1use crate::{
2 db::{self, dev_server, AccessTokenId, Database, DevServerId, UserId},
3 rpc::Principal,
4 AppState, Error, Result,
5};
6use anyhow::{anyhow, Context};
7use axum::{
8 http::{self, Request, StatusCode},
9 middleware::Next,
10 response::IntoResponse,
11};
12use prometheus::{exponential_buckets, register_histogram, Histogram};
13pub use rpc::auth::random_token;
14use scrypt::{
15 password_hash::{PasswordHash, PasswordVerifier},
16 Scrypt,
17};
18use serde::{Deserialize, Serialize};
19use sha2::Digest;
20use std::sync::OnceLock;
21use std::{sync::Arc, time::Instant};
22use subtle::ConstantTimeEq;
23
24/// Validates the authorization header and adds an Extension<Principal> to the request.
25/// Authorization: <user-id> <token>
26/// <token> can be an access_token attached to that user, or an access token of an admin
27/// or (in development) the string ADMIN:<config.api_token>.
28/// Authorization: "dev-server-token" <token>
29pub async fn validate_header<B>(mut req: Request<B>, next: Next<B>) -> impl IntoResponse {
30 let mut auth_header = req
31 .headers()
32 .get(http::header::AUTHORIZATION)
33 .and_then(|header| header.to_str().ok())
34 .ok_or_else(|| {
35 Error::Http(
36 StatusCode::UNAUTHORIZED,
37 "missing authorization header".to_string(),
38 )
39 })?
40 .split_whitespace();
41
42 let state = req.extensions().get::<Arc<AppState>>().unwrap();
43
44 let first = auth_header.next().unwrap_or("");
45 if first == "dev-server-token" {
46 let dev_server_token = auth_header.next().ok_or_else(|| {
47 Error::Http(
48 StatusCode::BAD_REQUEST,
49 "missing dev-server-token token in authorization header".to_string(),
50 )
51 })?;
52 let dev_server = verify_dev_server_token(dev_server_token, &state.db)
53 .await
54 .map_err(|e| Error::Http(StatusCode::UNAUTHORIZED, format!("{}", e)))?;
55
56 req.extensions_mut()
57 .insert(Principal::DevServer(dev_server));
58 return Ok::<_, Error>(next.run(req).await);
59 }
60
61 let user_id = UserId(first.parse().map_err(|_| {
62 Error::Http(
63 StatusCode::BAD_REQUEST,
64 "missing user id in authorization header".to_string(),
65 )
66 })?);
67
68 let access_token = auth_header.next().ok_or_else(|| {
69 Error::Http(
70 StatusCode::BAD_REQUEST,
71 "missing access token in authorization header".to_string(),
72 )
73 })?;
74
75 // In development, allow impersonation using the admin API token.
76 // Don't allow this in production because we can't tell who is doing
77 // the impersonating.
78 let validate_result = if let (Some(admin_token), true) = (
79 access_token.strip_prefix("ADMIN_TOKEN:"),
80 state.config.is_development(),
81 ) {
82 Ok(VerifyAccessTokenResult {
83 is_valid: state.config.api_token == admin_token,
84 impersonator_id: None,
85 })
86 } else {
87 verify_access_token(&access_token, user_id, &state.db).await
88 };
89
90 if let Ok(validate_result) = validate_result {
91 if validate_result.is_valid {
92 let user = state
93 .db
94 .get_user_by_id(user_id)
95 .await?
96 .ok_or_else(|| anyhow!("user {} not found", user_id))?;
97
98 if let Some(impersonator_id) = validate_result.impersonator_id {
99 let admin = state
100 .db
101 .get_user_by_id(impersonator_id)
102 .await?
103 .ok_or_else(|| anyhow!("user {} not found", impersonator_id))?;
104 req.extensions_mut()
105 .insert(Principal::Impersonated { user, admin });
106 } else {
107 req.extensions_mut().insert(Principal::User(user));
108 };
109 return Ok::<_, Error>(next.run(req).await);
110 }
111 }
112
113 Err(Error::Http(
114 StatusCode::UNAUTHORIZED,
115 "invalid credentials".to_string(),
116 ))
117}
118
119const MAX_ACCESS_TOKENS_TO_STORE: usize = 8;
120
121#[derive(Serialize, Deserialize)]
122struct AccessTokenJson {
123 version: usize,
124 id: AccessTokenId,
125 token: String,
126}
127
128/// Creates a new access token to identify the given user. before returning it, you should
129/// encrypt it with the user's public key.
130pub async fn create_access_token(
131 db: &db::Database,
132 user_id: UserId,
133 impersonated_user_id: Option<UserId>,
134) -> Result<String> {
135 const VERSION: usize = 1;
136 let access_token = rpc::auth::random_token();
137 let access_token_hash = hash_access_token(&access_token);
138 let id = db
139 .create_access_token(
140 user_id,
141 impersonated_user_id,
142 &access_token_hash,
143 MAX_ACCESS_TOKENS_TO_STORE,
144 )
145 .await?;
146 Ok(serde_json::to_string(&AccessTokenJson {
147 version: VERSION,
148 id,
149 token: access_token,
150 })?)
151}
152
153/// Hashing prevents anyone with access to the database being able to login.
154/// As the token is randomly generated, we don't need to worry about scrypt-style
155/// protection.
156pub fn hash_access_token(token: &str) -> String {
157 let digest = sha2::Sha256::digest(token);
158 format!(
159 "$sha256${}",
160 base64::encode_config(digest, base64::URL_SAFE)
161 )
162}
163
164/// Encrypts the given access token with the given public key to avoid leaking it on the way
165/// to the client.
166pub fn encrypt_access_token(access_token: &str, public_key: String) -> Result<String> {
167 let native_app_public_key =
168 rpc::auth::PublicKey::try_from(public_key).context("failed to parse app public key")?;
169 let encrypted_access_token = native_app_public_key
170 .encrypt_string(access_token)
171 .context("failed to encrypt access token with public key")?;
172 Ok(encrypted_access_token)
173}
174
175pub struct VerifyAccessTokenResult {
176 pub is_valid: bool,
177 pub impersonator_id: Option<UserId>,
178}
179
180/// Checks that the given access token is valid for the given user.
181pub async fn verify_access_token(
182 token: &str,
183 user_id: UserId,
184 db: &Arc<Database>,
185) -> Result<VerifyAccessTokenResult> {
186 static METRIC_ACCESS_TOKEN_HASHING_TIME: OnceLock<Histogram> = OnceLock::new();
187 let metric_access_token_hashing_time = METRIC_ACCESS_TOKEN_HASHING_TIME.get_or_init(|| {
188 register_histogram!(
189 "access_token_hashing_time",
190 "time spent hashing access tokens",
191 exponential_buckets(10.0, 2.0, 10).unwrap(),
192 )
193 .unwrap()
194 });
195
196 let token: AccessTokenJson = serde_json::from_str(&token)?;
197
198 let db_token = db.get_access_token(token.id).await?;
199 let token_user_id = db_token.impersonated_user_id.unwrap_or(db_token.user_id);
200 if token_user_id != user_id {
201 return Err(anyhow!("no such access token"))?;
202 }
203 let t0 = Instant::now();
204
205 let is_valid = if db_token.hash.starts_with("$scrypt$") {
206 let db_hash = PasswordHash::new(&db_token.hash).map_err(anyhow::Error::new)?;
207 Scrypt
208 .verify_password(token.token.as_bytes(), &db_hash)
209 .is_ok()
210 } else {
211 let token_hash = hash_access_token(&token.token);
212 db_token.hash.as_bytes().ct_eq(token_hash.as_ref()).into()
213 };
214
215 let duration = t0.elapsed();
216 log::info!("hashed access token in {:?}", duration);
217 metric_access_token_hashing_time.observe(duration.as_millis() as f64);
218
219 if is_valid && db_token.hash.starts_with("$scrypt$") {
220 let new_hash = hash_access_token(&token.token);
221 db.update_access_token_hash(db_token.id, &new_hash).await?;
222 }
223
224 Ok(VerifyAccessTokenResult {
225 is_valid,
226 impersonator_id: if db_token.impersonated_user_id.is_some() {
227 Some(db_token.user_id)
228 } else {
229 None
230 },
231 })
232}
233
234pub fn generate_dev_server_token(id: usize, access_token: String) -> String {
235 format!("{}.{}", id, access_token)
236}
237
238pub async fn verify_dev_server_token(
239 dev_server_token: &str,
240 db: &Arc<Database>,
241) -> anyhow::Result<dev_server::Model> {
242 let (id, token) = split_dev_server_token(dev_server_token)?;
243 let token_hash = hash_access_token(&token);
244 let server = db.get_dev_server(id).await?;
245
246 if server
247 .hashed_token
248 .as_bytes()
249 .ct_eq(token_hash.as_ref())
250 .into()
251 {
252 Ok(server)
253 } else {
254 Err(anyhow!("wrong token for dev server"))
255 }
256}
257
258// a dev_server_token has the format <id>.<base64>. This is to make them
259// relatively easy to copy/paste around.
260pub fn split_dev_server_token(dev_server_token: &str) -> anyhow::Result<(DevServerId, &str)> {
261 let mut parts = dev_server_token.splitn(2, '.');
262 let id = DevServerId(parts.next().unwrap_or_default().parse()?);
263 let token = parts
264 .next()
265 .ok_or_else(|| anyhow!("invalid dev server token format"))?;
266 Ok((id, token))
267}
268
269#[cfg(test)]
270mod test {
271 use rand::thread_rng;
272 use scrypt::password_hash::{PasswordHasher, SaltString};
273 use sea_orm::EntityTrait;
274
275 use super::*;
276 use crate::db::{access_token, NewUserParams};
277
278 #[gpui::test]
279 async fn test_verify_access_token(cx: &mut gpui::TestAppContext) {
280 let test_db = crate::db::TestDb::sqlite(cx.executor().clone());
281 let db = test_db.db();
282
283 let user = db
284 .create_user(
285 "example@example.com",
286 false,
287 NewUserParams {
288 github_login: "example".into(),
289 github_user_id: 1,
290 },
291 )
292 .await
293 .unwrap();
294
295 let token = create_access_token(&db, user.user_id, None).await.unwrap();
296 assert!(matches!(
297 verify_access_token(&token, user.user_id, &db)
298 .await
299 .unwrap(),
300 VerifyAccessTokenResult {
301 is_valid: true,
302 impersonator_id: None,
303 }
304 ));
305
306 let old_token = create_previous_access_token(user.user_id, None, &db)
307 .await
308 .unwrap();
309
310 let old_token_id = serde_json::from_str::<AccessTokenJson>(&old_token)
311 .unwrap()
312 .id;
313
314 let hash = db
315 .transaction(|tx| async move {
316 Ok(access_token::Entity::find_by_id(old_token_id)
317 .one(&*tx)
318 .await?)
319 })
320 .await
321 .unwrap()
322 .unwrap()
323 .hash;
324 assert!(hash.starts_with("$scrypt$"));
325
326 assert!(matches!(
327 verify_access_token(&old_token, user.user_id, &db)
328 .await
329 .unwrap(),
330 VerifyAccessTokenResult {
331 is_valid: true,
332 impersonator_id: None,
333 }
334 ));
335
336 let hash = db
337 .transaction(|tx| async move {
338 Ok(access_token::Entity::find_by_id(old_token_id)
339 .one(&*tx)
340 .await?)
341 })
342 .await
343 .unwrap()
344 .unwrap()
345 .hash;
346 assert!(hash.starts_with("$sha256$"));
347
348 assert!(matches!(
349 verify_access_token(&old_token, user.user_id, &db)
350 .await
351 .unwrap(),
352 VerifyAccessTokenResult {
353 is_valid: true,
354 impersonator_id: None,
355 }
356 ));
357
358 assert!(matches!(
359 verify_access_token(&token, user.user_id, &db)
360 .await
361 .unwrap(),
362 VerifyAccessTokenResult {
363 is_valid: true,
364 impersonator_id: None,
365 }
366 ));
367 }
368
369 async fn create_previous_access_token(
370 user_id: UserId,
371 impersonated_user_id: Option<UserId>,
372 db: &Database,
373 ) -> Result<String> {
374 let access_token = rpc::auth::random_token();
375 let access_token_hash = previous_hash_access_token(&access_token)?;
376 let id = db
377 .create_access_token(
378 user_id,
379 impersonated_user_id,
380 &access_token_hash,
381 MAX_ACCESS_TOKENS_TO_STORE,
382 )
383 .await?;
384 Ok(serde_json::to_string(&AccessTokenJson {
385 version: 1,
386 id,
387 token: access_token,
388 })?)
389 }
390
391 fn previous_hash_access_token(token: &str) -> Result<String> {
392 // Avoid slow hashing in debug mode.
393 let params = if cfg!(debug_assertions) {
394 scrypt::Params::new(1, 1, 1).unwrap()
395 } else {
396 scrypt::Params::new(14, 8, 1).unwrap()
397 };
398
399 Ok(Scrypt
400 .hash_password(
401 token.as_bytes(),
402 None,
403 params,
404 &SaltString::generate(thread_rng()),
405 )
406 .map_err(anyhow::Error::new)?
407 .to_string())
408 }
409}