forked from jmug/stoatchat
chore: migrate authifier into codebase (#658)
Co-authored-by: izzy <me@insrt.uk> Signed-off-by: Zomatree <me@zomatree.live> Signed-off-by: izzy <me@insrt.uk>
This commit is contained in:
157
crates/delta/src/routes/mfa/create_ticket.rs
Normal file
157
crates/delta/src/routes/mfa/create_ticket.rs
Normal file
@@ -0,0 +1,157 @@
|
||||
//! Create a new MFA ticket or validate an existing one.
|
||||
//! PUT /mfa/ticket
|
||||
use revolt_result::{Result, create_error};
|
||||
use revolt_database::{Account, Database, MFATicket, UnvalidatedTicket};
|
||||
use revolt_models::v0;
|
||||
use rocket::serde::json::Json;
|
||||
use rocket::State;
|
||||
|
||||
|
||||
/// # Create MFA ticket
|
||||
///
|
||||
/// Create a new MFA ticket or validate an existing one.
|
||||
#[openapi(tag = "MFA")]
|
||||
#[put("/ticket", data = "<data>")]
|
||||
pub async fn create_ticket(
|
||||
db: &State<Database>,
|
||||
account: Option<Account>,
|
||||
existing_ticket: Option<UnvalidatedTicket>,
|
||||
data: Json<v0::MFAResponse>,
|
||||
) -> Result<Json<v0::MFATicket>> {
|
||||
// Find the relevant account
|
||||
let mut account = match (account, existing_ticket) {
|
||||
(Some(_), Some(_)) => return Err(create_error!(OperationFailed)),
|
||||
(Some(account), _) => account,
|
||||
(_, Some(ticket)) => {
|
||||
db.delete_ticket(&ticket.id).await?;
|
||||
db.fetch_account(&ticket.account_id).await?
|
||||
}
|
||||
_ => return Err(create_error!(InvalidToken)),
|
||||
};
|
||||
|
||||
// Validate the MFA response
|
||||
account
|
||||
.consume_mfa_response(db, data.into_inner(), None)
|
||||
.await?;
|
||||
|
||||
// Create a new ticket for this account
|
||||
let ticket = MFATicket::new(account.id, true);
|
||||
ticket.save(db).await?;
|
||||
Ok(Json(ticket.into()))
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use crate::{rocket, util::test::TestHarness};
|
||||
use revolt_database::Totp;
|
||||
use rocket::http::{Header, Status};
|
||||
use revolt_models::v0;
|
||||
use revolt_result::{Error, ErrorType};
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (_, session, _) = harness.new_user().await;
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/ticket")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"password": "password_insecure"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<v0::MFATicket>().await.unwrap().validated);
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn success_totp() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.mfa.totp_token = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/ticket")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"totp_code": Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
}.generate_code().unwrap()
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Ok);
|
||||
assert!(res.into_json::<v0::MFATicket>().await.is_some());
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn failure_totp() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.mfa.totp_token = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/ticket")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"totp_code": "000000"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::Unauthorized);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::InvalidToken,
|
||||
));
|
||||
}
|
||||
|
||||
#[rocket::async_test]
|
||||
async fn failure_no_totp() {
|
||||
let harness = TestHarness::new().await;
|
||||
let (mut account, session, _) = harness.new_user().await;
|
||||
|
||||
account.mfa.totp_token = Totp::Enabled {
|
||||
secret: "secret".to_string(),
|
||||
};
|
||||
account.save(&harness.db).await.unwrap();
|
||||
|
||||
let res = harness.client
|
||||
.put("/auth/mfa/ticket")
|
||||
.header(Header::new("X-Session-Token", session.token.clone()))
|
||||
.body(
|
||||
json!({
|
||||
"password": "this is the wrong mfa method"
|
||||
})
|
||||
.to_string(),
|
||||
)
|
||||
.dispatch()
|
||||
.await;
|
||||
|
||||
assert_eq!(res.status(), Status::BadRequest);
|
||||
assert!(matches!(
|
||||
res.into_json::<Error>().await.unwrap().error_type,
|
||||
ErrorType::DisallowedMFAMethod,
|
||||
));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user