src/server/falx.rs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

use std::time::SystemTime;

use axum::{
    body::Body,
    extract::{Path, State},
    http::{HeaderMap, StatusCode, Uri},
    response::{IntoResponse, Response},
    routing::get,
    Router,
};
use axum_extra::extract::CookieJar;

use crate::server::store::Store;

use super::{ApiState, Handoffs};

pub fn bind(app: Router<ApiState>) -> Router<ApiState> {
    app.route("/check/:token/:scope", get(check_))
        .route("/handoff", get(handoff))
}

#[axum::debug_handler(state = ApiState)]
async fn check_(
    Path((token, scope)): Path<(String, String)>,
    State(store): State<Store>,
) -> Response {
    let Some((name, _)) = store.check_token(&token).await else {
        return StatusCode::UNAUTHORIZED.into_response();
    };
    let Some(account) = store.get_account(&name).await else {
        return StatusCode::UNAUTHORIZED.into_response();
    };
    if account.scopes.contains(&scope) {
        StatusCode::OK.into_response()
    } else {
        StatusCode::FORBIDDEN.into_response()
    }
}

#[axum::debug_handler(state = ApiState)]
async fn handoff(
    jar: CookieJar,
    State(Handoffs(handoffs)): State<Handoffs>,
    State(store): State<Store>,
    headers: HeaderMap,
) -> Response {
    let Some(origin_header) = headers.get("Origin") else {
        return (StatusCode::BAD_REQUEST, "Missing Origin header").into_response();
    };
    let Some(origin) = origin_header
        .to_str()
        .ok()
        .and_then(|origin| origin.parse::<Uri>().ok())
        .and_then(|origin| origin.host().map(ToString::to_string))
    else {
        return (StatusCode::BAD_REQUEST, "Malformed Origin header").into_response();
    };
    if !handoffs.contains(&origin) {
        return (StatusCode::FORBIDDEN, "Origin not registered for handoff").into_response();
    }

    let builder = Response::builder()
        .header("Access-Control-Allow-Credentials", "true")
        .header("Access-Control-Allow-Origin", origin_header);

    if let Some(token) = jar.get("dissociate-token") {
        if let Some((_, expires)) = store.check_token(token.value()).await {
            let expires_in = expires
                .duration_since(SystemTime::now())
                .unwrap_or_default()
                .as_secs();

            return builder
                .status(StatusCode::OK)
                .body(Body::from(format!(
                    r#"{{"token":"{}","expiresIn":{}}}"#,
                    token.value().to_string(),
                    expires_in,
                )))
                .unwrap();
        }
    }

    builder
        .status(StatusCode::UNAUTHORIZED)
        .body(Body::empty())
        .unwrap()
}