1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
use axum::{
extract::{Path, State},
http::{HeaderMap, StatusCode, Uri},
response::{IntoResponse, Response},
routing::get,
Router,
};
use axum_extra::extract::CookieJar;
use crate::server::store::Store;
use super::{ApiState, Handoffs};
pub fn bind(app: Router<ApiState>) -> Router<ApiState> {
app.route("/check/:token/:scope", get(check_))
.route("/handoff", get(handoff))
}
#[axum::debug_handler(state = ApiState)]
async fn check_(
Path((token, scope)): Path<(String, String)>,
State(store): State<Store>,
) -> Response {
let Some(name) = store.check_token(&token).await else {
return StatusCode::UNAUTHORIZED.into_response();
};
let Some(account) = store.get_account(&name).await else {
return StatusCode::UNAUTHORIZED.into_response();
};
if account.scopes.contains(&scope) {
StatusCode::OK.into_response()
} else {
StatusCode::FORBIDDEN.into_response()
}
}
#[axum::debug_handler(state = ApiState)]
async fn handoff(
jar: CookieJar,
State(Handoffs(handoffs)): State<Handoffs>,
headers: HeaderMap,
) -> Response {
let Some(origin) = headers.get("Origin") else {
return (StatusCode::BAD_REQUEST, "Missing Origin header").into_response();
};
let Some(origin) = origin
.to_str()
.ok()
.and_then(|origin| origin.parse::<Uri>().ok())
.and_then(|origin| origin.host().map(ToString::to_string))
else {
return (StatusCode::BAD_REQUEST, "Malformed Origin header").into_response();
};
if !handoffs.contains(&origin) {
return (StatusCode::FORBIDDEN, "Origin not registered for handoff").into_response();
}
let Some(token) = jar.get("dissociate-token") else {
return (StatusCode::UNAUTHORIZED, "Authenticate cookie missing").into_response();
};
return (StatusCode::OK, token.value().to_string()).into_response();
}
|
