>>> {
255 Ok(Json(
256 app.db
257 .get_users_with_no_invites(params.invited_by_another_user)
258 .await?,
259 ))
260}
261
262#[derive(Debug, Deserialize)]
263struct Panic {
264 version: String,
265 text: String,
266}
267
268#[instrument(skip(panic))]
269async fn trace_panic(panic: Json<Panic>) -> Result<()> {
270 tracing::error!(version = %panic.version, text = %panic.text, "panic report");
271 Ok(())
272}
273
274async fn get_rpc_server_snapshot(
275 Extension(rpc_server): Extension<Arc<rpc::Server>>,
276) -> Result<ErasedJson> {
277 Ok(ErasedJson::pretty(rpc_server.snapshot().await))
278}
279
280#[derive(Deserialize)]
281struct TimePeriodParams {
282 #[serde(with = "time::serde::iso8601")]
283 start: OffsetDateTime,
284 #[serde(with = "time::serde::iso8601")]
285 end: OffsetDateTime,
286}
287
288async fn get_top_users_activity_summary(
289 Query(params): Query<TimePeriodParams>,
290 Extension(app): Extension<Arc<AppState>>,
291) -> Result<ErasedJson> {
292 let summary = app
293 .db
294 .get_top_users_activity_summary(params.start..params.end, 100)
295 .await?;
296 Ok(ErasedJson::pretty(summary))
297}
298
299async fn get_user_activity_timeline(
300 Path(user_id): Path<i32>,
301 Query(params): Query<TimePeriodParams>,
302 Extension(app): Extension<Arc<AppState>>,
303) -> Result<ErasedJson> {
304 let summary = app
305 .db
306 .get_user_activity_timeline(params.start..params.end, UserId(user_id))
307 .await?;
308 Ok(ErasedJson::pretty(summary))
309}
310
311#[derive(Deserialize)]
312struct ActiveUserCountParams {
313 #[serde(flatten)]
314 period: TimePeriodParams,
315 durations_in_minutes: String,
316 #[serde(default)]
317 only_collaborative: bool,
318}
319
320#[derive(Serialize)]
321struct ActiveUserSet {
322 active_time_in_minutes: u64,
323 user_count: usize,
324}
325
326async fn get_active_user_counts(
327 Query(params): Query<ActiveUserCountParams>,
328 Extension(app): Extension<Arc<AppState>>,
329) -> Result<ErasedJson> {
330 let durations_in_minutes = params.durations_in_minutes.split(',');
331 let mut user_sets = Vec::new();
332 for duration in durations_in_minutes {
333 let duration = duration
334 .parse()
335 .map_err(|_| anyhow!("invalid duration: {duration}"))?;
336 user_sets.push(ActiveUserSet {
337 active_time_in_minutes: duration,
338 user_count: app
339 .db
340 .get_active_user_count(
341 params.period.start..params.period.end,
342 Duration::from_secs(duration * 60),
343 params.only_collaborative,
344 )
345 .await?,
346 })
347 }
348 Ok(ErasedJson::pretty(user_sets))
349}
350
351#[derive(Deserialize)]
352struct GetProjectMetadataParams {
353 project_id: u64,
354}
355
356async fn get_project_metadata(
357 Query(params): Query<GetProjectMetadataParams>,
358 Extension(app): Extension<Arc<AppState>>,
359) -> Result<ErasedJson> {
360 let extensions = app
361 .db
362 .get_project_extensions(ProjectId::from_proto(params.project_id))
363 .await?;
364 Ok(ErasedJson::pretty(json!({ "extensions": extensions })))
365}
366
367#[derive(Deserialize)]
368struct CreateAccessTokenQueryParams {
369 public_key: String,
370 impersonate: Option<String>,
371}
372
373#[derive(Serialize)]
374struct CreateAccessTokenResponse {
375 user_id: UserId,
376 encrypted_access_token: String,
377}
378
379async fn create_access_token(
380 Path(user_id): Path<UserId>,
381 Query(params): Query<CreateAccessTokenQueryParams>,
382 Extension(app): Extension<Arc<AppState>>,
383) -> Result<Json<CreateAccessTokenResponse>> {
384 let user = app
385 .db
386 .get_user_by_id(user_id)
387 .await?
388 .ok_or_else(|| anyhow!("user not found"))?;
389
390 let mut user_id = user.id;
391 if let Some(impersonate) = params.impersonate {
392 if user.admin {
393 if let Some(impersonated_user) = app
394 .db
395 .get_user_by_github_account(&impersonate, None)
396 .await?
397 {
398 user_id = impersonated_user.id;
399 } else {
400 return Err(Error::Http(
401 StatusCode::UNPROCESSABLE_ENTITY,
402 format!("user {impersonate} does not exist"),
403 ));
404 }
405 } else {
406 return Err(Error::Http(
407 StatusCode::UNAUTHORIZED,
408 "you do not have permission to impersonate other users".to_string(),
409 ));
410 }
411 }
412
413 let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
414 let encrypted_access_token =
415 auth::encrypt_access_token(&access_token, params.public_key.clone())?;
416
417 Ok(Json(CreateAccessTokenResponse {
418 user_id,
419 encrypted_access_token,
420 }))
421}
422
423async fn get_user_for_invite_code(
424 Path(code): Path<String>,
425 Extension(app): Extension<Arc<AppState>>,
426) -> Result<Json<User>> {
427 Ok(Json(app.db.get_user_for_invite_code(&code).await?))
428}
429
430async fn create_signup(
431 Json(params): Json<Signup>,
432 Extension(app): Extension<Arc<AppState>>,
433) -> Result<()> {
434 app.db.create_signup(params).await?;
435 Ok(())
436}
437
438async fn get_waitlist_summary(
439 Extension(app): Extension<Arc<AppState>>,
440) -> Result<Json<WaitlistSummary>> {
441 Ok(Json(app.db.get_waitlist_summary().await?))
442}
443
444#[derive(Deserialize)]
445pub struct CreateInviteFromCodeParams {
446 invite_code: String,
447 email_address: String,
448 device_id: Option<String>,
449}
450
451async fn create_invite_from_code(
452 Json(params): Json<CreateInviteFromCodeParams>,
453 Extension(app): Extension<Arc<AppState>>,
454) -> Result<Json<Invite>> {
455 Ok(Json(
456 app.db
457 .create_invite_from_code(
458 ¶ms.invite_code,
459 ¶ms.email_address,
460 params.device_id.as_deref(),
461 )
462 .await?,
463 ))
464}
465
466#[derive(Deserialize)]
467pub struct GetUnsentInvitesParams {
468 pub count: usize,
469}
470
471async fn get_unsent_invites(
472 Query(params): Query<GetUnsentInvitesParams>,
473 Extension(app): Extension<Arc<AppState>>,
474) -> Result<Json<Vec<Invite>>> {
475 Ok(Json(app.db.get_unsent_invites(params.count).await?))
476}
477
478async fn record_sent_invites(
479 Json(params): Json<Vec<Invite>>,
480 Extension(app): Extension<Arc<AppState>>,
481) -> Result<()> {
482 app.db.record_sent_invites(¶ms).await?;
483 Ok(())
484}