1use crate::{
  2    auth,
  3    db::{User, UserId},
  4    AppState, Error, Result,
  5};
  6use anyhow::anyhow;
  7use axum::{
  8    body::Body,
  9    extract::{Path, Query},
 10    http::{self, Request, StatusCode},
 11    middleware::{self, Next},
 12    response::IntoResponse,
 13    routing::{get, post, put},
 14    Extension, Json, Router,
 15};
 16use serde::{Deserialize, Serialize};
 17use std::sync::Arc;
 18use tower::ServiceBuilder;
 19use tracing::instrument;
 20
 21pub fn routes(state: Arc<AppState>) -> Router<Body> {
 22    Router::new()
 23        .route("/users", get(get_users).post(create_user))
 24        .route(
 25            "/users/:id",
 26            put(update_user).delete(destroy_user).get(get_user),
 27        )
 28        .route("/users/:id/access_tokens", post(create_access_token))
 29        .route("/panic", post(trace_panic))
 30        .layer(
 31            ServiceBuilder::new()
 32                .layer(Extension(state))
 33                .layer(middleware::from_fn(validate_api_token)),
 34        )
 35    // TODO: Compression on API routes?
 36}
 37
 38pub async fn validate_api_token<B>(req: Request<B>, next: Next<B>) -> impl IntoResponse {
 39    let token = req
 40        .headers()
 41        .get(http::header::AUTHORIZATION)
 42        .and_then(|header| header.to_str().ok())
 43        .ok_or_else(|| {
 44            Error::Http(
 45                StatusCode::BAD_REQUEST,
 46                "missing authorization header".to_string(),
 47            )
 48        })?
 49        .strip_prefix("token ")
 50        .ok_or_else(|| {
 51            Error::Http(
 52                StatusCode::BAD_REQUEST,
 53                "invalid authorization header".to_string(),
 54            )
 55        })?;
 56
 57    let state = req.extensions().get::<Arc<AppState>>().unwrap();
 58
 59    if token != state.api_token {
 60        Err(Error::Http(
 61            StatusCode::UNAUTHORIZED,
 62            "invalid authorization token".to_string(),
 63        ))?
 64    }
 65
 66    Ok::<_, Error>(next.run(req).await)
 67}
 68
 69async fn get_users(Extension(app): Extension<Arc<AppState>>) -> Result<Json<Vec<User>>> {
 70    let users = app.db.get_all_users().await?;
 71    Ok(Json(users))
 72}
 73
 74#[derive(Deserialize)]
 75struct CreateUserParams {
 76    github_login: String,
 77    admin: bool,
 78}
 79
 80async fn create_user(
 81    Json(params): Json<CreateUserParams>,
 82    Extension(app): Extension<Arc<AppState>>,
 83) -> Result<Json<User>> {
 84    let user_id = app
 85        .db
 86        .create_user(&params.github_login, params.admin)
 87        .await?;
 88
 89    let user = app
 90        .db
 91        .get_user_by_id(user_id)
 92        .await?
 93        .ok_or_else(|| anyhow!("couldn't find the user we just created"))?;
 94
 95    Ok(Json(user))
 96}
 97
 98#[derive(Deserialize)]
 99struct UpdateUserParams {
100    admin: bool,
101}
102
103async fn update_user(
104    Path(user_id): Path<i32>,
105    Json(params): Json<UpdateUserParams>,
106    Extension(app): Extension<Arc<AppState>>,
107) -> Result<()> {
108    app.db
109        .set_user_is_admin(UserId(user_id), params.admin)
110        .await?;
111    Ok(())
112}
113
114async fn destroy_user(
115    Path(user_id): Path<i32>,
116    Extension(app): Extension<Arc<AppState>>,
117) -> Result<()> {
118    app.db.destroy_user(UserId(user_id)).await?;
119    Ok(())
120}
121
122async fn get_user(
123    Path(login): Path<String>,
124    Extension(app): Extension<Arc<AppState>>,
125) -> Result<Json<User>> {
126    let user = app
127        .db
128        .get_user_by_github_login(&login)
129        .await?
130        .ok_or_else(|| anyhow!("user not found"))?;
131    Ok(Json(user))
132}
133
134#[derive(Debug, Deserialize)]
135struct Panic {
136    version: String,
137    text: String,
138}
139
140#[instrument(skip(panic))]
141async fn trace_panic(panic: Json<Panic>) -> Result<()> {
142    tracing::error!(version = %panic.version, text = %panic.text, "panic report");
143    Ok(())
144}
145
146#[derive(Deserialize)]
147struct CreateAccessTokenQueryParams {
148    public_key: String,
149    impersonate: Option<String>,
150}
151
152#[derive(Serialize)]
153struct CreateAccessTokenResponse {
154    user_id: UserId,
155    encrypted_access_token: String,
156}
157
158async fn create_access_token(
159    Path(login): Path<String>,
160    Query(params): Query<CreateAccessTokenQueryParams>,
161    Extension(app): Extension<Arc<AppState>>,
162) -> Result<Json<CreateAccessTokenResponse>> {
163    //     request.require_token().await?;
164
165    let user = app
166        .db
167        .get_user_by_github_login(&login)
168        .await?
169        .ok_or_else(|| anyhow!("user not found"))?;
170
171    let mut user_id = user.id;
172    if let Some(impersonate) = params.impersonate {
173        if user.admin {
174            if let Some(impersonated_user) = app.db.get_user_by_github_login(&impersonate).await? {
175                user_id = impersonated_user.id;
176            } else {
177                return Err(Error::Http(
178                    StatusCode::UNPROCESSABLE_ENTITY,
179                    format!("user {impersonate} does not exist"),
180                ));
181            }
182        } else {
183            return Err(Error::Http(
184                StatusCode::UNAUTHORIZED,
185                format!("you do not have permission to impersonate other users"),
186            ));
187        }
188    }
189
190    let access_token = auth::create_access_token(app.db.as_ref(), user_id).await?;
191    let encrypted_access_token =
192        auth::encrypt_access_token(&access_token, params.public_key.clone())?;
193
194    Ok(Json(CreateAccessTokenResponse {
195        user_id,
196        encrypted_access_token,
197    }))
198}