authormia <mia@mia.jetzt>2024-04-16 19:05:41 -0700
committermia <mia@mia.jetzt>2024-04-16 19:05:41 -0700
commit796b2cafc798a7faa80a007002831a4c40635fe8 (patch)
treed8e68590524f4adab7ff8ff6e2cb3dfbb0c64b37 /src/server/nginx_check.rs
downloaddissociate-0.1.0.tar.gz
dissociate-0.1.0.zip
initial commit v0.1.0
Diffstat (limited to 'src/server/nginx_check.rs')
-rw-r--r--src/server/nginx_check.rs41
1 files changed, 41 insertions, 0 deletions
diff --git a/src/server/nginx_check.rs b/src/server/nginx_check.rs
new file mode 100644
index 0000000..7b67f26
--- /dev/null
+++ b/src/server/nginx_check.rs
@@ -0,0 +1,41 @@
+// for ngx_http_auth_request_module authentication
+// make sure you have cookie_domain set properly
+// depends on https://git.mia.jetzt/sysconf/tree/patches/nginx_auth_redirect.patch
+
+use axum::{
+    extract::{Path, State},
+    http::StatusCode,
+    response::{IntoResponse, Redirect, Response},
+    routing::get,
+    Router,
+};
+use axum_extra::extract::CookieJar;
+
+use crate::server::{account_auth, store::Store};
+
+use super::{ApiState, WebBase};
+
+pub fn bind(app: Router<ApiState>) -> Router<ApiState> {
+    app.route("/nginx_check/:scope", get(nginx_check))
+}
+
+#[axum::debug_handler(state = ApiState)]
+async fn nginx_check(
+    jar: CookieJar,
+    Path(scope): Path<String>,
+    State(store): State<Store>,
+    State(WebBase(web_base)): State<WebBase>,
+) -> Response {
+    let nevermind = || Redirect::to(&format!("{web_base}/logout")).into_response();
+    let Some(name) = account_auth(&jar, &store).await else {
+        return nevermind();
+    };
+    let Some(account) = store.get_account(&name).await else {
+        return nevermind();
+    };
+    if account.scopes.contains(&scope) {
+        StatusCode::OK.into_response()
+    } else {
+        StatusCode::FORBIDDEN.into_response()
+    }
+}
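Review bot: `nginx_check` has no doc comment stating its response contract, although the nginx configuration depends on exactly which status each branch returns. I would add above the handler: `/// auth_request endpoint: 200 if the session's account holds scope, 403 if it does not,` and `/// redirect to {web_base}/logout if there is no valid session or the account is gone.` Stock ngx_http_auth_request_module treats any subrequest status other than 2xx, 401 or 403 as an error. The two `nevermind()` branches therefore only behave as intended with the patch named in the file header, and the same comment should say so next to the code that relies on it. It would also help to note that `scope` is expected to be fixed by the nginx location config rather than taken from the client request, if that is the intent, since the handler compares it verbatim against `account.scopes`.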