mirrors/zed
1
0
Fork 0
mirror of https://github.com/zed-industries/zed.git synced 2025-01-24 11:01:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 12

Enable authentication via the NextJS site

Browse source
This commit is contained in:
Nathan Sobo 2021-12-22 08:19:19 -07:00
parent 6dd23c250b
commit fe5465a265
3 changed files with 79 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
crates/client/src/client.rs
View file

@ -35,8 +35,10 @@ pub use rpc::*;
pub use user::*;
lazy_static! {
static ref ZED_SERVER_URL: String =
std::env::var("ZED_SERVER_URL").unwrap_or("https://zed.dev:443".to_string());
static ref COLLAB_URL: String =
std::env::var("ZED_COLLAB_URL").unwrap_or("https://collab.zed.dev:443".to_string());
static ref SITE_URL: String =
std::env::var("ZED_SITE_URL").unwrap_or("https://zed.dev".to_string());
static ref IMPERSONATE_LOGIN: Option<String> = std::env::var("ZED_IMPERSONATE")
.ok()
.and_then(|s| if s.is_empty() { None } else { Some(s) });
@ -403,7 +405,7 @@ impl Client {
match self.establish_connection(&credentials, cx).await {
Ok(conn) => {
log::info!("connected to rpc address {}", *ZED_SERVER_URL);
log::info!("connected to rpc address {}", *COLLAB_URL);
self.state.write().credentials = Some(credentials.clone());
if !used_keychain && IMPERSONATE_LOGIN.is_none() {
write_credentials_to_keychain(&credentials, cx).log_err();
@ -414,7 +416,7 @@ impl Client {
Err(EstablishConnectionError::Unauthorized) => {
self.state.write().credentials.take();
if used_keychain {
cx.platform().delete_credentials(&ZED_SERVER_URL).log_err();
cx.platform().delete_credentials(&COLLAB_URL).log_err();
self.set_status(Status::SignedOut, cx);
self.authenticate_and_connect(cx).await
} else {
@ -522,19 +524,19 @@ impl Client {
)
.header("X-Zed-Protocol-Version", rpc::PROTOCOL_VERSION);
cx.background().spawn(async move {
if let Some(host) = ZED_SERVER_URL.strip_prefix("https://") {
if let Some(host) = COLLAB_URL.strip_prefix("https://") {
let stream = smol::net::TcpStream::connect(host).await?;
let request = request.uri(format!("wss://{}/rpc", host)).body(())?;
let (stream, _) =
async_tungstenite::async_tls::client_async_tls(request, stream).await?;
Ok(Connection::new(stream))
} else if let Some(host) = ZED_SERVER_URL.strip_prefix("http://") {
} else if let Some(host) = COLLAB_URL.strip_prefix("http://") {
let stream = smol::net::TcpStream::connect(host).await?;
let request = request.uri(format!("ws://{}/rpc", host)).body(())?;
let (stream, _) = async_tungstenite::client_async(request, stream).await?;
Ok(Connection::new(stream))
} else {
Err(anyhow!("invalid server url: {}", *ZED_SERVER_URL))?
Err(anyhow!("invalid server url: {}", *COLLAB_URL))?
}
})
}
@ -561,8 +563,8 @@ impl Client {
// Open the Zed sign-in page in the user's browser, with query parameters that indicate
// that the user is signing in from a Zed app running on the same device.
let mut url = format!(
"{}/sign_in?native_app_port={}&native_app_public_key={}",
*ZED_SERVER_URL, port, public_key_string
"{}/native_app_signin?native_app_port={}&native_app_public_key={}",
*SITE_URL, port, public_key_string
);
if let Some(impersonate_login) = IMPERSONATE_LOGIN.as_ref() {
@ -592,9 +594,15 @@ impl Client {
user_id = Some(value.to_string());
}
}
let post_auth_url = format!("{}/native_app_signin_succeeded", *SITE_URL);
req.respond(
tiny_http::Response::from_string(LOGIN_RESPONSE).with_header(
tiny_http::Header::from_bytes("Content-Type", "text/html").unwrap(),
tiny_http::Response::empty(302).with_header(
tiny_http::Header::from_bytes(
&b"Location"[..],
post_auth_url.as_bytes(),
)
.unwrap(),
),
)
.context("failed to respond to login http request")?;
@ -660,7 +668,7 @@ fn read_credentials_from_keychain(cx: &AsyncAppContext) -> Option<Credentials> {
let (user_id, access_token) = cx
.platform()
.read_credentials(&ZED_SERVER_URL)
.read_credentials(&COLLAB_URL)
.log_err()
.flatten()?;
Some(Credentials {
@ -671,7 +679,7 @@ fn read_credentials_from_keychain(cx: &AsyncAppContext) -> Option<Credentials> {
fn write_credentials_to_keychain(credentials: &Credentials, cx: &AsyncAppContext) -> Result<()> {
cx.platform().write_credentials(
&ZED_SERVER_URL,
&COLLAB_URL,
&credentials.user_id.to_string(),
credentials.access_token.as_bytes(),
)
@ -694,13 +702,6 @@ pub fn decode_worktree_url(url: &str) -> Option<(u64, String)> {
Some((id, access_token.to_string()))
}
const LOGIN_RESPONSE: &'static str = "
<!DOCTYPE html>
<html>
<script>window.close();</script>
</html>
";
#[cfg(test)]
mod tests {
use super::*;

50
crates/server/src/api.rs
View file

@ -1,7 +1,9 @@
use crate::{auth, AppState, Request, RequestExt as _};
use async_trait::async_trait;
use serde::Deserialize;
use serde_json::json;
use std::sync::Arc;
use surf::StatusCode;
pub fn add_routes(app: &mut tide::Server<Arc<AppState>>) {
app.at("/users/:github_login").get(get_user);
@ -18,7 +20,7 @@ async fn get_user(request: Request) -> tide::Result {
.await?
.ok_or_else(|| surf::Error::from_str(404, "user not found"))?;
Ok(tide::Response::builder(200)
Ok(tide::Response::builder(StatusCode::Ok)
.body(tide::Body::from_json(&user)?)
.build())
}
@ -30,11 +32,49 @@ async fn create_access_token(request: Request) -> tide::Result {
.db()
.get_user_by_github_login(request.param("github_login")?)
.await?
.ok_or_else(|| surf::Error::from_str(404, "user not found"))?;
let token = auth::create_access_token(request.db(), user.id).await?;
.ok_or_else(|| surf::Error::from_str(StatusCode::NotFound, "user not found"))?;
let access_token = auth::create_access_token(request.db(), user.id).await?;
Ok(tide::Response::builder(200)
.body(json!({"user_id": user.id, "access_token": token}))
#[derive(Deserialize)]
struct QueryParams {
public_key: String,
impersonate: Option<String>,
}
let query_params: QueryParams = request.query().map_err(|_| {
surf::Error::from_str(StatusCode::UnprocessableEntity, "invalid query params")
})?;
let encrypted_access_token =
auth::encrypt_access_token(&access_token, query_params.public_key.clone())?;
let mut user_id = user.id;
if let Some(impersonate) = query_params.impersonate {
if user.admin {
if let Some(impersonated_user) =
request.db().get_user_by_github_login(&impersonate).await?
{
user_id = impersonated_user.id;
} else {
return Ok(tide::Response::builder(StatusCode::UnprocessableEntity)
.body(format!(
"Can't impersonate non-existent user {}",
impersonate
))
.build());
}
} else {
return Ok(tide::Response::builder(StatusCode::Unauthorized)
.body(format!(
"Can't impersonate user {} because the real user isn't an admin",
impersonate
))
.build());
}
}
Ok(tide::Response::builder(StatusCode::Ok)
.body(json!({"user_id": user_id, "encrypted_access_token": encrypted_access_token}))
.build())
}

19
crates/server/src/auth.rs
View file

@ -238,12 +238,10 @@ async fn get_auth_callback(mut request: Request) -> tide::Result {
}
let access_token = create_access_token(request.db(), user_id).await?;
let native_app_public_key =
zed_auth::PublicKey::try_from(app_sign_in_params.native_app_public_key.clone())
.context("failed to parse app public key")?;
let encrypted_access_token = native_app_public_key
.encrypt_string(&access_token)
.context("failed to encrypt access token with public key")?;
let encrypted_access_token = encrypt_access_token(
&access_token,
app_sign_in_params.native_app_public_key.clone(),
)?;
return Ok(tide::Redirect::new(&format!(
"http://127.0.0.1:{}?user_id={}&access_token={}",
@ -289,6 +287,15 @@ fn hash_access_token(token: &str) -> tide::Result<String> {
.to_string())
}
pub fn encrypt_access_token(access_token: &str, public_key: String) -> tide::Result<String> {
let native_app_public_key =
zed_auth::PublicKey::try_from(public_key).context("failed to parse app public key")?;
let encrypted_access_token = native_app_public_key
.encrypt_string(&access_token)
.context("failed to encrypt access token with public key")?;
Ok(encrypted_access_token)
}
pub fn verify_access_token(token: &str, hash: &str) -> tide::Result<bool> {
let hash = PasswordHash::new(hash)?;
Ok(Scrypt.verify_password(token.as_bytes(), &hash).is_ok())