continuwuity/src/service/uiaa/mod.rs

mod data;

use std::sync::Arc;

use argon2::{PasswordHash, PasswordVerifier};
use conduit::{utils, Error, Result};
use data::Data;
use ruma::{
	api::client::{
		error::ErrorKind,
		uiaa::{AuthData, AuthType, Password, UiaaInfo, UserIdentifier},
	},
	CanonicalJsonValue, DeviceId, UserId,
};
use tracing::error;

use crate::services;

pub const SESSION_ID_LENGTH: usize = 32;

pub struct Service {
	pub(super) db: Arc<dyn Data>,
}

impl Service {
	/// Creates a new Uiaa session. Make sure the session token is unique.
	pub fn create(
		&self, user_id: &UserId, device_id: &DeviceId, uiaainfo: &UiaaInfo, json_body: &CanonicalJsonValue,
	) -> Result<()> {
		self.db.set_uiaa_request(
			user_id,
			device_id,
			uiaainfo.session.as_ref().expect("session should be set"), /* TODO: better session error handling (why
			                                                            * is it optional in ruma?) */
			json_body,
		)?;
		self.db.update_uiaa_session(
			user_id,
			device_id,
			uiaainfo.session.as_ref().expect("session should be set"),
			Some(uiaainfo),
		)
	}

	pub fn try_auth(
		&self, user_id: &UserId, device_id: &DeviceId, auth: &AuthData, uiaainfo: &UiaaInfo,
	) -> Result<(bool, UiaaInfo)> {
		let mut uiaainfo = auth.session().map_or_else(
			|| Ok(uiaainfo.clone()),
			|session| self.db.get_uiaa_session(user_id, device_id, session),
		)?;

		if uiaainfo.session.is_none() {
			uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
		}

		match auth {
			// Find out what the user completed
			AuthData::Password(Password {
				identifier,
				password,
				..
			}) => {
				let UserIdentifier::UserIdOrLocalpart(username) = identifier else {
					return Err(Error::BadRequest(ErrorKind::Unrecognized, "Identifier type not recognized."));
				};

				let user_id = UserId::parse_with_server_name(username.clone(), services().globals.server_name())
					.map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "User ID is invalid."))?;

				// Check if password is correct
				if let Some(hash) = services().users.password_hash(&user_id)? {
					let hash_matches = services()
						.globals
						.argon
						.verify_password(
							password.as_bytes(),
							&PasswordHash::new(&hash).expect("valid hash in database"),
						)
						.is_ok();

					if !hash_matches {
						uiaainfo.auth_error = Some(ruma::api::client::error::StandardErrorBody {
							kind: ErrorKind::forbidden(),
							message: "Invalid username or password.".to_owned(),
						});
						return Ok((false, uiaainfo));
					}
				}

				// Password was correct! Let's add it to `completed`
				uiaainfo.completed.push(AuthType::Password);
			},
			AuthData::RegistrationToken(t) => {
				if Some(t.token.trim()) == services().globals.config.registration_token.as_deref() {
					uiaainfo.completed.push(AuthType::RegistrationToken);
				} else {
					uiaainfo.auth_error = Some(ruma::api::client::error::StandardErrorBody {
						kind: ErrorKind::forbidden(),
						message: "Invalid registration token.".to_owned(),
					});
					return Ok((false, uiaainfo));
				}
			},
			AuthData::Dummy(_) => {
				uiaainfo.completed.push(AuthType::Dummy);
			},
			k => error!("type not supported: {:?}", k),
		}

		// Check if a flow now succeeds
		let mut completed = false;
		'flows: for flow in &mut uiaainfo.flows {
			for stage in &flow.stages {
				if !uiaainfo.completed.contains(stage) {
					continue 'flows;
				}
			}
			// We didn't break, so this flow succeeded!
			completed = true;
		}

		if !completed {
			self.db.update_uiaa_session(
				user_id,
				device_id,
				uiaainfo.session.as_ref().expect("session is always set"),
				Some(&uiaainfo),
			)?;
			return Ok((false, uiaainfo));
		}

		// UIAA was successful! Remove this session and return true
		self.db.update_uiaa_session(
			user_id,
			device_id,
			uiaainfo.session.as_ref().expect("session is always set"),
			None,
		)?;
		Ok((true, uiaainfo))
	}

	#[must_use]
	pub fn get_uiaa_request(
		&self, user_id: &UserId, device_id: &DeviceId, session: &str,
	) -> Option<CanonicalJsonValue> {
		self.db.get_uiaa_request(user_id, device_id, session)
	}
}
refactor state accessor, state cache, user, uiaa 2022-08-14 13:38:21 +02:00			`mod data;`
cargo fix 2022-10-08 13:04:55 +02:00
Hot-Reloading Refactor Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-09 15:59:08 -07:00			`use std::sync::Arc;`

feat: replaced flaky argon2 with better argon2 crate (#37) * feat: replaced flaky argon2 with better argon2 crate * fix: applied cargo fmt nightly * docs: added comment specifying what the settings for Argon2 mean * fix: made hashing error a bit more descriptive * fix: fixed incorrect value for Kib 2023-12-25 16:28:56 +01:00			`use argon2::{PasswordHash, PasswordVerifier};`
Hot-Reloading Refactor Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-09 15:59:08 -07:00			`use conduit::{utils, Error, Result};`
dissolve key_value/* Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-26 21:29:19 +00:00			`use data::Data;`
cargo fmt 2022-10-05 20:34:31 +02:00			`use ruma::{`
			`api::client::{`
			`error::ErrorKind,`
WIP: Upgrade Ruma 2022-12-14 13:09:10 +01:00			`uiaa::{AuthData, AuthType, Password, UiaaInfo, UserIdentifier},`
cargo fmt 2022-10-05 20:34:31 +02:00			`},`
Bump ruma 2022-10-09 17:25:06 +02:00			`CanonicalJsonValue, DeviceId, UserId,`
cargo fmt 2022-10-05 20:34:31 +02:00			`};`
fix: some compile time errors Only 174 errors left! 2022-09-06 23:15:09 +02:00			`use tracing::error;`
feat: swappable database backend 2021-06-08 18:10:00 +02:00
Hot-Reloading Refactor Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-09 15:59:08 -07:00			`use crate::services;`

			`pub const SESSION_ID_LENGTH: usize = 32;`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00
Hot-Reloading Refactor Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-09 15:59:08 -07:00			`pub struct Service {`
dissolve key_value/* Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-26 21:29:19 +00:00			`pub(super) db: Arc<dyn Data>,`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`}`

messing with trait objects 2022-10-05 12:45:54 +02:00			`impl Service {`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`/// Creates a new Uiaa session. Make sure the session token is unique.`
Hot-Reloading Refactor Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-09 15:59:08 -07:00			`pub fn create(`
improvement: uiaa works like in synapse 2021-05-04 19:03:18 +02:00			`&self, user_id: &UserId, device_id: &DeviceId, uiaainfo: &UiaaInfo, json_body: &CanonicalJsonValue,`
Update to latest ruma/master rev 2020-07-25 14:25:24 -04:00			`) -> Result<()> {`
37 errors left 2022-10-05 20:33:55 +02:00			`self.db.set_uiaa_request(`
improvement: uiaa works like in synapse 2021-05-04 19:03:18 +02:00			`user_id,`
			`device_id,`
			`uiaainfo.session.as_ref().expect("session should be set"), /* TODO: better session error handling (why`
			`* is it optional in ruma?) */`
			`json_body,`
			`)?;`
37 errors left 2022-10-05 20:33:55 +02:00			`self.db.update_uiaa_session(`
improvement: uiaa works like in synapse 2021-05-04 19:03:18 +02:00			`user_id,`
			`device_id,`
			`uiaainfo.session.as_ref().expect("session should be set"),`
			`Some(uiaainfo),`
			`)`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`}`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
Hot-Reloading Refactor Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-09 15:59:08 -07:00			`pub fn try_auth(`
Update to latest ruma/master rev 2020-07-25 14:25:24 -04:00			`&self, user_id: &UserId, device_id: &DeviceId, auth: &AuthData, uiaainfo: &UiaaInfo,`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`) -> Result<(bool, UiaaInfo)> {`
go through a ton of pedantic clippy lints Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-02 20:55:02 -05:00			`let mut uiaainfo = auth.session().map_or_else(`
			`\|\| Ok(uiaainfo.clone()),`
			`\|session\| self.db.get_uiaa_session(user_id, device_id, session),`
			`)?;`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`if uiaainfo.session.is_none() {`
			`uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));`
			`}`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`match auth {`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`// Find out what the user completed`
WIP: Upgrade Ruma 2022-12-14 13:09:10 +01:00			`AuthData::Password(Password {`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`identifier,`
			`password,`
			`..`
			`}) => {`
go through a ton of pedantic clippy lints Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-02 20:55:02 -05:00			`let UserIdentifier::UserIdOrLocalpart(username) = identifier else {`
			`return Err(Error::BadRequest(ErrorKind::Unrecognized, "Identifier type not recognized."));`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`};`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
cargo fmt 2022-10-05 20:34:31 +02:00			`let user_id = UserId::parse_with_server_name(username.clone(), services().globals.server_name())`
			`.map_err(\|_\| Error::BadRequest(ErrorKind::InvalidParam, "User ID is invalid."))?;`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`// Check if password is correct`
Fixed more compile time errors 2022-09-07 13:25:51 +02:00			`if let Some(hash) = services().users.password_hash(&user_id)? {`
feat: replaced flaky argon2 with better argon2 crate (#37) * feat: replaced flaky argon2 with better argon2 crate * fix: applied cargo fmt nightly * docs: added comment specifying what the settings for Argon2 mean * fix: made hashing error a bit more descriptive * fix: fixed incorrect value for Kib 2023-12-25 16:28:56 +01:00			`let hash_matches = services()`
			`.globals`
			`.argon`
			`.verify_password(`
			`password.as_bytes(),`
			`&PasswordHash::new(&hash).expect("valid hash in database"),`
			`)`
			`.is_ok();`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`if !hash_matches {`
WIP: Upgrade Ruma 2022-12-14 13:09:10 +01:00			`uiaainfo.auth_error = Some(ruma::api::client::error::StandardErrorBody {`
replace `ErrorKind::Forbidden` with `forbidden()` non-exhaustive constructor https://github.com/ruma/ruma/commit/917584e0cae4ae8642625f234f22f049bc159fee Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-04-03 15:59:03 -04:00			`kind: ErrorKind::forbidden(),`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`message: "Invalid username or password.".to_owned(),`
			`});`
			`return Ok((false, uiaainfo));`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00			`}`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`}`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			// Password was correct! Let's add it to `completed`
Upgrade Ruma Co-authored-by: Timo Kösters <timo@koesters.xyz> 2021-10-13 10:16:45 +02:00			`uiaainfo.completed.push(AuthType::Password);`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`},`
feat: registration tokens 2023-08-09 18:27:30 +02:00			`AuthData::RegistrationToken(t) => {`
			`if Some(t.token.trim()) == services().globals.config.registration_token.as_deref() {`
			`uiaainfo.completed.push(AuthType::RegistrationToken);`
			`} else {`
			`uiaainfo.auth_error = Some(ruma::api::client::error::StandardErrorBody {`
replace `ErrorKind::Forbidden` with `forbidden()` non-exhaustive constructor https://github.com/ruma/ruma/commit/917584e0cae4ae8642625f234f22f049bc159fee Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-04-03 15:59:03 -04:00			`kind: ErrorKind::forbidden(),`
feat: registration tokens 2023-08-09 18:27:30 +02:00			`message: "Invalid registration token.".to_owned(),`
			`});`
			`return Ok((false, uiaainfo));`
			`}`
			`},`
WIP: Upgrade Ruma 2022-12-14 13:09:10 +01:00			`AuthData::Dummy(_) => {`
Upgrade Ruma Co-authored-by: Timo Kösters <timo@koesters.xyz> 2021-10-13 10:16:45 +02:00			`uiaainfo.completed.push(AuthType::Dummy);`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`},`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`k => error!("type not supported: {:?}", k),`
			`}`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`// Check if a flow now succeeds`
			`let mut completed = false;`
			`'flows: for flow in &mut uiaainfo.flows {`
			`for stage in &flow.stages {`
			`if !uiaainfo.completed.contains(stage) {`
			`continue 'flows;`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00			`}`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`}`
			`// We didn't break, so this flow succeeded!`
			`completed = true;`
			`}`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`if !completed {`
37 errors left 2022-10-05 20:33:55 +02:00			`self.db.update_uiaa_session(`
improvement: uiaa works like in synapse 2021-05-04 19:03:18 +02:00			`user_id,`
			`device_id,`
			`uiaainfo.session.as_ref().expect("session is always set"),`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`Some(&uiaainfo),`
improvement: uiaa works like in synapse 2021-05-04 19:03:18 +02:00			`)?;`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`return Ok((false, uiaainfo));`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`}`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`// UIAA was successful! Remove this session and return true`
37 errors left 2022-10-05 20:33:55 +02:00			`self.db.update_uiaa_session(`
improvement: faster incoming transaction handling 2021-08-19 11:01:18 +02:00			`user_id,`
			`device_id,`
			`uiaainfo.session.as_ref().expect("session is always set"),`
			`None,`
			`)?;`
			`Ok((true, uiaainfo))`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`}`
add rustfmt.toml, format entire codebase Signed-off-by: strawberry <strawberry@puppygock.gay> 2024-03-05 19:48:54 -05:00
Hot-Reloading Refactor Signed-off-by: Jason Volk <jason@zemos.net> 2024-05-09 15:59:08 -07:00			`#[must_use]`
			`pub fn get_uiaa_request(`
improvement: uiaa works like in synapse 2021-05-04 19:03:18 +02:00			`&self, user_id: &UserId, device_id: &DeviceId, session: &str,`
Remove unnecessary Result 2022-01-19 23:56:55 +01:00			`) -> Option<CanonicalJsonValue> {`
refactor state accessor, state cache, user, uiaa 2022-08-14 13:38:21 +02:00			`self.db.get_uiaa_request(user_id, device_id, session)`
improvement: uiaa works like in synapse 2021-05-04 19:03:18 +02:00			`}`
feat: user interactive authentication 2020-06-06 18:44:50 +02:00			`}`