authbeam/api/

me.rs

use crate::database::Database;
use crate::model::{DatabaseError, TokenContext, TokenPermission};
use serde::{Deserialize, Serialize};
use databeam::prelude::DefaultReturn;

use axum::http::{HeaderMap, HeaderValue};
use axum::response::{IntoResponse, Redirect};
use axum::{extract::State, Json};
use axum_extra::extract::cookie::CookieJar;
use pathbufd::pathd;

use crate::avif::{save_avif_buffer, Image};

/// Returns the current user's username
pub async fn get_request(jar: CookieJar, State(database): State<Database>) -> impl IntoResponse {
    // get user from token
    let auth_user = match jar.get("__Secure-Token") {
        Some(c) => match database.get_profile_by_unhashed(c.value_trimmed()).await {
            Ok(ua) => ua,
            Err(e) => return Json(e.to_json()),
        },
        None => return Json(DatabaseError::NotAllowed.to_json()),
    };

    // return
    Json(DefaultReturn {
        success: true,
        message: auth_user.id.to_string(),
        payload: Some(auth_user),
    })
}

#[derive(Serialize, Deserialize)]
pub struct DeleteProfile {
    password: String,
    #[serde(default)]
    totp: String,
}

/// Delete the current user's profile
pub async fn delete_request(
    jar: CookieJar,
    State(database): State<Database>,
    Json(props): Json<DeleteProfile>,
) -> impl IntoResponse {
    // get user from token
    let auth_user = match jar.get("__Secure-Token") {
        Some(c) => match database.get_profile_by_unhashed(c.value_trimmed()).await {
            Ok(ua) => ua,
            Err(e) => return Json(e.to_json()),
        },
        None => return Json(DatabaseError::NotAllowed.to_json()),
    };

    // get profile
    let hashed = rainbeam_shared::hash::hash_salted(props.password, auth_user.salt.clone());

    if hashed != auth_user.password {
        return Json(DefaultReturn {
            success: false,
            message: DatabaseError::NotAllowed.to_string(),
            payload: (),
        });
    }

    // check totp
    if !database.check_totp(&auth_user, &props.totp) {
        return Json(DatabaseError::NotAllowed.to_json());
    }

    // return
    if let Err(e) = database.delete_profile_by_id(&auth_user.id).await {
        return Json(e.to_json());
    }

    Json(DefaultReturn {
        success: true,
        message: "Profile deleted, goodbye!".to_string(),
        payload: (),
    })
}

/// Generate a new token and session (like logging in while already logged in)
pub async fn generate_token_request(
    jar: CookieJar,
    headers: HeaderMap,
    State(database): State<Database>,
    Json(props): Json<TokenContext>,
) -> impl IntoResponse {
    // get user from token
    let mut existing_permissions: Option<Vec<TokenPermission>> = None;
    let mut auth_user = match jar.get("__Secure-Token") {
        Some(c) => {
            let token = c.value_trimmed();

            match database.get_profile_by_unhashed(token).await {
                Ok(ua) => {
                    // check token permission
                    let token = ua.token_context_from_token(&token);

                    if let Some(ref permissions) = token.permissions {
                        existing_permissions = Some(permissions.to_owned())
                    }

                    if !token.can_do(TokenPermission::GenerateTokens) {
                        return Json(DatabaseError::NotAllowed.to_json());
                    }

                    // return
                    ua
                }
                Err(e) => return Json(e.to_json()),
            }
        }
        None => return Json(DatabaseError::NotAllowed.to_json()),
    };

    // for every token that doesn't have a context, insert the default context
    for (i, _) in auth_user.tokens.clone().iter().enumerate() {
        if let None = auth_user.token_context.get(i) {
            auth_user.token_context.insert(i, TokenContext::default())
        }
    }

    // get real ip
    let real_ip = if let Some(ref real_ip_header) = database.config.real_ip_header {
        headers
            .get(real_ip_header.to_owned())
            .unwrap_or(&HeaderValue::from_static(""))
            .to_str()
            .unwrap_or("")
            .to_string()
    } else {
        String::new()
    };

    // check ip
    if database.get_ipban_by_ip(&real_ip).await.is_ok() {
        return Json(DefaultReturn {
            success: false,
            message: DatabaseError::NotAllowed.to_string(),
            payload: None,
        });
    }

    // check given context
    if let Some(ref permissions) = props.permissions {
        // make sure we don't want anything we don't have
        // if our permissions are "None", allow any permission to be granted
        for permission in permissions {
            if let Some(ref existing) = existing_permissions {
                if !existing.contains(permission) {
                    return Json(DefaultReturn {
                        success: false,
                        message: DatabaseError::OutOfScope.to_string(),
                        payload: None,
                    });
                }
            } else {
                break;
            }
        }
    }

    // ...
    let token = databeam::utility::uuid();
    let token_hashed = databeam::utility::hash(token.clone());

    auth_user.tokens.push(token_hashed);
    auth_user.ips.push(String::new()); // don't actually store ip, this endpoint is used by external apps
    auth_user.token_context.push(props);

    database
        .update_profile_tokens(
            &auth_user.id,
            auth_user.tokens,
            auth_user.ips,
            auth_user.token_context,
        )
        .await
        .unwrap();

    // return
    return Json(DefaultReturn {
        success: true,
        message: "Generated token!".to_string(),
        payload: Some(token),
    });
}

#[derive(Serialize, Deserialize)]
pub struct UpdateTokens {
    pub tokens: Vec<String>,
}

/// Update the current user's session tokens
pub async fn update_tokens_request(
    jar: CookieJar,
    State(database): State<Database>,
    Json(req): Json<UpdateTokens>,
) -> impl IntoResponse {
    // get user from token
    let mut auth_user = match jar.get("__Secure-Token") {
        Some(c) => {
            let token = c.value_trimmed();

            match database.get_profile_by_unhashed(token).await {
                Ok(ua) => {
                    // check token permission
                    if !ua
                        .token_context_from_token(&token)
                        .can_do(TokenPermission::ManageAccount)
                    {
                        return Json(DatabaseError::NotAllowed.to_json());
                    }

                    // return
                    ua
                }
                Err(e) => return Json(e.to_json()),
            }
        }
        None => return Json(DatabaseError::NotAllowed.to_json()),
    };

    // for every token that doesn't have a context, insert the default context
    for (i, _) in auth_user.tokens.clone().iter().enumerate() {
        if let None = auth_user.token_context.get(i) {
            auth_user.token_context.insert(i, TokenContext::default())
        }
    }

    // get diff
    let mut removed_indexes = Vec::new();

    for (i, token) in auth_user.tokens.iter().enumerate() {
        if !req.tokens.contains(token) {
            removed_indexes.push(i);
        }
    }

    // edit dependent vecs
    for i in removed_indexes.clone() {
        if (auth_user.ips.len() < i) | (auth_user.ips.len() == 0) {
            break;
        }

        auth_user.ips.remove(i);
    }

    for i in removed_indexes.clone() {
        if (auth_user.token_context.len() < i) | (auth_user.token_context.len() == 0) {
            break;
        }

        auth_user.token_context.remove(i);
    }

    // return
    if let Err(e) = database
        .update_profile_tokens(
            &auth_user.id,
            req.tokens,
            auth_user.ips,
            auth_user.token_context,
        )
        .await
    {
        return Json(e.to_json());
    }

    Json(DefaultReturn {
        success: true,
        message: "Tokens updated!".to_string(),
        payload: (),
    })
}

static MAXIUMUM_FILE_SIZE: usize = 8388608;

/// Upload avatar
pub async fn upload_avatar_request(
    jar: CookieJar,
    State(database): State<Database>,
    img: Image,
) -> impl IntoResponse {
    // get user from token
    let mut auth_user = match jar.get("__Secure-Token") {
        Some(c) => match database.get_profile_by_unhashed(c.value_trimmed()).await {
            Ok(ua) => ua,
            Err(e) => {
                return Redirect::to(&format!(
                    "/settings/profile?ANNC={}&ANNC_TYPE=caution",
                    e.to_string()
                ));
            }
        },
        None => {
            return Redirect::to(&format!(
                "/settings/profile?ANNC={}&ANNC_TYPE=caution",
                DatabaseError::NotFound.to_string()
            ));
        }
    };

    let path = pathd!(
        "{}/avatars/{}.avif",
        database.config.media_dir,
        &auth_user.id
    );

    // check file size
    if img.0.len() > MAXIUMUM_FILE_SIZE {
        return Redirect::to(&format!(
            "/settings/profile?ANNC={}&ANNC_TYPE=caution",
            DatabaseError::TooLong.to_string()
        ));
    }

    // upload image
    let mut bytes = Vec::new();

    for byte in img.0 {
        bytes.push(byte);
    }

    match save_avif_buffer(&path, bytes) {
        Ok(_) => {
            // update profile config
            auth_user
                .metadata
                .kv
                .insert("sparkler:avatar_url".to_string(), "rb://".to_string());

            match database
                .update_profile_metadata(&auth_user.id, auth_user.metadata)
                .await
            {
                Ok(_) => Redirect::to(&format!(
                    "/settings/profile?ANNC={}&ANNC_TYPE=tip",
                    "File uploaded"
                )),
                Err(e) => Redirect::to(&format!(
                    "/settings/profile?ANNC={}&ANNC_TYPE=caution",
                    e.to_string()
                )),
            }
        }
        Err(e) => Redirect::to(&format!(
            "/settings/profile?ANNC={}&ANNC_TYPE=caution",
            e.to_string()
        )),
    }
}

/// Upload banner
pub async fn upload_banner_request(
    jar: CookieJar,
    State(database): State<Database>,
    img: Image,
) -> impl IntoResponse {
    // get user from token
    let mut auth_user = match jar.get("__Secure-Token") {
        Some(c) => match database.get_profile_by_unhashed(c.value_trimmed()).await {
            Ok(ua) => ua,
            Err(e) => {
                return Redirect::to(&format!(
                    "/settings/profile?ANNC={}&ANNC_TYPE=caution",
                    e.to_string()
                ));
            }
        },
        None => {
            return Redirect::to(&format!(
                "/settings/profile?ANNC={}&ANNC_TYPE=caution",
                DatabaseError::NotFound.to_string()
            ));
        }
    };

    let path = pathd!(
        "{}/banners/{}.avif",
        database.config.media_dir,
        &auth_user.id
    );

    // check file size
    if img.0.len() > MAXIUMUM_FILE_SIZE {
        return Redirect::to(&format!(
            "/settings/profile?ANNC={}&ANNC_TYPE=caution",
            DatabaseError::TooLong.to_string()
        ));
    }

    // upload image
    let mut bytes = Vec::new();

    for byte in img.0 {
        bytes.push(byte);
    }

    match save_avif_buffer(&path, bytes) {
        Ok(_) => {
            // update profile config
            auth_user
                .metadata
                .kv
                .insert("sparkler:banner_url".to_string(), "rb://".to_string());

            match database
                .update_profile_metadata(&auth_user.id, auth_user.metadata)
                .await
            {
                Ok(_) => Redirect::to(&format!(
                    "/settings/profile?ANNC={}&ANNC_TYPE=tip",
                    "File uploaded"
                )),
                Err(e) => Redirect::to(&format!(
                    "/settings/profile?ANNC={}&ANNC_TYPE=caution",
                    e.to_string()
                )),
            }
        }
        Err(e) => Redirect::to(&format!(
            "/settings/profile?ANNC={}&ANNC_TYPE=caution",
            e.to_string()
        )),
    }
}