forked from jmug/stoatchat
chore: migrate authifier into codebase (#658)
Co-authored-by: izzy <me@insrt.uk> Signed-off-by: Zomatree <me@zomatree.live> Signed-off-by: izzy <me@insrt.uk>
This commit is contained in:
@@ -56,7 +56,6 @@ lettre = { workspace = true }
|
||||
rocket = { workspace = true, features = ["json"] }
|
||||
rocket_cors = { workspace = true }
|
||||
rocket_empty = { workspace = true, features = ["schema"] }
|
||||
rocket_authifier = { workspace = true }
|
||||
rocket_prometheus = { workspace = true }
|
||||
|
||||
# spec generation
|
||||
@@ -67,7 +66,6 @@ revolt_rocket_okapi = { workspace = true, features = ["swagger"] }
|
||||
lapin = { workspace = true, features = ["tokio"] }
|
||||
|
||||
# core
|
||||
authifier = { workspace = true }
|
||||
revolt-config = { workspace = true }
|
||||
revolt-database = { workspace = true, features = [
|
||||
"rocket-impl",
|
||||
@@ -88,5 +86,8 @@ revolt-ratelimits = { workspace = true, features = ["rocket"] }
|
||||
livekit-api = { workspace = true }
|
||||
livekit-protocol = { workspace = true }
|
||||
|
||||
[dev-dependencies]
|
||||
revolt-config = { workspace = true, features = ["test"] }
|
||||
|
||||
[build-dependencies]
|
||||
vergen = { workspace = true }
|
||||
|
||||
@@ -9,7 +9,7 @@ pub mod routes;
|
||||
pub mod util;
|
||||
|
||||
use revolt_config::config;
|
||||
use revolt_database::{AMQP, events::client::EventV1};
|
||||
use revolt_database::AMQP;
|
||||
use revolt_ratelimits::rocket as ratelimiter;
|
||||
use rocket::{Build, Rocket};
|
||||
use rocket_cors::{AllowedOrigins, CorsOptions};
|
||||
@@ -17,8 +17,6 @@ use rocket_prometheus::PrometheusMetrics;
|
||||
use std::net::Ipv4Addr;
|
||||
use std::str::FromStr;
|
||||
|
||||
use async_std::channel::unbounded;
|
||||
use authifier::AuthifierEvent;
|
||||
use revolt_database::voice::VoiceClient;
|
||||
use rocket::data::ToByteUnit;
|
||||
|
||||
@@ -33,28 +31,6 @@ pub async fn web() -> Rocket<Build> {
|
||||
let db = revolt_database::DatabaseInfo::Auto.connect().await.unwrap();
|
||||
db.migrate_database().await.unwrap();
|
||||
|
||||
// Setup Authifier event channel
|
||||
let (_, receiver) = unbounded();
|
||||
|
||||
// Setup Authifier
|
||||
let authifier = db.clone().to_authifier().await;
|
||||
|
||||
// Launch a listener for Authifier events
|
||||
async_std::task::spawn(async move {
|
||||
while let Ok(event) = receiver.recv().await {
|
||||
match &event {
|
||||
AuthifierEvent::CreateSession { .. } | AuthifierEvent::CreateAccount { .. } => {
|
||||
EventV1::Auth(event).global().await
|
||||
}
|
||||
AuthifierEvent::DeleteSession { user_id, .. }
|
||||
| AuthifierEvent::DeleteAllSessions { user_id, .. } => {
|
||||
let id = user_id.to_string();
|
||||
EventV1::Auth(event).private(id).await
|
||||
}
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
// Configure CORS
|
||||
let cors = CorsOptions {
|
||||
allowed_origins: AllowedOrigins::All,
|
||||
@@ -109,7 +85,6 @@ pub async fn web() -> Rocket<Build> {
|
||||
.mount("/", rocket_cors::catch_all_options_routes())
|
||||
.mount("/", ratelimiter::routes())
|
||||
.mount("/swagger/", swagger)
|
||||
.manage(authifier)
|
||||
.manage(db)
|
||||
.manage(amqp)
|
||||
.manage(cors.clone())
|
||||
|
||||
187
crates/delta/src/routes/account/change_email.rs
Normal file
187
crates/delta/src/routes/account/change_email.rs
Normal file
@@ -0,0 +1,187 @@
|
||||
//! Change account email.
|
||||
//! PATCH /account/change/email
|
||||
use revolt_database::util::email::validate_email;
|
||||
use revolt_database::{Account, Database, ValidatedTicket};
|
||||
use revolt_models::v0;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
use revolt_result::{Result, create_error};
|
||||
|
||||
/// # Change Email
|
||||
///
|
||||
/// Change the associated account email.
|
||||
#[openapi(tag = "Account")]
|
||||
#[patch("/change/email", data = "<data>")]
|
||||
pub async fn change_email(
|
||||
db: &State<Database>,
|
||||
validated_ticket: Option<ValidatedTicket>,
|
||||
mut account: Account,
|
||||
data: Json<v0::DataChangeEmail>,
|
||||
) -> Result<EmptyResponse> {
|
||||
let data = data.into_inner();
|
||||
|
||||
validate_email(&data.email)?;
|
||||
|
||||
if account.mfa.is_active() && validated_ticket.is_none() {
|
||||
return Err(create_error!(InvalidCredentials));
|
||||
}
|
||||
|
||||
// Ensure given password is correct
|
||||
account.verify_password(&data.current_password)?;
|
||||
|
||||
// Send email verification for new email
|
||||
account
|
||||
.start_email_move(db, data.email)
|
||||
.await
|
||||
.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_config::overwrite_config;
|
||||
use revolt_database::{MFATicket, Totp};
|
||||
use revolt_models::v0;
|
||||
use rocket::http::{ContentType, Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
overwrite_config(|config| config.api.smtp.host = "".to_string()).await;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.patch("/auth/account/change/email")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"email": "validexample@valid.com",
|
||||
"current_password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let account = harness.db.fetch_account(&account.id).await.unwrap();
|
||||
|
||||
assert_eq!(account.email, "validexample@valid.com");
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_smtp() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.patch("/auth/account/change/email")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"email": "change_email@smtp.test",
|
||||
"current_password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let account = harness.db.fetch_account(&account.id).await.unwrap();
|
||||
|
||||
let (_, code) = harness.assert_email("change_email@smtp.test").await;
|
||||
let res = harness.client
|
||||
.post(format!("/auth/account/verify/{}", code))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
|
||||
let account = harness.db.fetch_account(&account.id).await.unwrap();
|
||||
|
||||
assert_eq!(account.email, "change_email@smtp.test");
|
||||
|
||||
// Ensure that we did not receive a ticket
|
||||
assert_eq!(
|
||||
v0::ResponseVerify::NoTicket,
|
||||
res.into_json().await.expect("`ResponseVerify")
|
||||
)
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_mfa() {
|
||||
overwrite_config(|config| config.api.smtp.host = "".to_string()).await;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.patch("/auth/account/change/email")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.body(
|
||||
json!({
|
||||
"email": "validexample@valid.com",
|
||||
"current_password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let account = harness.db.fetch_account(&account.id).await.unwrap();
|
||||
|
||||
assert_eq!(account.email, "validexample@valid.com");
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_mfa() {
|
||||
overwrite_config(|config| config.api.smtp.host = "".to_string()).await;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.patch("/auth/account/change/email")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"email": "validexample@valid.com",
|
||||
"current_password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
}
|
||||
}
|
||||
187
crates/delta/src/routes/account/change_password.rs
Normal file
187
crates/delta/src/routes/account/change_password.rs
Normal file
@@ -0,0 +1,187 @@
|
||||
//! Change account password.
|
||||
//! PATCH /account/change/password
|
||||
use revolt_database::{
|
||||
util::password::{assert_safe, hash_password},
|
||||
Account, Database, ValidatedTicket,
|
||||
};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{create_error, Result};
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Change Password
|
||||
///
|
||||
/// Change the current account password.
|
||||
#[openapi(tag = "Account")]
|
||||
#[patch("/change/password", data = "<data>")]
|
||||
pub async fn change_password(
|
||||
db: &State<Database>,
|
||||
validated_ticket: Option<ValidatedTicket>,
|
||||
mut account: Account,
|
||||
data: Json<v0::DataChangePassword>,
|
||||
) -> Result<EmptyResponse> {
|
||||
let data = data.into_inner();
|
||||
|
||||
if account.mfa.is_active() && validated_ticket.is_none() {
|
||||
return Err(create_error!(InvalidCredentials));
|
||||
}
|
||||
|
||||
// Verify password can be used
|
||||
assert_safe(&data.password).await?;
|
||||
|
||||
// Ensure given password is correct
|
||||
account.verify_password(&data.current_password)?;
|
||||
|
||||
// Hash and replace password
|
||||
account.password = hash_password(data.password)?;
|
||||
|
||||
// Commit to database
|
||||
account.save(db).await.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::{MFATicket, Totp};
|
||||
use rocket::http::{ContentType, Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (_, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.patch("/auth/account/change/password")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"password": "new password",
|
||||
"current_password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.patch("/auth/account/change/password")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.body(
|
||||
json!({
|
||||
"password": "sussy password",
|
||||
"current_password": "new password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.patch("/auth/account/change/password")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.body(
|
||||
json!({
|
||||
"password": "new password",
|
||||
"current_password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_mfa_no_ticket() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.patch("/auth/account/change/password")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"password": "new password",
|
||||
"current_password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_mfa_invalid_password() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let mut ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.last_totp_code = Some("token from earlier".into());
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.patch("/auth/account/change/password")
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.body(
|
||||
json!({
|
||||
"password": "new password",
|
||||
"current_password": "incorrect password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
}
|
||||
}
|
||||
59
crates/delta/src/routes/account/confirm_deletion.rs
Normal file
59
crates/delta/src/routes/account/confirm_deletion.rs
Normal file
@@ -0,0 +1,59 @@
|
||||
//! Confirm an account deletion.
|
||||
//! PUT /account/delete
|
||||
use revolt_database::Database;
|
||||
use revolt_models::v0;
|
||||
use revolt_result::Result;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Confirm Account Deletion
|
||||
///
|
||||
/// Schedule an account for deletion by confirming the received token.
|
||||
#[openapi(tag = "Account")]
|
||||
#[put("/delete", data = "<data>")]
|
||||
pub async fn confirm_deletion(
|
||||
db: &State<Database>,
|
||||
data: Json<v0::DataAccountDeletion>,
|
||||
) -> Result<EmptyResponse> {
|
||||
let data = data.into_inner();
|
||||
|
||||
// Find the relevant account
|
||||
let mut account = db.fetch_account_with_deletion_token(&data.token).await?;
|
||||
|
||||
// Schedule the account for deletion
|
||||
account.schedule_deletion(db).await.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use iso8601_timestamp::{Duration, Timestamp};
|
||||
use revolt_database::DeletionInfo;
|
||||
use revolt_models::v0;
|
||||
use rocket::http::Status;
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, _, _) = harness.new_user().await;
|
||||
|
||||
account.deletion = Some(DeletionInfo::WaitingForVerification {
|
||||
token: "token".to_string(),
|
||||
expiry: Timestamp::now_utc() + Duration::seconds(100),
|
||||
});
|
||||
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.put("/auth/account/delete")
|
||||
.json(&v0::DataAccountDeletion {
|
||||
token: "token".to_string(),
|
||||
})
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
}
|
||||
}
|
||||
347
crates/delta/src/routes/account/create_account.rs
Normal file
347
crates/delta/src/routes/account/create_account.rs
Normal file
@@ -0,0 +1,347 @@
|
||||
//! Create a new account
|
||||
//! POST /account/create
|
||||
use std::time::Duration;
|
||||
|
||||
use async_std::task::sleep;
|
||||
use revolt_config::config;
|
||||
use revolt_database::{
|
||||
util::{
|
||||
captcha::check_captcha,
|
||||
email::validate_email,
|
||||
password::assert_safe,
|
||||
shield::{validate_shield, ShieldValidationInput},
|
||||
},
|
||||
Account, Database,
|
||||
};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{create_error, Result};
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Create Account
|
||||
///
|
||||
/// Create a new account.
|
||||
#[openapi(tag = "Account")]
|
||||
#[post("/create", data = "<data>")]
|
||||
pub async fn create_account(
|
||||
db: &State<Database>,
|
||||
data: Json<v0::DataCreateAccount>,
|
||||
mut shield: ShieldValidationInput,
|
||||
) -> Result<EmptyResponse> {
|
||||
let data = data.into_inner();
|
||||
|
||||
// Random jitter from 0-1000ms
|
||||
sleep(Duration::from_millis((rand::random::<f32>() * 1000.) as u64)).await;
|
||||
|
||||
// Check Captcha token
|
||||
check_captcha(data.captcha.as_deref()).await?;
|
||||
|
||||
// Validate the request
|
||||
shield.email = Some(data.email.to_string());
|
||||
validate_shield(shield).await?;
|
||||
|
||||
// Make sure email is valid and not blocked
|
||||
validate_email(&data.email)?;
|
||||
|
||||
// Ensure password is safe to use
|
||||
assert_safe(&data.password).await?;
|
||||
|
||||
// If required, fetch valid invite
|
||||
let invite = if config().await.api.registration.invite_only {
|
||||
if let Some(invite) = data.invite {
|
||||
Some(db.fetch_account_invite(&invite).await?)
|
||||
} else {
|
||||
return Err(create_error!(MissingInvite));
|
||||
}
|
||||
} else {
|
||||
None
|
||||
};
|
||||
|
||||
// Create account
|
||||
let account = Account::new(db, data.email, data.password, true).await?;
|
||||
|
||||
// Use up the invite
|
||||
if let Some(mut invite) = invite {
|
||||
invite.claimed_by = Some(account.id);
|
||||
invite.used = true;
|
||||
|
||||
db.save_account_invite(&invite).await?;
|
||||
}
|
||||
|
||||
Ok(EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_config::overwrite_config;
|
||||
use revolt_database::{events::client::EventV1, AccountInvite};
|
||||
use revolt_result::{Error, ErrorType};
|
||||
use rocket::http::{ContentType, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let mut harness = TestHarness::new().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "success@validemail.com",
|
||||
"password": "valid password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
drop(res);
|
||||
|
||||
harness
|
||||
.wait_for_event("global", |e| matches!(e, EventV1::CreateAccount { .. }))
|
||||
.await;
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_invalid_email() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "invalid",
|
||||
"password": "valid password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::BadRequest);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::IncorrectData { .. },
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_invalid_password() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "fail_invalid_password@validemail.com",
|
||||
"password": "password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::BadRequest);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::CompromisedPassword,
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_invalid_invite() {
|
||||
overwrite_config(|config| config.api.registration.invite_only = true).await;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "fail_invalid_invite@validemail.com",
|
||||
"password": "valid password",
|
||||
"invite": "invalid"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::BadRequest);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidInvite,
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_valid_invite() {
|
||||
overwrite_config(|config| config.api.registration.invite_only = true).await;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let invite = AccountInvite {
|
||||
id: "invite".to_string(),
|
||||
used: false,
|
||||
claimed_by: None,
|
||||
};
|
||||
|
||||
invite.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "success_valid_invite@validemail.com",
|
||||
"password": "valid password",
|
||||
"invite": "invite"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let invite = harness
|
||||
.db
|
||||
.fetch_account_invite("invite")
|
||||
.await
|
||||
.expect("`Invite`");
|
||||
|
||||
assert!(invite.used);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_missing_captcha() {
|
||||
overwrite_config(|config| {
|
||||
config.api.security.captcha.hcaptcha_key =
|
||||
"0x0000000000000000000000000000000000000000".to_string()
|
||||
})
|
||||
.await;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "fail_missing_captcha@validemail.com",
|
||||
"password": "valid password",
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::BadRequest);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::CaptchaFailed,
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_captcha_invalid() {
|
||||
overwrite_config(|config| {
|
||||
config.api.security.captcha.hcaptcha_key =
|
||||
"0x0000000000000000000000000000000000000000".to_string()
|
||||
})
|
||||
.await;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "fail_captcha_invalid@validemail.com",
|
||||
"password": "valid password",
|
||||
"captcha": "00000000-aaaa-bbbb-cccc-000000000000"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::BadRequest);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::CaptchaFailed,
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_captcha_valid() {
|
||||
overwrite_config(|config| {
|
||||
config.api.security.captcha.hcaptcha_key =
|
||||
"0x0000000000000000000000000000000000000000".to_string()
|
||||
})
|
||||
.await;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "success_captcha_valid@validemail.com",
|
||||
"password": "valid password",
|
||||
"captcha": "20000000-aaaa-bbbb-cccc-000000000002"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_smtp_sent() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness
|
||||
.client
|
||||
.post("/auth/account/create")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "success_smtp_sent@smtp.test",
|
||||
"password": "valid password",
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let (_, code) = harness.assert_email("success_smtp_sent@smtp.test").await;
|
||||
let res = harness
|
||||
.client
|
||||
.post(format!("/auth/account/verify/{code}"))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
}
|
||||
}
|
||||
64
crates/delta/src/routes/account/delete_account.rs
Normal file
64
crates/delta/src/routes/account/delete_account.rs
Normal file
@@ -0,0 +1,64 @@
|
||||
//! Delete an account.
|
||||
//! POST /account/delete
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
use revolt_result::Result;
|
||||
use revolt_database::{Database, Account, ValidatedTicket};
|
||||
/// # Delete Account
|
||||
///
|
||||
/// Request to have an account deleted.
|
||||
#[openapi(tag = "Account")]
|
||||
#[post("/delete")]
|
||||
pub async fn delete_account(
|
||||
db: &State<Database>,
|
||||
mut account: Account,
|
||||
_ticket: ValidatedTicket,
|
||||
) -> Result<EmptyResponse> {
|
||||
account
|
||||
.start_account_deletion(db)
|
||||
.await
|
||||
.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::MFATicket;
|
||||
use rocket::http::{ContentType, Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.email = "delete_account@smtp.test".to_string();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/account/delete")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let (_, code) = harness.assert_email("delete_account@smtp.test").await;
|
||||
let res = harness.client
|
||||
.put("/auth/account/delete")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"token": code
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
}
|
||||
}
|
||||
67
crates/delta/src/routes/account/disable_account.rs
Normal file
67
crates/delta/src/routes/account/disable_account.rs
Normal file
@@ -0,0 +1,67 @@
|
||||
//! Disable an account.
|
||||
//! POST /account/disable
|
||||
use revolt_result::Result;
|
||||
use revolt_database::{Database, Account, ValidatedTicket};
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Disable Account
|
||||
///
|
||||
/// Disable an account.
|
||||
#[openapi(tag = "Account")]
|
||||
#[post("/disable")]
|
||||
pub async fn disable_account(
|
||||
db: &State<Database>,
|
||||
mut account: Account,
|
||||
_ticket: ValidatedTicket,
|
||||
) -> Result<EmptyResponse> {
|
||||
account.disable(db).await.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::{MFATicket, events::client::EventV1};
|
||||
use revolt_result::ErrorType;
|
||||
use rocket::http::{Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let mut harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/account/disable")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
drop(res);
|
||||
assert!(
|
||||
harness.db
|
||||
.fetch_account(&account.id)
|
||||
.await
|
||||
.unwrap()
|
||||
.disabled
|
||||
);
|
||||
|
||||
assert!(matches!(
|
||||
harness.db
|
||||
.fetch_session(&session.id)
|
||||
.await
|
||||
.unwrap_err().error_type,
|
||||
ErrorType::UnknownUser
|
||||
));
|
||||
|
||||
harness.wait_for_event(&format!("{}!", &account.id), |e| if let EventV1::DeleteAllSessions { user_id, .. } = e {
|
||||
user_id == &account.id
|
||||
} else {
|
||||
false
|
||||
}).await;
|
||||
}
|
||||
}
|
||||
40
crates/delta/src/routes/account/fetch_account.rs
Normal file
40
crates/delta/src/routes/account/fetch_account.rs
Normal file
@@ -0,0 +1,40 @@
|
||||
//! Fetch your account
|
||||
//! GET /account
|
||||
use revolt_database::Account;
|
||||
use rocket::serde::json::Json;
|
||||
use revolt_models::v0;
|
||||
use revolt_result::Result;
|
||||
|
||||
/// # Fetch Account
|
||||
///
|
||||
/// Fetch account information from the current session.
|
||||
#[openapi(tag = "Account")]
|
||||
#[get("/")]
|
||||
pub async fn fetch_account(account: Account) -> Result<Json<v0::AccountInfo>> {
|
||||
Ok(Json(account.into()))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_models::v0;
|
||||
use rocket::http::{Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.get("/auth/account")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert_eq!(
|
||||
&res.into_json::<v0::AccountInfo>().await.unwrap().id,
|
||||
&account.id
|
||||
);
|
||||
}
|
||||
}
|
||||
30
crates/delta/src/routes/account/mod.rs
Normal file
30
crates/delta/src/routes/account/mod.rs
Normal file
@@ -0,0 +1,30 @@
|
||||
use rocket::Route;
|
||||
use revolt_rocket_okapi::revolt_okapi::openapi3::OpenApi;
|
||||
|
||||
pub mod change_email;
|
||||
pub mod change_password;
|
||||
pub mod confirm_deletion;
|
||||
pub mod create_account;
|
||||
pub mod delete_account;
|
||||
pub mod disable_account;
|
||||
pub mod fetch_account;
|
||||
pub mod password_reset;
|
||||
pub mod resend_verification;
|
||||
pub mod send_password_reset;
|
||||
pub mod verify_email;
|
||||
|
||||
pub fn routes() -> (Vec<Route>, OpenApi) {
|
||||
openapi_get_routes_spec![
|
||||
create_account::create_account,
|
||||
resend_verification::resend_verification,
|
||||
confirm_deletion::confirm_deletion,
|
||||
fetch_account::fetch_account,
|
||||
delete_account::delete_account,
|
||||
disable_account::disable_account,
|
||||
change_password::change_password,
|
||||
change_email::change_email,
|
||||
verify_email::verify_email,
|
||||
password_reset::password_reset,
|
||||
send_password_reset::send_password_reset
|
||||
]
|
||||
}
|
||||
140
crates/delta/src/routes/account/password_reset.rs
Normal file
140
crates/delta/src/routes/account/password_reset.rs
Normal file
@@ -0,0 +1,140 @@
|
||||
//! Confirm a password reset.
|
||||
//! PATCH /account/reset_password
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
use revolt_database::util::password::{hash_password, assert_safe};
|
||||
use revolt_database::{Database};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::Result;
|
||||
|
||||
/// # Password Reset
|
||||
///
|
||||
/// Confirm password reset and change the password.
|
||||
#[openapi(tag = "Account")]
|
||||
#[patch("/reset_password", data = "<data>")]
|
||||
pub async fn password_reset(
|
||||
db: &State<Database>,
|
||||
data: Json<v0::DataPasswordReset>,
|
||||
) -> Result<EmptyResponse> {
|
||||
let data = data.into_inner();
|
||||
|
||||
// Find the relevant account
|
||||
let mut account = db
|
||||
.fetch_account_with_password_reset(&data.token)
|
||||
.await?;
|
||||
|
||||
// Verify password can be used
|
||||
assert_safe(&data.password)
|
||||
.await?;
|
||||
|
||||
// Update the account
|
||||
account.password = hash_password(data.password)?;
|
||||
account.password_reset = None;
|
||||
account.lockout = None;
|
||||
|
||||
// Commit to database
|
||||
account.save(db).await?;
|
||||
|
||||
// Delete all sessions if required
|
||||
if data.remove_sessions {
|
||||
account.delete_all_sessions(db, None).await?;
|
||||
}
|
||||
|
||||
Ok(EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use iso8601_timestamp::{Timestamp, Duration};
|
||||
use revolt_database::PasswordReset;
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{ErrorType, Error};
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use rocket::http::{ContentType, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.password_reset = Some(PasswordReset {
|
||||
token: "token".into(),
|
||||
expiry: Timestamp::now_utc() + Duration::seconds(100),
|
||||
});
|
||||
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.patch("/auth/account/reset_password")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"token": "token",
|
||||
"password": "valid-password",
|
||||
"remove_sessions": true
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
// Make sure it was used and can't be used again
|
||||
assert!(harness.db
|
||||
.fetch_account_with_password_reset("token")
|
||||
.await
|
||||
.is_err());
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": account.email.clone(),
|
||||
"password": "valid-password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<v0::Session>().await.is_some());
|
||||
|
||||
// Ensure sessions were deleted
|
||||
assert!(matches!(
|
||||
harness
|
||||
.db
|
||||
.fetch_session(&session.id)
|
||||
.await
|
||||
.unwrap_err().error_type,
|
||||
ErrorType::UnknownUser
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_invalid_token() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness.client
|
||||
.patch("/auth/account/reset_password")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"token": "invalid",
|
||||
"password": "valid password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidToken
|
||||
));
|
||||
}
|
||||
}
|
||||
155
crates/delta/src/routes/account/resend_verification.rs
Normal file
155
crates/delta/src/routes/account/resend_verification.rs
Normal file
@@ -0,0 +1,155 @@
|
||||
//! Resend account verification email
|
||||
//! POST /account/reverify
|
||||
use std::time::Duration;
|
||||
|
||||
use async_std::task::sleep;
|
||||
use rocket::{serde::json::Json, State};
|
||||
use rocket_empty::EmptyResponse;
|
||||
use revolt_result::Result;
|
||||
use revolt_database::{Database, util::{email::{normalise_email, validate_email}, captcha::check_captcha}, EmailVerification};
|
||||
use revolt_models::v0;
|
||||
|
||||
/// # Resend Verification
|
||||
///
|
||||
/// Resend account creation verification email.
|
||||
#[openapi(tag = "Account")]
|
||||
#[post("/reverify", data = "<data>")]
|
||||
pub async fn resend_verification(
|
||||
db: &State<Database>,
|
||||
data: Json<v0::DataResendVerification>,
|
||||
) -> Result<EmptyResponse> {
|
||||
let data = data.into_inner();
|
||||
|
||||
// Random jitter from 0-1000ms
|
||||
sleep(Duration::from_millis((rand::random::<f32>() * 1000.) as u64)).await;
|
||||
|
||||
// Check Captcha token
|
||||
check_captcha(data.captcha.as_deref()).await?;
|
||||
|
||||
// Make sure email is valid and not blocked
|
||||
validate_email(&data.email)?;
|
||||
|
||||
// From this point on, do not report failure to the
|
||||
// remote client, as this will open us up to user enumeration.
|
||||
|
||||
// Normalise the email
|
||||
let email_normalised = normalise_email(data.email);
|
||||
|
||||
// Try to find the relevant account
|
||||
if let Ok(Some(mut account)) = db
|
||||
.fetch_account_by_normalised_email(&email_normalised)
|
||||
.await
|
||||
{
|
||||
match account.verification {
|
||||
EmailVerification::Verified => {
|
||||
// Send password reset if already verified
|
||||
account.start_password_reset(db, true).await?;
|
||||
}
|
||||
EmailVerification::Pending { .. } => {
|
||||
// Resend if not verified yet
|
||||
account.start_email_verification(db).await?;
|
||||
}
|
||||
// Ignore if pending for another email,
|
||||
// this should be re-initiated from settings.
|
||||
EmailVerification::Moving { .. } => {}
|
||||
}
|
||||
}
|
||||
|
||||
// Never fail this route,
|
||||
// You may open the application to email enumeration otherwise.
|
||||
Ok(EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use iso8601_timestamp::Timestamp;
|
||||
use revolt_database::{Account, EmailVerification};
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use rocket::http::{ContentType, Status};
|
||||
use revolt_result::{Error, ErrorType};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let mut account = Account::new(
|
||||
&harness.db,
|
||||
"resend_verification@smtp.test".into(),
|
||||
"password".into(),
|
||||
false,
|
||||
)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
account.verification = EmailVerification::Pending {
|
||||
token: "".into(),
|
||||
expiry: Timestamp::now_utc(),
|
||||
};
|
||||
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/account/reverify")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "resend_verification@smtp.test",
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let (_, code) = harness.assert_email("resend_verification@smtp.test").await;
|
||||
let res = harness.client
|
||||
.post(format!("/auth/account/verify/{code}"))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_unknown() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/account/reverify")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "smtptest1@insrt.uk",
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_bad_email() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/account/reverify")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "invalid",
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::BadRequest);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::IncorrectData { .. },
|
||||
));
|
||||
}
|
||||
}
|
||||
122
crates/delta/src/routes/account/send_password_reset.rs
Normal file
122
crates/delta/src/routes/account/send_password_reset.rs
Normal file
@@ -0,0 +1,122 @@
|
||||
//! Send a password reset email
|
||||
//! POST /account/reset_password
|
||||
use std::time::Duration;
|
||||
|
||||
use async_std::task::sleep;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
use revolt_result::Result;
|
||||
use revolt_database::{Database, EmailVerification, util::{email::{normalise_email, validate_email}, captcha::check_captcha}};
|
||||
use revolt_models::v0;
|
||||
|
||||
/// # Send Password Reset
|
||||
///
|
||||
/// Send an email to reset account password.
|
||||
#[openapi(tag = "Account")]
|
||||
#[post("/reset_password", data = "<data>")]
|
||||
pub async fn send_password_reset(
|
||||
db: &State<Database>,
|
||||
data: Json<v0::DataSendPasswordReset>,
|
||||
) -> Result<EmptyResponse> {
|
||||
let data = data.into_inner();
|
||||
|
||||
// Random jitter from 0-1000ms
|
||||
sleep(Duration::from_millis((rand::random::<f32>() * 1000.) as u64)).await;
|
||||
|
||||
// Check Captcha token
|
||||
check_captcha(data.captcha.as_deref()).await?;
|
||||
|
||||
// Make sure email is valid and not blocked
|
||||
validate_email(&data.email)?;
|
||||
|
||||
// From this point on, do not report failure to the
|
||||
// remote client, as this will open us up to user enumeration.
|
||||
|
||||
// Normalise the email
|
||||
let email_normalised = normalise_email(data.email);
|
||||
|
||||
// Try to find the relevant account
|
||||
if let Ok(Some(mut account)) = db
|
||||
.fetch_account_by_normalised_email(&email_normalised)
|
||||
.await
|
||||
{
|
||||
if !matches!(account.verification, EmailVerification::Pending { .. }) {
|
||||
if let Err(e) = account.start_password_reset(db, false).await {
|
||||
revolt_config::capture_error(&e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Never fail this route, (except for db error)
|
||||
// You may open the application to email enumeration otherwise.
|
||||
Ok(EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::Account;
|
||||
use revolt_models::v0;
|
||||
use rocket::http::{ContentType, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
Account::new(
|
||||
&harness.db,
|
||||
"password_reset@smtp.test".into(),
|
||||
"password".into(),
|
||||
false,
|
||||
)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/account/reset_password")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "password_reset@smtp.test",
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let (_, code) = harness.assert_email("password_reset@smtp.test").await;
|
||||
let res = harness.client
|
||||
.patch("/auth/account/reset_password")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"token": code,
|
||||
"password": "valid password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "password_reset@smtp.test",
|
||||
"password": "valid password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(serde_json::from_str::<v0::Session>(&res.into_string().await.unwrap()).is_ok());
|
||||
}
|
||||
}
|
||||
104
crates/delta/src/routes/account/verify_email.rs
Normal file
104
crates/delta/src/routes/account/verify_email.rs
Normal file
@@ -0,0 +1,104 @@
|
||||
//! Verify an account
|
||||
//! POST /verify/<code>
|
||||
use rocket::{serde::json::Json, State};
|
||||
use revolt_database::{Database, EmailVerification, MFATicket, util::email::normalise_email};
|
||||
use revolt_result::Result;
|
||||
use revolt_models::v0;
|
||||
|
||||
/// # Verify Email
|
||||
///
|
||||
/// Verify an email address.
|
||||
#[openapi(tag = "Account")]
|
||||
#[post("/verify/<code>")]
|
||||
pub async fn verify_email(
|
||||
db: &State<Database>,
|
||||
code: String,
|
||||
) -> Result<Json<v0::ResponseVerify>> {
|
||||
// Find the account
|
||||
let mut account = db
|
||||
.fetch_account_with_email_verification(&code)
|
||||
.await?;
|
||||
|
||||
// Update account email
|
||||
let response = if let EmailVerification::Moving { new_email, .. } = &account.verification {
|
||||
account.email = new_email.clone();
|
||||
account.email_normalised = normalise_email(new_email.clone());
|
||||
v0::ResponseVerify::NoTicket
|
||||
} else {
|
||||
let mut ticket = MFATicket::new(account.id.to_string(), false);
|
||||
ticket.authorised = true;
|
||||
ticket.save(db).await?;
|
||||
v0::ResponseVerify::WithTicket { ticket: ticket.into() }
|
||||
};
|
||||
|
||||
// Mark as verified
|
||||
account.verification = EmailVerification::Verified;
|
||||
|
||||
// Save to database
|
||||
account.save(db).await?;
|
||||
Ok(Json(response))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use iso8601_timestamp::{Timestamp, Duration};
|
||||
use revolt_database::EmailVerification;
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use rocket::http::{ContentType, Status};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{Error, ErrorType};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, _, _) = harness.new_user().await;
|
||||
|
||||
account.verification = EmailVerification::Pending {
|
||||
token: "token".into(),
|
||||
expiry: Timestamp::now_utc() + Duration::seconds(100),
|
||||
};
|
||||
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client.post("/auth/account/verify/token").dispatch().await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
|
||||
// Make sure it was used and can't be used again
|
||||
assert!(harness.db
|
||||
.fetch_account_with_email_verification("token")
|
||||
.await
|
||||
.is_err());
|
||||
|
||||
// Check that we can login using the received MFA ticket
|
||||
let response = res.into_json::<v0::ResponseVerify>().await
|
||||
.expect("`ResponseVerify`");
|
||||
|
||||
if let v0::ResponseVerify::WithTicket { ticket } = response {
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(json!({ "mfa_ticket": ticket.token }).to_string())
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<v0::Session>().await.is_some());
|
||||
} else {
|
||||
panic!("Expected `ResponseVerify::WithTicket`");
|
||||
}
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_invalid_token() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness.client.post("/auth/account/verify/token").dispatch().await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidToken,
|
||||
));
|
||||
}
|
||||
}
|
||||
157
crates/delta/src/routes/mfa/create_ticket.rs
Normal file
157
crates/delta/src/routes/mfa/create_ticket.rs
Normal file
@@ -0,0 +1,157 @@
|
||||
//! Create a new MFA ticket or validate an existing one.
|
||||
//! PUT /mfa/ticket
|
||||
use revolt_result::{Result, create_error};
|
||||
use revolt_database::{Account, Database, MFATicket, UnvalidatedTicket};
|
||||
use revolt_models::v0;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
|
||||
|
||||
/// # Create MFA ticket
|
||||
///
|
||||
/// Create a new MFA ticket or validate an existing one.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[put("/ticket", data = "<data>")]
|
||||
pub async fn create_ticket(
|
||||
db: &State<Database>,
|
||||
account: Option<Account>,
|
||||
existing_ticket: Option<UnvalidatedTicket>,
|
||||
data: Json<v0::MFAResponse>,
|
||||
) -> Result<Json<v0::MFATicket>> {
|
||||
// Find the relevant account
|
||||
let mut account = match (account, existing_ticket) {
|
||||
(Some(_), Some(_)) => return Err(create_error!(OperationFailed)),
|
||||
(Some(account), _) => account,
|
||||
(_, Some(ticket)) => {
|
||||
db.delete_ticket(&ticket.id).await?;
|
||||
db.fetch_account(&ticket.account_id).await?
|
||||
}
|
||||
_ => return Err(create_error!(InvalidToken)),
|
||||
};
|
||||
|
||||
// Validate the MFA response
|
||||
account
|
||||
.consume_mfa_response(db, data.into_inner(), None)
|
||||
.await?;
|
||||
|
||||
// Create a new ticket for this account
|
||||
let ticket = MFATicket::new(account.id, true);
|
||||
ticket.save(db).await?;
|
||||
Ok(Json(ticket.into()))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::Totp;
|
||||
use rocket::http::{Header, Status};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{Error, ErrorType};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (_, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/ticket")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<v0::MFATicket>().await.unwrap().validated);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_totp() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.mfa.totp_token = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/ticket")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"totp_code": Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
}.generate_code().unwrap()
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<v0::MFATicket>().await.is_some());
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn failure_totp() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.mfa.totp_token = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/ticket")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"totp_code": "000000"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidToken,
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn failure_no_totp() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.mfa.totp_token = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/ticket")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"password": "this is the wrong mfa method"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::BadRequest);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::DisallowedMFAMethod,
|
||||
));
|
||||
}
|
||||
}
|
||||
45
crates/delta/src/routes/mfa/fetch_recovery.rs
Normal file
45
crates/delta/src/routes/mfa/fetch_recovery.rs
Normal file
@@ -0,0 +1,45 @@
|
||||
//! Fetch recovery codes for an account.
|
||||
//! POST /mfa/recovery
|
||||
use rocket::serde::json::Json;
|
||||
use revolt_database::{Account, ValidatedTicket};
|
||||
use revolt_result::Result;
|
||||
|
||||
/// # Fetch Recovery Codes
|
||||
///
|
||||
/// Fetch recovery codes for an account.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[post("/recovery")]
|
||||
pub async fn fetch_recovery(
|
||||
account: Account,
|
||||
_ticket: ValidatedTicket,
|
||||
) -> Result<Json<Vec<String>>> {
|
||||
Ok(Json(account.mfa.recovery_codes))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::MFATicket;
|
||||
use rocket::http::{ContentType, Header, Status};
|
||||
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let ticket = MFATicket::new(account.id, true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/mfa/recovery")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.header(ContentType::JSON)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<Vec<String>>().await.unwrap().is_empty());
|
||||
}
|
||||
}
|
||||
37
crates/delta/src/routes/mfa/fetch_status.rs
Normal file
37
crates/delta/src/routes/mfa/fetch_status.rs
Normal file
@@ -0,0 +1,37 @@
|
||||
//! Fetch MFA status of an account.
|
||||
//! GET /mfa
|
||||
use revolt_database::Account;
|
||||
use revolt_result::Result;
|
||||
use revolt_models::v0;
|
||||
use rocket::serde::json::Json;
|
||||
|
||||
/// # MFA Status
|
||||
///
|
||||
/// Fetch MFA status of an account.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[get("/")]
|
||||
pub async fn fetch_status(account: Account) -> Result<Json<v0::MultiFactorStatus>> {
|
||||
Ok(Json(account.mfa.into()))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use rocket::http::{Header, Status};
|
||||
use revolt_models::v0;
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (_, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.get("/auth/mfa")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<v0::MultiFactorStatus>().await.is_some());
|
||||
}
|
||||
}
|
||||
66
crates/delta/src/routes/mfa/generate_recovery.rs
Normal file
66
crates/delta/src/routes/mfa/generate_recovery.rs
Normal file
@@ -0,0 +1,66 @@
|
||||
//! Re-generate recovery codes for an account.
|
||||
//! PATCH /mfa/recovery
|
||||
use revolt_database::{Account, ValidatedTicket, Database};
|
||||
use revolt_result::Result;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
|
||||
/// # Generate Recovery Codes
|
||||
///
|
||||
/// Re-generate recovery codes for an account.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[patch("/recovery")]
|
||||
pub async fn generate_recovery(
|
||||
db: &State<Database>,
|
||||
mut account: Account,
|
||||
_ticket: ValidatedTicket,
|
||||
) -> Result<Json<Vec<String>>> {
|
||||
// Generate new codes
|
||||
account.mfa.generate_recovery_codes();
|
||||
|
||||
// Save account model
|
||||
account.save(db).await?;
|
||||
|
||||
// Return them to the user
|
||||
Ok(Json(account.mfa.recovery_codes))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::MFATicket;
|
||||
use rocket::http::{ContentType, Header, Status};
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let ticket1 = MFATicket::new(account.id.to_string(), true);
|
||||
ticket1.save(&harness.db).await.unwrap();
|
||||
|
||||
let ticket2 = MFATicket::new(account.id, true);
|
||||
ticket2.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.patch("/auth/mfa/recovery")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.header(Header::new("X-MFA-Ticket", ticket1.token))
|
||||
.header(ContentType::JSON)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<Vec<String>>().await.is_some());
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/mfa/recovery")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket2.token))
|
||||
.header(ContentType::JSON)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert_eq!(res.into_json::<Vec<String>>().await.unwrap().len(), 10);
|
||||
}
|
||||
}
|
||||
71
crates/delta/src/routes/mfa/get_mfa_methods.rs
Normal file
71
crates/delta/src/routes/mfa/get_mfa_methods.rs
Normal file
@@ -0,0 +1,71 @@
|
||||
//! Fetch available MFA methods.
|
||||
//! GET /mfa/methods
|
||||
use revolt_database::Account;
|
||||
use revolt_models::v0;
|
||||
use rocket::serde::json::Json;
|
||||
|
||||
/// # Get MFA Methods
|
||||
///
|
||||
/// Fetch available MFA methods.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[get("/methods")]
|
||||
pub async fn get_mfa_methods(account: Account) -> Json<Vec<v0::MFAMethod>> {
|
||||
Json(
|
||||
account
|
||||
.mfa
|
||||
.get_methods()
|
||||
.into_iter()
|
||||
.map(Into::into)
|
||||
.collect(),
|
||||
)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::Totp;
|
||||
use rocket::http::{Header, Status};
|
||||
use revolt_models::v0;
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (_, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.get("/auth/mfa/methods")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert_eq!(
|
||||
res.into_json::<Vec<v0::MFAMethod>>().await.unwrap(),
|
||||
vec![v0::MFAMethod::Password]
|
||||
);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_has_recovery_and_totp() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.mfa.totp_token = Totp::Enabled {
|
||||
secret: "some".to_string(),
|
||||
};
|
||||
account.mfa.generate_recovery_codes();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.get("/auth/mfa/methods")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert_eq!(
|
||||
res.into_json::<Vec<v0::MFAMethod>>().await.unwrap(),
|
||||
vec![v0::MFAMethod::Totp, v0::MFAMethod::Recovery]
|
||||
);
|
||||
}
|
||||
}
|
||||
24
crates/delta/src/routes/mfa/mod.rs
Normal file
24
crates/delta/src/routes/mfa/mod.rs
Normal file
@@ -0,0 +1,24 @@
|
||||
use revolt_rocket_okapi::revolt_okapi::openapi3::OpenApi;
|
||||
use rocket::Route;
|
||||
|
||||
pub mod create_ticket;
|
||||
pub mod fetch_recovery;
|
||||
pub mod fetch_status;
|
||||
pub mod generate_recovery;
|
||||
pub mod get_mfa_methods;
|
||||
pub mod totp_disable;
|
||||
pub mod totp_enable;
|
||||
pub mod totp_generate_secret;
|
||||
|
||||
pub fn routes() -> (Vec<Route>, OpenApi) {
|
||||
openapi_get_routes_spec![
|
||||
create_ticket::create_ticket,
|
||||
fetch_status::fetch_status,
|
||||
fetch_recovery::fetch_recovery,
|
||||
generate_recovery::generate_recovery,
|
||||
get_mfa_methods::get_mfa_methods,
|
||||
totp_disable::totp_disable,
|
||||
totp_enable::totp_enable,
|
||||
totp_generate_secret::totp_generate_secret,
|
||||
]
|
||||
}
|
||||
49
crates/delta/src/routes/mfa/totp_disable.rs
Normal file
49
crates/delta/src/routes/mfa/totp_disable.rs
Normal file
@@ -0,0 +1,49 @@
|
||||
//! Disable TOTP 2FA.
|
||||
//! DELETE /mfa/totp
|
||||
use revolt_database::{Database, Account, ValidatedTicket, Totp};
|
||||
use revolt_result::Result;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Disable TOTP 2FA
|
||||
///
|
||||
/// Disable TOTP 2FA for an account.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[delete("/totp")]
|
||||
pub async fn totp_disable(
|
||||
db: &State<Database>,
|
||||
mut account: Account,
|
||||
_ticket: ValidatedTicket,
|
||||
) -> Result<EmptyResponse> {
|
||||
// Disable TOTP
|
||||
account.mfa.totp_token = Totp::Disabled;
|
||||
|
||||
// Save model to database
|
||||
account.save(db).await.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::MFATicket;
|
||||
use rocket::http::{Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let ticket = MFATicket::new(account.id, true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
|
||||
let res = harness.client
|
||||
.delete("/auth/mfa/totp")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
}
|
||||
}
|
||||
102
crates/delta/src/routes/mfa/totp_enable.rs
Normal file
102
crates/delta/src/routes/mfa/totp_enable.rs
Normal file
@@ -0,0 +1,102 @@
|
||||
//! Generate a new secret for TOTP.
|
||||
//! POST /mfa/totp
|
||||
use revolt_database::{Database, Account};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::Result;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Enable TOTP 2FA
|
||||
///
|
||||
/// Generate a new secret for TOTP.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[put("/totp", data = "<data>")]
|
||||
pub async fn totp_enable(
|
||||
db: &State<Database>,
|
||||
mut account: Account,
|
||||
data: Json<v0::MFAResponse>,
|
||||
) -> Result<EmptyResponse> {
|
||||
// Enable TOTP 2FA
|
||||
account.mfa.enable_totp(data.into_inner())?;
|
||||
|
||||
// Save model to database
|
||||
account.save(db).await.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::{MFATicket, Totp};
|
||||
use rocket::http::{ContentType, Header, Status};
|
||||
use revolt_models::v0;
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/mfa/totp")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
|
||||
let secret = res.into_json::<v0::ResponseTotpSecret>().await.unwrap().secret;
|
||||
|
||||
let code = Totp::Enabled { secret }.generate_code().unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/totp")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(ContentType::JSON)
|
||||
.body(json!({ "totp_code": code }).to_string())
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": account.email.clone(),
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
let response = res.into_json::<v0::ResponseLogin>().await.unwrap();
|
||||
|
||||
if let v0::ResponseLogin::MFA { ticket, .. } = response {
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"mfa_ticket": ticket,
|
||||
"mfa_response": {
|
||||
"totp_code": code
|
||||
}
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
} else {
|
||||
unreachable!("Did not receive MFA challenge!");
|
||||
}
|
||||
}
|
||||
}
|
||||
59
crates/delta/src/routes/mfa/totp_generate_secret.rs
Normal file
59
crates/delta/src/routes/mfa/totp_generate_secret.rs
Normal file
@@ -0,0 +1,59 @@
|
||||
//! Generate a new secret for TOTP.
|
||||
//! POST /mfa/totp
|
||||
use revolt_result::Result;
|
||||
use revolt_models::v0;
|
||||
use revolt_database::{Database, Account, ValidatedTicket};
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
|
||||
|
||||
/// # Generate TOTP Secret
|
||||
///
|
||||
/// Generate a new secret for TOTP.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[post("/totp")]
|
||||
pub async fn totp_generate_secret(
|
||||
db: &State<Database>,
|
||||
mut account: Account,
|
||||
_ticket: ValidatedTicket,
|
||||
) -> Result<Json<v0::ResponseTotpSecret>> {
|
||||
// Generate a new secret
|
||||
let secret = account.mfa.generate_new_totp_secret()?;
|
||||
|
||||
// Save model to database
|
||||
account.save(db).await?;
|
||||
|
||||
// Send secret to user
|
||||
Ok(Json(v0::ResponseTotpSecret { secret }))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::{MFATicket, Totp};
|
||||
use rocket::http::{Header, Status};
|
||||
use revolt_models::v0;
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/mfa/totp")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
|
||||
let secret = res.into_json::<v0::ResponseTotpSecret>().await.unwrap().secret;
|
||||
|
||||
let account = harness.db.fetch_account(&account.id).await.unwrap();
|
||||
assert_eq!(account.mfa.totp_token, Totp::Pending { secret });
|
||||
}
|
||||
}
|
||||
@@ -17,6 +17,9 @@ mod servers;
|
||||
mod sync;
|
||||
mod users;
|
||||
mod webhooks;
|
||||
mod account;
|
||||
mod session;
|
||||
mod mfa;
|
||||
|
||||
pub fn mount(config: Settings, mut rocket: Rocket<Build>) -> Rocket<Build> {
|
||||
let settings = OpenApiSettings::default();
|
||||
@@ -33,9 +36,9 @@ pub fn mount(config: Settings, mut rocket: Rocket<Build>) -> Rocket<Build> {
|
||||
"/invites" => invites::routes(),
|
||||
"/custom" => customisation::routes(),
|
||||
"/safety" => safety::routes(),
|
||||
"/auth/account" => rocket_authifier::routes::account::routes(),
|
||||
"/auth/session" => rocket_authifier::routes::session::routes(),
|
||||
"/auth/mfa" => rocket_authifier::routes::mfa::routes(),
|
||||
"/auth/account" => account::routes(),
|
||||
"/auth/session" => session::routes(),
|
||||
"/auth/mfa" => mfa::routes(),
|
||||
"/onboard" => onboard::routes(),
|
||||
"/policy" => policy::routes(),
|
||||
"/push" => push::routes(),
|
||||
@@ -54,9 +57,9 @@ pub fn mount(config: Settings, mut rocket: Rocket<Build>) -> Rocket<Build> {
|
||||
"/invites" => invites::routes(),
|
||||
"/custom" => customisation::routes(),
|
||||
"/safety" => safety::routes(),
|
||||
"/auth/account" => rocket_authifier::routes::account::routes(),
|
||||
"/auth/session" => rocket_authifier::routes::session::routes(),
|
||||
"/auth/mfa" => rocket_authifier::routes::mfa::routes(),
|
||||
"/auth/account" => account::routes(),
|
||||
"/auth/session" => session::routes(),
|
||||
"/auth/mfa" => mfa::routes(),
|
||||
"/onboard" => onboard::routes(),
|
||||
"/policy" => policy::routes(),
|
||||
"/push" => push::routes(),
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
use authifier::models::Session;
|
||||
use once_cell::sync::Lazy;
|
||||
use regex::Regex;
|
||||
use revolt_database::{Database, User};
|
||||
use revolt_database::{Database, User, Session};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{create_error, Result};
|
||||
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
use authifier::models::Session;
|
||||
use revolt_database::User;
|
||||
use revolt_database::{Session, User};
|
||||
|
||||
use rocket::serde::json::Json;
|
||||
use serde::Serialize;
|
||||
|
||||
@@ -1,7 +1,5 @@
|
||||
use authifier::{
|
||||
models::{Session, WebPushSubscription},
|
||||
Authifier,
|
||||
};
|
||||
use revolt_database::{Database, Session};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{create_database_error, Result};
|
||||
use rocket::{serde::json::Json, State};
|
||||
use rocket_empty::EmptyResponse;
|
||||
@@ -14,13 +12,13 @@ use rocket_empty::EmptyResponse;
|
||||
#[openapi(tag = "Web Push")]
|
||||
#[post("/subscribe", data = "<data>")]
|
||||
pub async fn subscribe(
|
||||
authifier: &State<Authifier>,
|
||||
db: &State<Database>,
|
||||
mut session: Session,
|
||||
data: Json<WebPushSubscription>,
|
||||
data: Json<v0::WebPushSubscription>,
|
||||
) -> Result<EmptyResponse> {
|
||||
session.subscription = Some(data.into_inner());
|
||||
session.subscription = Some(data.into_inner().into());
|
||||
session
|
||||
.save(authifier)
|
||||
.save(db)
|
||||
.await
|
||||
.map(|_| EmptyResponse)
|
||||
.map_err(|_| create_database_error!("save", "session"))
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
use authifier::{models::Session, Authifier};
|
||||
|
||||
use revolt_database::{Database, Session};
|
||||
use revolt_result::{create_database_error, Result};
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
@@ -10,13 +9,10 @@ use rocket::State;
|
||||
/// Remove the Web Push subscription associated with the current session.
|
||||
#[openapi(tag = "Web Push")]
|
||||
#[post("/unsubscribe")]
|
||||
pub async fn unsubscribe(
|
||||
authifier: &State<Authifier>,
|
||||
mut session: Session,
|
||||
) -> Result<EmptyResponse> {
|
||||
pub async fn unsubscribe(db: &State<Database>, mut session: Session) -> Result<EmptyResponse> {
|
||||
session.subscription = None;
|
||||
session
|
||||
.save(authifier)
|
||||
.save(db)
|
||||
.await
|
||||
.map(|_| EmptyResponse)
|
||||
.map_err(|_| create_database_error!("save", "session"))
|
||||
|
||||
@@ -1,14 +1,13 @@
|
||||
use std::collections::HashSet;
|
||||
|
||||
use authifier::models::{totp::Totp, Account, ValidatedTicket};
|
||||
use revolt_database::{
|
||||
util::{permissions::DatabasePermissionQuery, reference::Reference},
|
||||
Database, File, PartialServer, User,
|
||||
Database, File, PartialServer, User, ValidatedTicket,
|
||||
};
|
||||
use revolt_models::v0;
|
||||
use revolt_permissions::{calculate_server_permissions, ChannelPermission};
|
||||
use revolt_result::{create_error, Result};
|
||||
use rocket::{serde::json::Json, Request, State};
|
||||
use rocket::{serde::json::Json, State};
|
||||
use validator::Validate;
|
||||
|
||||
/// # Edit Server
|
||||
@@ -18,7 +17,6 @@ use validator::Validate;
|
||||
#[patch("/<target>", data = "<data>")]
|
||||
pub async fn edit(
|
||||
db: &State<Database>,
|
||||
account: Account,
|
||||
user: User,
|
||||
target: Reference<'_>,
|
||||
data: Json<v0::DataEditServer>,
|
||||
|
||||
67
crates/delta/src/routes/session/edit.rs
Normal file
67
crates/delta/src/routes/session/edit.rs
Normal file
@@ -0,0 +1,67 @@
|
||||
//! Edit a session
|
||||
//! PATCH /session/:id
|
||||
use revolt_database::{Database, Session};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{Result, create_error};
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
|
||||
|
||||
/// # Edit Session
|
||||
///
|
||||
/// Edit current session information.
|
||||
#[openapi(tag = "Session")]
|
||||
#[patch("/<id>", data = "<data>")]
|
||||
pub async fn edit(
|
||||
db: &State<Database>,
|
||||
user: Session,
|
||||
id: String,
|
||||
data: Json<v0::DataEditSession>,
|
||||
) -> Result<Json<v0::SessionInfo>> {
|
||||
let mut session = db.fetch_session(&id).await?;
|
||||
|
||||
// Make sure we own this session
|
||||
if user.user_id != session.user_id {
|
||||
return Err(create_error!(InvalidSession));
|
||||
}
|
||||
|
||||
// Rename the session
|
||||
session.name = data.into_inner().friendly_name;
|
||||
|
||||
// Save session
|
||||
session.save(db).await?;
|
||||
|
||||
Ok(Json(session.into()))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use rocket::http::{ContentType, Status};
|
||||
use revolt_models::v0;
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
use rocket::http::Header;
|
||||
|
||||
let harness = TestHarness::new().await;
|
||||
let (_, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.patch(format!("/auth/session/{}", session.id))
|
||||
.header(ContentType::JSON)
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.body(
|
||||
json!({
|
||||
"friendly_name": "test name"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
|
||||
assert_eq!(res.into_json::<v0::SessionInfo>().await.unwrap().name, "test name");
|
||||
}
|
||||
}
|
||||
52
crates/delta/src/routes/session/fetch_all.rs
Normal file
52
crates/delta/src/routes/session/fetch_all.rs
Normal file
@@ -0,0 +1,52 @@
|
||||
//! Fetch all sessions
|
||||
//! GET /session/all
|
||||
use revolt_result::Result;
|
||||
use revolt_database::{Database, Session};
|
||||
use revolt_models::v0;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
|
||||
/// # Fetch Sessions
|
||||
///
|
||||
/// Fetch all sessions associated with this account.
|
||||
#[openapi(tag = "Session")]
|
||||
#[get("/all")]
|
||||
pub async fn fetch_all(
|
||||
db: &State<Database>,
|
||||
session: Session,
|
||||
) -> Result<Json<Vec<v0::SessionInfo>>> {
|
||||
db
|
||||
.fetch_sessions(&session.user_id)
|
||||
.await
|
||||
.map(|ok| ok.into_iter().map(|session| session.into()).collect())
|
||||
.map(Json)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use rocket::http::{Header, Status};
|
||||
use revolt_models::v0;
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
for i in 1..=3 {
|
||||
account
|
||||
.create_session(&harness.db, format!("session{}", i))
|
||||
.await
|
||||
.unwrap();
|
||||
}
|
||||
|
||||
let res = harness.client
|
||||
.get("/auth/session/all")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert_eq!(res.into_json::<Vec<v0::SessionInfo>>().await.unwrap().len(), 4);
|
||||
}
|
||||
}
|
||||
588
crates/delta/src/routes/session/login.rs
Normal file
588
crates/delta/src/routes/session/login.rs
Normal file
@@ -0,0 +1,588 @@
|
||||
//! Login to an account
|
||||
//! POST /session/login
|
||||
use std::ops::Add;
|
||||
use std::time::Duration;
|
||||
|
||||
use async_std::task::sleep;
|
||||
use iso8601_timestamp::Timestamp;
|
||||
use revolt_database::{
|
||||
util::{email::normalise_email, password::assert_safe},
|
||||
Database, EmailVerification, Lockout, MFATicket,
|
||||
};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{create_error, Result};
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
|
||||
/// # Login
|
||||
///
|
||||
/// Login to an account.
|
||||
#[openapi(tag = "Session")]
|
||||
#[post("/login", data = "<data>")]
|
||||
pub async fn login(
|
||||
db: &State<Database>,
|
||||
data: Json<v0::DataLogin>,
|
||||
) -> Result<Json<v0::ResponseLogin>> {
|
||||
// Random jitter from 0-1000ms
|
||||
sleep(Duration::from_millis((rand::random::<f32>() * 1000.) as u64)).await;
|
||||
|
||||
let (account, name) = match data.into_inner() {
|
||||
v0::DataLogin::Email {
|
||||
email,
|
||||
password,
|
||||
friendly_name,
|
||||
} => {
|
||||
// Try to find the account we want
|
||||
let email_normalised = normalise_email(email);
|
||||
|
||||
// Lookup the email in database
|
||||
if let Some(mut account) = db
|
||||
.fetch_account_by_normalised_email(&email_normalised)
|
||||
.await?
|
||||
{
|
||||
// Make sure the account has been verified
|
||||
if let EmailVerification::Pending { .. } = account.verification {
|
||||
return Err(create_error!(UnverifiedAccount));
|
||||
}
|
||||
|
||||
// Make sure password has not been compromised
|
||||
assert_safe(&password).await?;
|
||||
|
||||
// Check for account lockout
|
||||
if let Some(lockout) = &account.lockout {
|
||||
if let Some(expiry) = lockout.expiry {
|
||||
if expiry > Timestamp::now_utc() {
|
||||
return Err(create_error!(LockedOut));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Verify the password is correct.
|
||||
if let Err(err) = account.verify_password(&password) {
|
||||
// Lock out account if attempts are too high
|
||||
if let Some(lockout) = &mut account.lockout {
|
||||
lockout.attempts += 1;
|
||||
|
||||
// Allow 3 attempts
|
||||
//
|
||||
// Lockout for 1 minute on 3rd attempt
|
||||
// Lockout for 5 minutes on 4th attempt
|
||||
// Lockout for 1 hour on each subsequent attempt
|
||||
if lockout.attempts >= 3 {
|
||||
lockout.expiry = Some(Timestamp::now_utc().add(Duration::from_secs(
|
||||
if lockout.attempts >= 5 {
|
||||
3600
|
||||
} else if lockout.attempts == 4 {
|
||||
300
|
||||
} else {
|
||||
60
|
||||
},
|
||||
)));
|
||||
}
|
||||
} else {
|
||||
account.lockout = Some(Lockout {
|
||||
attempts: 1,
|
||||
expiry: None,
|
||||
});
|
||||
}
|
||||
|
||||
account.save(db).await?;
|
||||
return Err(err);
|
||||
}
|
||||
|
||||
// Clear lockout information if present
|
||||
if account.lockout.is_some() {
|
||||
account.lockout = None;
|
||||
account.save(db).await?;
|
||||
}
|
||||
|
||||
// Check whether an MFA step is required
|
||||
if account.mfa.is_active() {
|
||||
// Create a new ticket
|
||||
let mut ticket = MFATicket::new(account.id, false);
|
||||
ticket.populate(&account.mfa).await;
|
||||
ticket.save(db).await?;
|
||||
|
||||
// Return applicable methods
|
||||
return Ok(Json(v0::ResponseLogin::MFA {
|
||||
ticket: ticket.token,
|
||||
allowed_methods: account
|
||||
.mfa
|
||||
.get_methods()
|
||||
.into_iter()
|
||||
.map(Into::into)
|
||||
.collect(),
|
||||
}));
|
||||
}
|
||||
|
||||
(account, friendly_name)
|
||||
} else {
|
||||
return Err(create_error!(InvalidCredentials));
|
||||
}
|
||||
}
|
||||
v0::DataLogin::MFA {
|
||||
mfa_ticket,
|
||||
mfa_response,
|
||||
friendly_name,
|
||||
} => {
|
||||
// Resolve the MFA ticket
|
||||
let ticket = db
|
||||
.fetch_ticket_by_token(&mfa_ticket)
|
||||
.await?;
|
||||
|
||||
// Find the corresponding account
|
||||
let mut account = db.fetch_account(&ticket.account_id).await?;
|
||||
|
||||
// Verify the MFA response
|
||||
if let Some(mfa_response) = mfa_response {
|
||||
account
|
||||
.consume_mfa_response(db, mfa_response, Some(ticket))
|
||||
.await?;
|
||||
} else if !ticket.authorised {
|
||||
return Err(create_error!(InvalidToken));
|
||||
}
|
||||
|
||||
(account, friendly_name)
|
||||
}
|
||||
};
|
||||
|
||||
// Generate a session name
|
||||
let name = name.unwrap_or_else(|| "Unknown".to_string());
|
||||
|
||||
// Prevent disabled accounts from logging in
|
||||
if account.disabled {
|
||||
return Ok(Json(v0::ResponseLogin::Disabled {
|
||||
user_id: account.id,
|
||||
}));
|
||||
}
|
||||
|
||||
// Create and return a new session
|
||||
Ok(Json(v0::ResponseLogin::Success(
|
||||
account.create_session(db, name).await?.into(),
|
||||
)))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use iso8601_timestamp::Timestamp;
|
||||
use revolt_database::{Account, EmailVerification, Lockout, MFATicket, Totp, events::client::EventV1};
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use rocket::http::{ContentType, Status};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{Error, ErrorType};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let mut harness = TestHarness::new().await;
|
||||
|
||||
Account::new(
|
||||
&harness.db,
|
||||
"example@validemail.com".into(),
|
||||
"password_insecure".into(),
|
||||
false,
|
||||
)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
harness.wait_for_event("global", |_| true).await;
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "EXAMPLE@validemail.com",
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<v0::Session>().await.is_some());
|
||||
|
||||
let event = harness.wait_for_event("global", |_| true).await;
|
||||
if !matches!(event, EventV1::CreateSession { .. }) {
|
||||
panic!("Received incorrect event type. {:?}", event);
|
||||
}
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_totp_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, _, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": &account.email,
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
let response = serde_json::from_str::<v0::ResponseLogin>(
|
||||
&res.into_string().await.unwrap(),
|
||||
)
|
||||
.expect("`ResponseLogin`");
|
||||
|
||||
if let v0::ResponseLogin::MFA {
|
||||
ticket,
|
||||
allowed_methods,
|
||||
} = response
|
||||
{
|
||||
assert!(allowed_methods.contains(&v0::MFAMethod::Totp));
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"mfa_ticket": ticket,
|
||||
"mfa_response": {
|
||||
"totp_code": totp.generate_code().expect("totp code")
|
||||
}
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(serde_json::from_str::<v0::Session>(&res.into_string().await.unwrap()).is_ok());
|
||||
} else {
|
||||
panic!("expected `ResponseLogin::MFA`")
|
||||
}
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_totp_stored_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, _, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let mut ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.last_totp_code = Some("token from earlier".into());
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"mfa_ticket": ticket.token,
|
||||
"mfa_response": {
|
||||
"totp_code": "token from earlier"
|
||||
}
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(serde_json::from_str::<v0::Session>(&res.into_string().await.unwrap()).is_ok());
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_totp_invalid_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, _, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.json(
|
||||
&json!({
|
||||
"email": account.email.clone(),
|
||||
"password": "password_insecure"
|
||||
})
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
let response = serde_json::from_str::<v0::ResponseLogin>(
|
||||
&res.into_string().await.unwrap(),
|
||||
)
|
||||
.expect("`ResponseLogin`");
|
||||
|
||||
if let v0::ResponseLogin::MFA {
|
||||
ticket,
|
||||
allowed_methods,
|
||||
} = response
|
||||
{
|
||||
assert!(allowed_methods.contains(&v0::MFAMethod::Totp));
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.json(
|
||||
&json!({
|
||||
"mfa_ticket": ticket,
|
||||
"mfa_response": {
|
||||
"totp_code": "some random data"
|
||||
}
|
||||
})
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidToken,
|
||||
));
|
||||
} else {
|
||||
panic!("expected `ResponseLogin::MFA`")
|
||||
}
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_invalid_user() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.json(
|
||||
&json!({
|
||||
"email": "example@validemail.com",
|
||||
"password": "password_insecure"
|
||||
})
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidCredentials,
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_disabled_account() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let mut account = Account::new(
|
||||
&harness.db,
|
||||
"example@validemail.com".into(),
|
||||
"password_insecure".into(),
|
||||
false,
|
||||
)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
account.disabled = true;
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "example@validemail.com",
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
let response = serde_json::from_str::<v0::ResponseLogin>(
|
||||
&res.into_string().await.unwrap(),
|
||||
)
|
||||
.expect("`ResponseLogin`");
|
||||
|
||||
assert!(matches!(
|
||||
response,
|
||||
v0::ResponseLogin::Disabled { .. }
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_unverified_account() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let mut account = Account::new(
|
||||
&harness.db,
|
||||
"example@validemail.com".into(),
|
||||
"password_insecure".into(),
|
||||
false,
|
||||
)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
account.verification = EmailVerification::Pending {
|
||||
token: "".to_string(),
|
||||
expiry: Timestamp::now_utc(),
|
||||
};
|
||||
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "example@validemail.com",
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Forbidden);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::UnverifiedAccount,
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_locked_account() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let mut account = Account::new(
|
||||
&harness.db,
|
||||
"example@validemail.com".into(),
|
||||
"password_insecure".into(),
|
||||
false,
|
||||
)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
|
||||
// Attempt 1
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "example@validemail.com",
|
||||
"password": "wrong_password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidCredentials,
|
||||
));
|
||||
|
||||
// Attempt 2
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "example@validemail.com",
|
||||
"password": "wrong_password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidCredentials,
|
||||
));
|
||||
|
||||
// Attempt 3
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "example@validemail.com",
|
||||
"password": "wrong_password"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidCredentials,
|
||||
));
|
||||
|
||||
// Attempt 4: Locked Out
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "example@validemail.com",
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Forbidden);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::LockedOut,
|
||||
));
|
||||
// Pretend it expired
|
||||
account.lockout = Some(Lockout {
|
||||
attempts: 9001,
|
||||
expiry: Some(Timestamp::now_utc()),
|
||||
});
|
||||
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
// Once it expires, we can log in.
|
||||
let res = harness.client
|
||||
.post("/auth/session/login")
|
||||
.header(ContentType::JSON)
|
||||
.body(
|
||||
json!({
|
||||
"email": "example@validemail.com",
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(serde_json::from_str::<v0::Session>(&res.into_string().await.unwrap()).is_ok());
|
||||
}
|
||||
}
|
||||
79
crates/delta/src/routes/session/logout.rs
Normal file
79
crates/delta/src/routes/session/logout.rs
Normal file
@@ -0,0 +1,79 @@
|
||||
//! Logout of current session
|
||||
//! POST /session/logout
|
||||
use revolt_database::{Database, Session};
|
||||
use revolt_result::Result;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Logout
|
||||
///
|
||||
/// Delete current session.
|
||||
#[openapi(tag = "Session")]
|
||||
#[post("/logout")]
|
||||
pub async fn logout(db: &State<Database>, session: Session) -> Result<EmptyResponse> {
|
||||
session.delete(db).await.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::events::client::EventV1;
|
||||
use revolt_result::ErrorType;
|
||||
use rocket::http::{Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let mut harness = TestHarness::new().await;
|
||||
let (_, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/logout")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
drop(res);
|
||||
assert!(matches!(
|
||||
harness.db
|
||||
.fetch_session(&session.id)
|
||||
.await
|
||||
.unwrap_err().error_type,
|
||||
ErrorType::UnknownUser
|
||||
));
|
||||
|
||||
let event = harness.wait_for_event(&format!("{}!", &session.user_id), |evt| matches!(evt, EventV1::DeleteSession { .. })).await;
|
||||
if let EventV1::DeleteSession {
|
||||
user_id,
|
||||
session_id,
|
||||
} = event
|
||||
{
|
||||
assert_eq!(user_id, session.user_id);
|
||||
assert_eq!(session_id, session.id);
|
||||
} else {
|
||||
panic!("Received incorrect event type. {:?}", event);
|
||||
}
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_invalid_session() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness.client
|
||||
.post("/auth/session/logout")
|
||||
.header(Header::new("X-Session-Token", "invalid"))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_no_session() {
|
||||
let harness = TestHarness::new().await;
|
||||
|
||||
let res = harness.client.post("/auth/session/logout").dispatch().await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
}
|
||||
}
|
||||
20
crates/delta/src/routes/session/mod.rs
Normal file
20
crates/delta/src/routes/session/mod.rs
Normal file
@@ -0,0 +1,20 @@
|
||||
use revolt_rocket_okapi::revolt_okapi::openapi3::OpenApi;
|
||||
use rocket::Route;
|
||||
|
||||
pub mod edit;
|
||||
pub mod fetch_all;
|
||||
pub mod login;
|
||||
pub mod logout;
|
||||
pub mod revoke;
|
||||
pub mod revoke_all;
|
||||
|
||||
pub fn routes() -> (Vec<Route>, OpenApi) {
|
||||
openapi_get_routes_spec![
|
||||
login::login,
|
||||
logout::logout,
|
||||
fetch_all::fetch_all,
|
||||
revoke::revoke,
|
||||
revoke_all::revoke_all,
|
||||
edit::edit
|
||||
]
|
||||
}
|
||||
114
crates/delta/src/routes/session/revoke.rs
Normal file
114
crates/delta/src/routes/session/revoke.rs
Normal file
@@ -0,0 +1,114 @@
|
||||
//! Revoke an active session
|
||||
//! DELETE /session/:id
|
||||
use revolt_database::{Database, Session, ValidatedTicket};
|
||||
use revolt_result::{Result, create_error};
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Revoke Session
|
||||
///
|
||||
/// Delete a specific active session.
|
||||
#[openapi(tag = "Session")]
|
||||
#[delete("/<id>")]
|
||||
pub async fn revoke(
|
||||
db: &State<Database>,
|
||||
_ticket: ValidatedTicket,
|
||||
user: Session,
|
||||
id: String,
|
||||
) -> Result<EmptyResponse> {
|
||||
let session = db.fetch_session(&id).await?;
|
||||
|
||||
if session.user_id != user.user_id {
|
||||
return Err(create_error!(InvalidToken));
|
||||
}
|
||||
|
||||
session.delete(db).await.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::{MFATicket, Totp};
|
||||
use revolt_result::ErrorType;
|
||||
use rocket::http::{Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.delete(format!("/auth/session/{}", session.id))
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
assert!(matches!(
|
||||
harness.db
|
||||
.fetch_session(&session.id)
|
||||
.await
|
||||
.unwrap_err()
|
||||
.error_type,
|
||||
ErrorType::UnknownUser
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.delete(format!("/auth/session/{}", session.id))
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
assert!(matches!(
|
||||
harness.db
|
||||
.fetch_session(&session.id)
|
||||
.await
|
||||
.unwrap_err()
|
||||
.error_type,
|
||||
ErrorType::UnknownUser
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.delete(format!("/auth/session/{}", session.id))
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
}
|
||||
}
|
||||
196
crates/delta/src/routes/session/revoke_all.rs
Normal file
196
crates/delta/src/routes/session/revoke_all.rs
Normal file
@@ -0,0 +1,196 @@
|
||||
//! Revoke all sessions
|
||||
//! DELETE /session/all
|
||||
use revolt_database::{Account, Database, Session, ValidatedTicket};
|
||||
use revolt_result::Result;
|
||||
use rocket::State;
|
||||
use rocket_empty::EmptyResponse;
|
||||
|
||||
/// # Delete All Sessions
|
||||
///
|
||||
/// Delete all active sessions, optionally including current one.
|
||||
#[openapi(tag = "Session")]
|
||||
#[delete("/all?<revoke_self>")]
|
||||
pub async fn revoke_all(
|
||||
db: &State<Database>,
|
||||
_ticket: ValidatedTicket,
|
||||
session: Session,
|
||||
account: Account,
|
||||
revoke_self: Option<bool>,
|
||||
) -> Result<EmptyResponse> {
|
||||
let ignore = if revoke_self.unwrap_or(false) {
|
||||
None
|
||||
} else {
|
||||
Some(session.id)
|
||||
};
|
||||
|
||||
account
|
||||
.delete_all_sessions(db, ignore)
|
||||
.await
|
||||
.map(|_| EmptyResponse)
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::{MFATicket, Totp};
|
||||
use rocket::http::{Header, Status};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
for i in 1..=3 {
|
||||
account
|
||||
.create_session(&harness.db, format!("session{}", i))
|
||||
.await
|
||||
.unwrap();
|
||||
}
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.delete("/auth/session/all?revoke_self=true")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
assert!(harness.db
|
||||
.fetch_sessions(&session.user_id)
|
||||
.await
|
||||
.unwrap()
|
||||
.is_empty());
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_not_including_self() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (account, session, _) = harness.new_user().await;
|
||||
|
||||
for i in 1..=3 {
|
||||
account
|
||||
.create_session(&harness.db, format!("session{}", i))
|
||||
.await
|
||||
.unwrap();
|
||||
}
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.delete("/auth/session/all?revoke_self=false")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
let sessions = harness.db
|
||||
.fetch_sessions(&session.user_id)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
assert_eq!(sessions.len(), 1);
|
||||
assert_eq!(sessions[0].id, session.id);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
for i in 1..=3 {
|
||||
account
|
||||
.create_session(&harness.db, format!("session{}", i))
|
||||
.await
|
||||
.unwrap();
|
||||
}
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.delete("/auth/session/all?revoke_self=true")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
assert!(harness.db
|
||||
.fetch_sessions(&session.user_id)
|
||||
.await
|
||||
.unwrap()
|
||||
.is_empty());
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_not_including_self_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
for i in 1..=3 {
|
||||
account
|
||||
.create_session(&harness.db, format!("session{}", i))
|
||||
.await
|
||||
.unwrap();
|
||||
}
|
||||
|
||||
let ticket = MFATicket::new(account.id.to_string(), true);
|
||||
ticket.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.delete("/auth/session/all?revoke_self=false")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.header(Header::new("X-MFA-Ticket", ticket.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::NoContent);
|
||||
let sessions = harness.db
|
||||
.fetch_sessions(&session.user_id)
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
assert_eq!(sessions.len(), 1);
|
||||
assert_eq!(sessions[0].id, session.id);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn fail_mfa() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
let totp = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
|
||||
account.mfa.totp_token = totp.clone();
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.delete("/auth/session/all")
|
||||
.header(Header::new("X-Session-Token", session.token))
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
}
|
||||
}
|
||||
@@ -1,7 +1,6 @@
|
||||
use authifier::models::Account;
|
||||
use once_cell::sync::Lazy;
|
||||
use regex::Regex;
|
||||
use revolt_database::{Database, User};
|
||||
use revolt_database::{Database, User, Account};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{create_error, Result};
|
||||
use rocket::{serde::json::Json, State};
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
pub mod ratelimits;
|
||||
|
||||
#[cfg(test)]
|
||||
pub mod test;
|
||||
|
||||
@@ -1,22 +1,24 @@
|
||||
use authifier::{
|
||||
models::{Account, EmailVerification, Session},
|
||||
Authifier,
|
||||
};
|
||||
use std::time::Duration;
|
||||
|
||||
use futures::StreamExt;
|
||||
use rand::Rng;
|
||||
use redis_kiss::{redis::aio::PubSub};
|
||||
use redis_kiss::redis::aio::PubSub;
|
||||
use revolt_database::util::email::normalise_email;
|
||||
use revolt_database::util::password::hash_password;
|
||||
use revolt_database::{
|
||||
events::client::EventV1, Channel, Database, Member, Message, PartialRole, Server, User, AMQP,
|
||||
};
|
||||
use revolt_database::{util::idempotency::IdempotencyKey, Role};
|
||||
use revolt_database::{Account, EmailVerification, Session};
|
||||
use revolt_models::v0;
|
||||
use revolt_permissions::OverrideField;
|
||||
use rocket::http::Header;
|
||||
use rocket::local::asynchronous::{Client, LocalRequest, LocalResponse};
|
||||
use rocket::tokio;
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
pub struct TestHarness {
|
||||
pub client: Client,
|
||||
authifier: Authifier,
|
||||
pub db: Database,
|
||||
pub amqp: AMQP,
|
||||
sub: PubSub,
|
||||
@@ -41,17 +43,10 @@ impl TestHarness {
|
||||
.expect("`Database`")
|
||||
.clone();
|
||||
|
||||
let authifier = client
|
||||
.rocket()
|
||||
.state::<Authifier>()
|
||||
.expect("`Authifier`")
|
||||
.clone();
|
||||
|
||||
let amqp = AMQP::new_auto().await;
|
||||
|
||||
TestHarness {
|
||||
client,
|
||||
authifier,
|
||||
db,
|
||||
amqp,
|
||||
sub,
|
||||
@@ -79,11 +74,12 @@ impl TestHarness {
|
||||
}
|
||||
|
||||
pub async fn account_from_user(&self, id: String) -> (Account, Session) {
|
||||
let email = format!("{}@stoat.chat", TestHarness::rand_string());
|
||||
let account = Account {
|
||||
id,
|
||||
email: format!("{}@revolt.chat", TestHarness::rand_string()),
|
||||
password: Default::default(),
|
||||
email_normalised: Default::default(),
|
||||
email: email.clone(),
|
||||
password: hash_password("password_insecure".to_string()).unwrap(),
|
||||
email_normalised: normalise_email(email),
|
||||
deletion: None,
|
||||
disabled: false,
|
||||
lockout: None,
|
||||
@@ -92,14 +88,10 @@ impl TestHarness {
|
||||
verification: EmailVerification::Verified,
|
||||
};
|
||||
|
||||
self.authifier
|
||||
.database
|
||||
.save_account(&account)
|
||||
.await
|
||||
.expect("`Account`");
|
||||
self.db.save_account(&account).await.expect("`Account`");
|
||||
|
||||
let session = account
|
||||
.create_session(&self.authifier, String::new())
|
||||
.create_session(&self.db, String::new())
|
||||
.await
|
||||
.expect("`Session`");
|
||||
|
||||
@@ -237,6 +229,40 @@ impl TestHarness {
|
||||
unreachable!()
|
||||
}
|
||||
|
||||
pub async fn assert_email(&self, mailbox: &str) -> (Mail, String) {
|
||||
// Wait a moment for maildev to catch the email
|
||||
|
||||
tokio::time::sleep(Duration::from_secs(1)).await;
|
||||
|
||||
let client = reqwest::Client::new();
|
||||
let results = client
|
||||
.get("http://localhost:14080/email")
|
||||
.send()
|
||||
.await
|
||||
.unwrap()
|
||||
.json::<Vec<Mail>>()
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
let re = regex::Regex::new(r"\[\[([A-Za-z0-9_-]*)\]\]").unwrap();
|
||||
|
||||
for entry in results.into_iter().rev() {
|
||||
if entry.envelope.to[0].address == mailbox {
|
||||
client
|
||||
.delete(format!("http://localhost:14080/delete/{}", &entry.id))
|
||||
.send()
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
let code = re.captures_iter(&entry.text).next().unwrap()[1].to_string();
|
||||
|
||||
return (entry, code);
|
||||
}
|
||||
}
|
||||
|
||||
panic!("Email not found.")
|
||||
}
|
||||
|
||||
pub async fn wait_for_message(&mut self, channel_id: &str) -> v0::Message {
|
||||
dbg!(&self.event_buffer);
|
||||
|
||||
@@ -252,3 +278,22 @@ impl TestHarness {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
pub struct Mail {
|
||||
pub id: String,
|
||||
pub envelope: MailEnvelope,
|
||||
pub subject: String,
|
||||
pub text: String,
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
pub struct MailEnvelope {
|
||||
pub from: MailAddress,
|
||||
pub to: Vec<MailAddress>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
pub struct MailAddress {
|
||||
pub address: String,
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user