zed/crates/collab/src/auth.rs

use std::sync::Arc;

use super::db::{self, UserId};
use crate::{AppState, Error, Result};
use anyhow::{anyhow, Context};
use axum::{
    http::{self, Request, StatusCode},
    middleware::Next,
    response::IntoResponse,
};
use rand::thread_rng;
use scrypt::{
    password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
    Scrypt,
};

pub async fn validate_header<B>(mut req: Request<B>, next: Next<B>) -> impl IntoResponse {
    let mut auth_header = req
        .headers()
        .get(http::header::AUTHORIZATION)
        .and_then(|header| header.to_str().ok())
        .ok_or_else(|| {
            Error::Http(
                StatusCode::BAD_REQUEST,
                "missing authorization header".to_string(),
            )
        })?
        .split_whitespace();

    let user_id = UserId(auth_header.next().unwrap_or("").parse().map_err(|_| {
        Error::Http(
            StatusCode::BAD_REQUEST,
            "missing user id in authorization header".to_string(),
        )
    })?);

    let access_token = auth_header.next().ok_or_else(|| {
        Error::Http(
            StatusCode::BAD_REQUEST,
            "missing access token in authorization header".to_string(),
        )
    })?;

    let mut credentials_valid = false;
    let state = req.extensions().get::<Arc<AppState>>().unwrap();
    if let Some(admin_token) = access_token.strip_prefix("ADMIN_TOKEN:") {
        if state.config.api_token == admin_token {
            credentials_valid = true;
        }
    } else {
        for password_hash in state.db.get_access_token_hashes(user_id).await? {
            if verify_access_token(access_token, &password_hash)? {
                credentials_valid = true;
                break;
            }
        }
    }

    if credentials_valid {
        let user = state
            .db
            .get_user_by_id(user_id)
            .await?
            .ok_or_else(|| anyhow!("user {} not found", user_id))?;
        req.extensions_mut().insert(user);
        Ok::<_, Error>(next.run(req).await)
    } else {
        Err(Error::Http(
            StatusCode::UNAUTHORIZED,
            "invalid credentials".to_string(),
        ))
    }
}

const MAX_ACCESS_TOKENS_TO_STORE: usize = 8;

pub async fn create_access_token(db: &dyn db::Db, user_id: UserId) -> Result<String> {
    let access_token = rpc::auth::random_token();
    let access_token_hash =
        hash_access_token(&access_token).context("failed to hash access token")?;
    db.create_access_token_hash(user_id, &access_token_hash, MAX_ACCESS_TOKENS_TO_STORE)
        .await?;
    Ok(access_token)
}

fn hash_access_token(token: &str) -> Result<String> {
    // Avoid slow hashing in debug mode.
    let params = if cfg!(debug_assertions) {
        scrypt::Params::new(1, 1, 1).unwrap()
    } else {
        scrypt::Params::recommended()
    };

    Ok(Scrypt
        .hash_password(
            token.as_bytes(),
            None,
            params,
            &SaltString::generate(thread_rng()),
        )
        .map_err(anyhow::Error::new)?
        .to_string())
}

pub fn encrypt_access_token(access_token: &str, public_key: String) -> Result<String> {
    let native_app_public_key =
        rpc::auth::PublicKey::try_from(public_key).context("failed to parse app public key")?;
    let encrypted_access_token = native_app_public_key
        .encrypt_string(access_token)
        .context("failed to encrypt access token with public key")?;
    Ok(encrypted_access_token)
}

pub fn verify_access_token(token: &str, hash: &str) -> Result<bool> {
    let hash = PasswordHash::new(hash).map_err(anyhow::Error::new)?;
    Ok(Scrypt.verify_password(token.as_bytes(), &hash).is_ok())
}
WIP 2022-04-26 02:05:09 +00:00			`use std::sync::Arc;`

Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`use super::db::{self, UserId};`
WIP 2022-05-19 17:09:44 +00:00			`use crate::{AppState, Error, Result};`
			`use anyhow::{anyhow, Context};`
WIP 2022-04-26 02:05:09 +00:00			`use axum::{`
			`http::{self, Request, StatusCode},`
			`middleware::Next,`
			`response::IntoResponse,`
			`};`
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`use rand::thread_rng;`
			`use scrypt::{`
			`password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString},`
			`Scrypt,`
			`};`
Include contents of the zed-server repo We're going full monorepo. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2021-07-12 20:14:39 +00:00
Get zed.dev working with new collab backend Co-Authored-By: Antonio Scandurra <me@as-cii.com> 2022-04-26 17:15:41 +00:00			`pub async fn validate_header<B>(mut req: Request<B>, next: Next<B>) -> impl IntoResponse {`
WIP 2022-04-26 02:05:09 +00:00			`let mut auth_header = req`
			`.headers()`
			`.get(http::header::AUTHORIZATION)`
			`.and_then(\|header\| header.to_str().ok())`
			`.ok_or_else(\|\| {`
			`Error::Http(`
			`StatusCode::BAD_REQUEST,`
			`"missing authorization header".to_string(),`
			`)`
			`})?`
			`.split_whitespace();`

			`let user_id = UserId(auth_header.next().unwrap_or("").parse().map_err(\|_\| {`
			`Error::Http(`
			`StatusCode::BAD_REQUEST,`
			`"missing user id in authorization header".to_string(),`
			`)`
			`})?);`
Include contents of the zed-server repo We're going full monorepo. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2021-07-12 20:14:39 +00:00
WIP 2022-04-26 02:05:09 +00:00			`let access_token = auth_header.next().ok_or_else(\|\| {`
			`Error::Http(`
			`StatusCode::BAD_REQUEST,`
			`"missing access token in authorization header".to_string(),`
			`)`
			`})?;`
Include contents of the zed-server repo We're going full monorepo. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2021-07-12 20:14:39 +00:00
WIP 2022-04-26 02:05:09 +00:00			`let mut credentials_valid = false;`
Allow impersonating users via the api token, bypassing oauth 2022-10-19 00:36:54 +00:00			`let state = req.extensions().get::<Arc<AppState>>().unwrap();`
			`if let Some(admin_token) = access_token.strip_prefix("ADMIN_TOKEN:") {`
			`if state.config.api_token == admin_token {`
WIP 2022-04-26 02:05:09 +00:00			`credentials_valid = true;`
Allow impersonating users via the api token, bypassing oauth 2022-10-19 00:36:54 +00:00			`}`
			`} else {`
			`for password_hash in state.db.get_access_token_hashes(user_id).await? {`
			`if verify_access_token(access_token, &password_hash)? {`
			`credentials_valid = true;`
			`break;`
			`}`
WIP 2022-04-26 02:05:09 +00:00			`}`
			`}`
Avoid verifying access tokens for out-of-date clients Replace the 'VerifyToken' middleware with a 'process_auth_header' function that we call in the '/rpc' handler after checking that the client's protocol version matches. 2021-09-23 22:32:23 +00:00
Get zed.dev working with new collab backend Co-Authored-By: Antonio Scandurra <me@as-cii.com> 2022-04-26 17:15:41 +00:00			`if credentials_valid {`
Include login in connection-related tracing spans/events Also, include metadata on more events and add an event called "signing out" with all this metadata to make it easier to search for. 2022-05-12 18:06:06 +00:00			`let user = state`
			`.db`
			`.get_user_by_id(user_id)`
			`.await?`
			`.ok_or_else(\|\| anyhow!("user {} not found", user_id))?;`
			`req.extensions_mut().insert(user);`
Get zed.dev working with new collab backend Co-Authored-By: Antonio Scandurra <me@as-cii.com> 2022-04-26 17:15:41 +00:00			`Ok::<_, Error>(next.run(req).await)`
			`} else {`
WIP 2022-04-26 02:05:09 +00:00			`Err(Error::Http(`
			`StatusCode::UNAUTHORIZED,`
			`"invalid credentials".to_string(),`
Get zed.dev working with new collab backend Co-Authored-By: Antonio Scandurra <me@as-cii.com> 2022-04-26 17:15:41 +00:00			`))`
WIP 2022-04-26 02:05:09 +00:00			`}`
			`}`
Include contents of the zed-server repo We're going full monorepo. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2021-07-12 20:14:39 +00:00
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`const MAX_ACCESS_TOKENS_TO_STORE: usize = 8;`
Speed up login by avoiding unnecessary access token verification 2021-09-23 20:34:53 +00:00
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`pub async fn create_access_token(db: &dyn db::Db, user_id: UserId) -> Result<String> {`
			`let access_token = rpc::auth::random_token();`
			`let access_token_hash =`
			`hash_access_token(&access_token).context("failed to hash access token")?;`
			`db.create_access_token_hash(user_id, &access_token_hash, MAX_ACCESS_TOKENS_TO_STORE)`
			`.await?;`
			`Ok(access_token)`
			`}`
Include contents of the zed-server repo We're going full monorepo. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2021-07-12 20:14:39 +00:00
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`fn hash_access_token(token: &str) -> Result<String> {`
			`// Avoid slow hashing in debug mode.`
			`let params = if cfg!(debug_assertions) {`
			`scrypt::Params::new(1, 1, 1).unwrap()`
			`} else {`
			`scrypt::Params::recommended()`
			`};`
Include contents of the zed-server repo We're going full monorepo. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2021-07-12 20:14:39 +00:00
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`Ok(Scrypt`
			`.hash_password(`
			`token.as_bytes(),`
			`None,`
			`params,`
			`&SaltString::generate(thread_rng()),`
Enable descriptive HTTP errors to be returned from DB layer For now, we only use this when redeeming an invite code. Co-Authored-By: Antonio Scandurra <me@as-cii.com> 2022-05-19 17:55:55 +00:00			`)`
			`.map_err(anyhow::Error::new)?`
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`.to_string())`
			`}`
Include contents of the zed-server repo We're going full monorepo. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2021-07-12 20:14:39 +00:00
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`pub fn encrypt_access_token(access_token: &str, public_key: String) -> Result<String> {`
			`let native_app_public_key =`
			`rpc::auth::PublicKey::try_from(public_key).context("failed to parse app public key")?;`
			`let encrypted_access_token = native_app_public_key`
One big cleanup pass of clippy lints Co-authored-by: Mikayla <mikayla@zed.dev> 2022-08-10 21:39:24 +00:00			`.encrypt_string(access_token)`
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`.context("failed to encrypt access token with public key")?;`
			`Ok(encrypted_access_token)`
			`}`
Enable authentication via the NextJS site 2021-12-22 15:19:19 +00:00
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`pub fn verify_access_token(token: &str, hash: &str) -> Result<bool> {`
Enable descriptive HTTP errors to be returned from DB layer For now, we only use this when redeeming an invite code. Co-Authored-By: Antonio Scandurra <me@as-cii.com> 2022-05-19 17:55:55 +00:00			`let hash = PasswordHash::new(hash).map_err(anyhow::Error::new)?;`
Finish adding API routes We haven't tested them yet. Co-Authored-By: Max Brunsfeld <maxbrunsfeld@gmail.com> 2022-04-25 23:51:13 +00:00			`Ok(Scrypt.verify_password(token.as_bytes(), &hash).is_ok())`
			`}`